Web application security tools


Highlighted tools

Some web application security tools have features that make them stand out among the others. If one of these characteristics is important to you, have a look at these selected tools first.

» True specialist = ZAP

Popular web application security tools

Arachni (web application scanner)

penetration testing, security assessment, web application analysis

Web Application Security Scanner aimed towards helping users evaluate the security of web applications

SQLMate (a friend of SQLMap with additional features)

penetration testing, web application analysis

SQLMate is a tool to perform security and vulnerability assessments of web applications. It can discover admin panels of websites, which might be a way to break into a web application. It also has the option for dorking, which means it can find targets that are possibly vulnerable to a particular attack.

Wfuzz (web application fuzzer)

application fuzzing, application security, application testing, web application analysis

Wfuzz is a fuzzing tool written in Python. Tools like Wfuzz are typically used to test web applications and how they handle both expected and unexpected input.

WordPress Exploit Framework (WordPress exploiting toolkit)

penetration testing, security assessment, vulnerability scanning, web application analysis

The WordPress Exploit Framework (WPXF) provides a set of tools to assess and exploit WordPress installations. It can be used for pentesting and red teaming assignments. The tool is less friendly for beginners, but more experienced pentesters will find no difficulty in using it.

Yasuo (vulnerability scanner for web applications)

penetration testing, vulnerability scanning, web application analysis

Yasuo is a Ruby script that scans for vulnerable and exploitable third-party web applications. There are many remotely exploitable vulnerabilities for web applications and their front-end components. Yasuo makes it easier to scan for weaknesses like remote code execution (RCE), SQL injections, and file inclusions.

ZAP (web application analysis)

penetration testing, security assessment, software testing, web application analysis

The OWASP Zed Attack Proxy (ZAP) helps to find security vulnerabilities in web applications during development and testing.

django-security (Security add-ons for Django)

application security

Django-security is an extension for developers seeking more security measures in their Django project. The toolkit can set or activate particular settings improving security. Examples of these settings include the use of particular HTTP headers that increase the security defenses of the web application.

Part of the toolkit is middleware to enforce password strength, set the do-not-track header, enable content security policy (CSP), enable privacy policy (P3P), limit session…

seespee (crawler to create CSP header)

application security

Seespee helps to crawl a website and define a suitable Content Security Policy (CSP). The related Content-Security-Policy header can be added with the discovered value. This header defines what local and external resources can be loaded on a website.

w3af (web application attack and audit framework)

application security, application testing, penetration testing, vulnerability scanning, web application analysis

W3af is an open source web application attack and audit framework that helps in scanning for vulnerabilities. The tool comes with both a graphical user interface (GUI) and a command-line utility. Some of the project files include a copyright line of 2006. That gives a good idea of the maturity of the project, and it is one of the rare tools that is still maintained after so many years.
