hsecscan alternatives

Looking for a better tool, or simply want to learn about alternatives? There is typically more than one option.

Alternatives (by tag)

Alternative: vFeed

vFeed is a set of tools around correlated vulnerability and threat intelligence. It provides a database, API, and supporting tools to store vulnerability data.

vFeed consists of a database and utilities to store vulnerability data. It uses third-party references and data, which can then be used to check whether a software component has a known vulnerability. The data itself is enriched by cross-checking it and storing additional details about the vulnerabilities.

The vFeed tooling has an API available with JSON output. It can be used by security researchers and practitioners to validate vulnerabilities and retrieve all available details.

Project details

vFeed is written in Python.

Strengths

  • + Commercial support available
  • + The source code of this software is available

Typical usage

  • security assessment
  • vulnerability scanning

vFeed project page

Alternative: django-security

Django-security is a toolkit for the Django framework with a focus on security. It provides models, views, and middleware to strengthen an application's defenses.

Project details

django-security is written in Python.

Strengths

  • + More than 10 contributors
  • + The source code of this software is available

Typical usage

  • application security

django-security project page

Alternative: OSHP (OWASP Secure Headers Project)

The OSHP project collects data regarding HTTP security headers and their usage. It aims to report on adoption rates and to increase usage.

OSHP is short for OWASP Secure Headers Project.

Project details

OSHP is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • data extraction
  • information gathering
  • information sharing
  • security awareness

OSHP project page

Alternative: shcheck (Security Header Check)

Security header check (shcheck) is a security tool to scan web applications and their HTTP headers. It can help secure web applications or detect weaknesses.

Project details

shcheck is written in Python.

Strengths

  • + Very low number of dependencies
  • + The source code of this software is available

Weaknesses

  • - No releases on GitHub available

Typical usage

  • application security
  • web application analysis

shcheck project page

Alternative: Arachni

Web Application Security Scanner aimed at helping users evaluate the security of web applications.

Arachni is a framework written in Ruby with a focus on evaluating the security of web applications. Typical users include security professionals and system administrators.

The tooling is free and open source. Besides Linux, it also runs on macOS and Microsoft Windows.

Project details

Arachni is written in Ruby.

Strengths

  • + More than 1000 GitHub stars
  • + The source code of this software is available

Typical usage

  • penetration test
  • security assessment
  • web application analysis

Arachni project page

Alternative: Commix

Commix is a security tool to test web applications and find vulnerabilities related to command injection attacks. It can be used during security assignments.

Commix is short for COMMand Injection eXploiter.

Project details

Commix is written in Python.

Strengths

  • + More than 10 contributors
  • + More than 1000 GitHub stars
  • + The source code of this software is available

Commix project page

Alternative: django-axes

Django-axes is a reusable app for Django to limit the brute force login attempts for your web application.

Project details

django-axes is written in Python.

Strengths

  • + More than 50 contributors
  • + The source code of this software is available

Typical usage

  • application security

django-axes project page

Alternative: DorkNet

DorkNet helps with the discovery of vulnerable web apps. It is a script written in Python that leverages Selenium.

Project details

DorkNet is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • security assessment
  • vulnerability scanning
  • web application analysis

DorkNet project page

Alternative: Jackhammer

Jackhammer is a collaboration tool to bring security and developer teams together. Its focus is on vulnerability discovery through static code analysis and dynamic analysis.

The tool uses RBAC (Role Based Access Control) with different levels of access. Jackhammer uses several tools to do dynamic and static code analysis (e.g. for Java, Ruby, Python, and Node.js). It also checks for vulnerabilities in libraries. Due to its modular architecture, it can use several scanners out of the box, with options to add your own.

The Jackhammer project was initially added to GitHub on the 8th of May, 2017.

Project details

Jackhammer is written in Ruby.

Strengths

  • + The source code of this software is available

Typical usage

  • collaboration
  • information sharing

Jackhammer project page

Alternative: Jawfish

Jawfish is a security tool to test web applications. It can find related exploits and update according to an internal database.

Project details

Jawfish is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • penetration test
  • security assessment
  • vulnerability scanning
  • web application analysis

Jawfish project page

Alternative: jSQL Injection

jSQL Injection is a security tool to test web applications. It can be used to discover if an application is vulnerable to SQL injection attacks.

