Website security audit tools

Tools

Arachni (web application scanner)

penetration testing, security assessment, web application analysis

Web Application Security Scanner aimed towards helping users evaluate the security of web applications

JoomScan (vulnerability scanner for Joomla CMS)

vulnerability scanning, vulnerability testing

JoomScan could be used to test your Joomla installation or during security assessments. As it has a primary focus on Joomla, it may provide better results than generic vulnerability scanners.

Nikto (web application scanner)

penetration testing, security assessment, web application analysis

Nikto helps with performing security scans against web servers and to search for vulnerabilities in web applications.

shcheck (test HTTP headers of web applications)

application security, web application analysis

This simple tool is a good option to test if advised HTTP headers are available on web application and websites. It can be used as a defensive measure during development, or offensive to find weaknesses in existing applications.

Tulpar (web vulnerability scanner)

application security, application testing, web application analysis

Tulpar is a vulnerability scanner that can be used to test new or existing web applications. In the former case, it could be helpful to test a new project before it is deployed into production. This could be done by the developer or a security professional. If some web application is already in production, then it might be a good tool to perform regular testing on known vulnerabilities. In this case, it is typically a pentester or security specialist that does the testing.

VHostScan (virtual host scanner)

penetration testing, reconnaissance

Tools like VHostScan are powerful to perform reconnaissance and discover configuration defaults. This can be useful during penetration tests or security testing, to see if a system has been stripped from default pages. If not, this tool might discover them and provide valuable information about the system.

Wapiti (vulnerability scanner for web applications)

application fuzzing, vulnerability scanning, web application analysis

Wapiti is typically used to audit web applications.

Missing a favorite tool in this list? Share a tool suggestion and we will review it.