SQLi/Dork ⭐️ BEST OPEN SOURCE WEB VULNERABILITY TOOLS [2022] ⭐️

PepeBogdano

Member
Joined
Aug 1, 2023
Threads
13
Likes
8
Awards
4
Credits
1,342©
Cash
0$
Image 2023 08 20 221239625

Grabber

Grabber is a web application scanner which can detect many security vulnerabilities in web applications. It performs scans and tells where the vulnerability exists. It can detect the following vulnerabilities:

  • Cross-site scripting
  • SQL injection
  • Ajax testing
  • File inclusion
  • JS source code analyzer
  • Backup file check
Download it here.
Source code on GitHub.

Vega

Vega is another free open-source web vulnerability scanner and testing platform. With this tool, you can perform security testing of a web application. This tool is written in Java and offers a GUI-based environment. It is available for OS X, Linux and Windows. It can be used to find SQL injection, header injection, directory listing, shell injection, cross-site scripting, file inclusion and other web application vulnerabilities. This tool can also be extended using a powerful API written in JavaScript.

Documentation is here.
Download Vega here.


Zed Attack Proxy

Zed Attack Proxy is also known as ZAP. This tool is open-source and is developed by OWASP. It is available for Windows, Unix/Linux and Macintosh platforms.

These are the key functionalities of ZAP:

  • Intercepting proxy
  • Automatic scanner
  • Traditional but powerful spiders
  • Fuzzer
  • Web socket support
  • Plug-n-hack support
  • Authentication support
  • REST-based API
  • Dynamic SSL certificates
  • Smartcard and client digital certificates support
Download ZAP here.


Wapiti

Wapiti is a web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data. It tries to inject payloads and see if a script is vulnerable. It supports both GET and POST HTTP attacks and detects multiple vulnerabilities.
It can detect the following vulnerabilities:

  • File disclosure
  • File inclusion
  • Cross-site scripting (XSS)
  • Command execution detection
  • CRLF injection
  • SQL injection and XPath injection
  • Weak .htaccess configuration
  • Backup file disclosure
  • Many others

Download Wapiti with source code here.

W3af

W3af is a popular web application attack and audit framework. This framework aims to provide a better web application penetration testing platform. It was developed using Python. By using this tool, you will be able to identify more than 200 kinds of web application vulnerabilities including SQL injection, cross-site scripting and many others.
You can access source code at the GitHub repository here.
Download it from the official website here.


WebScarab

WebScarab is a Java-based security framework for analyzing web applications using HTTP or HTTPS protocol. With available plugins, you can extend the functionality of the tool.

The source code of the tool is available on GitHub here.
Download WebScarab here.

Skipfish

Skipfish is another nice web application security tool. It crawls the website and then checks each page for various security threats. At the end, it prepares the final report.


Download Skipfish or code from Google Codes here.


Ratproxy

Ratproxy is an open-source web application security audit tool which can be used to find security vulnerabilities in web applications. It supports Linux, FreeBSD, MacOS X and Windows (Cygwin) environments.


You can read more about this tool here.
Download it here.

SQLMap

SQLMap is another popular open-source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerabilities in a website’s database. It has a powerful detection engine and many useful features. This way, a penetration tester can easily perform an SQL injection check on a website.


Access the source code on GitHub here.
Download SQLMap here.

Wfuzz

Wfuzz is another freely available open-source tool for web application penetration testing. It can be used to brute-force GET and POST parameters for testing against various kinds of injections like SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading, SOCK, proxy, authentication, parameter brute-forcing, multiple proxy and many other things.


You can read more about the features of the tool here.
Download Wfuzz from code.google.com here.

Grendel-Scan

Grendel-Scan is another nice open-source web application security tool. This is an automatic tool for finding security vulnerabilities in web applications. Many features are also available for manual penetration testing. This tool is available for Windows, Linux and Macintosh and was developed in Java.

Download the tool and source code here.

Watcher

Watcher is a passive web security scanner. It does not attack with loads of requests or crawl the target website. It is not a separate tool but an add-on of Fiddler, so you need to install Fiddler first and then install Watcher to use it.

Download Watcher and its source code here.

Arachni

Arachni is an open-source tool developed for providing a penetration testing environment. This tool can detect various web application security vulnerabilities. It can detect various vulnerabilities like SQL injection, XSS, local file inclusion, remote file inclusion, unvalidated redirect and many others.

Download this tool here.


 