Project details

jSQL Injection is written in Java.

Strengths

  • + The source code of this software is available

Weaknesses

  • - Full name of author is unknown

Typical usage

  • database security

jSQL Injection project page

Alternative: Spaghetti

Spaghetti is a web vulnerability scanner to find flaws in common web applications and frameworks. It can perform fingerprinting and vulnerability discovery.

Project details

Spaghetti is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • penetration test
  • vulnerability scanning
  • vulnerability testing

Spaghetti project page

Alternative: Suhosin

Suhosin is a security extension for PHP and consists of two parts that enhance PHP. It helps with protecting against known and unknown attacks.

Project details

Suhosin is written in C.

Strengths

  • + The source code of this software is available

Weaknesses

  • - Well-known tool

Typical usage

  • application security

Suhosin project page

Alternative: Susanoo

Susanoo is a security tool to test the security of a REST API. With this focus, it goes beyond the typical attack surface of a web application.

Project details

Susanoo is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • API testing
  • application testing

Susanoo project page

Alternative: Wapiti

Wapiti is a security tool to perform vulnerability scans on web applications. It uses fuzzing to detect known and unknown paths, among other tests.

Project details

Wapiti is written in Python.

Strengths

  • + The source code of this software is available
  • + Well-known tool

Weaknesses

  • - No updates for a while

Typical usage

  • vulnerability scanning
  • web application analysis

Wapiti project page

Alternative: WhatWeb

WhatWeb is a security tool written in Ruby to fingerprint web applications. It helps with detecting what software is used for a particular web application.

Project details

WhatWeb is written in Ruby.

Strengths

  • + More than 25 contributors
  • + More than 1000 GitHub stars
  • + The source code of this software is available

Weaknesses

  • - No releases on GitHub available

Typical usage

  • reconnaissance
  • web application analysis

WhatWeb project page

Alternative: Yasuo

Yasuo is a Ruby script that scans for vulnerable and exploitable third-party web applications.

Project details

Strengths

  • + The source code of this software is available

Typical usage

  • penetration test
  • vulnerability scanning
  • web application analysis

Yasuo project page

Alternative: Admin Page Finder (PHP)

Admin Page Finder is a tool written in PHP to find admin sections within a website. It can be used during pentesting and security assessments.

Project details

Admin Page Finder (PHP) is written in PHP.

Strengths

  • + The source code of this software is available

Weaknesses

  • - Unknown project license

Typical usage

  • penetration test
  • reconnaissance

Admin Page Finder (PHP) project page

Alternative: BlindElephant

BlindElephant is a security tool to perform fingerprinting of web applications. It can discover the name and version of known web applications.

Alternative: ZAP (zaproxy)

The OWASP Zed Attack Proxy (ZAP) helps to find security vulnerabilities in web applications during development and testing.

ZAP is an intercepting proxy of web traffic. You will need to configure your browser to connect to the web application you wish to test through ZAP.

Note: Zed Attack Proxy, or ZAP, is also known as zaproxy.

Project details

ZAP is written in Java.

Strengths

  • + More than 50 contributors
  • + More than 2000 GitHub stars
  • + Many maintainers
  • + The source code of this software is available

Weaknesses

  • - Many reported issues are still open

Typical usage

  • penetration test
  • security assessment
  • software testing

ZAP project page

Alternative: Metagoofil

Metagoofil is an information gathering tool with a focus on extracting metadata from public documents.

Metagoofil performs a Google search based on the given domain name. Any public documents found are downloaded and analyzed. For this task it uses libraries such as Hachoir, PdfMiner, and others. Useful details that can be recovered include usernames, software versions, hostnames, etc.

File types: pdf, doc, xls, ppt, docx, pptx, xlsx

Project details

Metagoofil is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • information gathering
  • penetration test

Metagoofil project page

Alternative: SSLyze

SSLyze provides a library for scanning services that use SSL/TLS for encrypted communications. It can be used to test their implementation.

Alternative: XSS Hunter

XSS Hunter helps with finding XSS vulnerabilities and triggers a warning when an injected payload fires. It exists as an online service or as a self-hosted installation.

By using a specific link, XSS Hunter can see when an attack is triggered successfully. It then stores information such as the vulnerable page's URI, referer, HTML DOM, a screenshot of the page, and cookies. Regarding the victim, it stores the IP address and the user agent.