Website Scanners

These tools and products are designed to identify vulnerabilities in web-based applications. They may include XSS checks, SQL injection attacks, checks for vulnerabilities in CMS software or in installed software packages, Java or JavaScript issues, or brute-force attacks. Typically they offer what is known as "black-box" testing: the scanner approaches the website from the Internet and knows nothing about the host or the software behind it. Some of the tools and products listed here also include source code scanners and other checks to help improve the security of web-based applications. A source code scanner is a "glass-box" test, as it can see the code on the web server itself, not just what is presented to the Internet.

The commercial tools often rely on a vulnerability database to check for known vulnerabilities that could be exploited in web-based attacks. They may require a subscription fee, in addition to the product purchase, to keep that vulnerability database up to date.

There is a separate category for the online and Security as a Service (SaaS) scanning tools, as they are really a different beast from tools that you install and run yourself. You are trusting a website or a company to scan your site correctly, and not to act on the vulnerabilities it identifies. Be sure to check Online and SaaS Website Scanners as well if an online tool will meet your needs.

Articles and other information

Nessus
Vendor: Tenable Network Security
The Nessus vulnerability scanner is the world-leading vulnerability scanner, with over five million downloads to date. Nessus is currently rated among the top vulnerability scanners throughout the security industry and is endorsed by professional security ...

AppSentry
Vendor: Integrigy Corporation
Pricing model: Commercial
AppSentry is a new generation of security scanner and vulnerability assessment tool. Unlike other security scanners, AppSentry knows the application it is validating – its technology and data model. The security audits and checks are written specifically ...

Acunetix Web Vulnerability Scanner
Vendor: Acunetix Ltd
Acunetix has pioneered the web application security scanning technology: its engineers have focused on web security as early as 1997 and developed an engineering lead in web site analysis and vulnerability detection. Acunetix Web Vulnerability Scanner inc ...

Paros Proxy
Vendor: Chinotec Technologies Company
Pricing model: Freeware
We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cooki ...

(Name not listed)
Pricing model: Freeware
A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-init ...

Burp Suite
Vendor: PortSwigger Ltd.
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to fi ...

Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, versions on over 1200 servers, and version specific problems on over 270 serv ...

WebScarab
Pricing model: Open Source
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its mo ...

Pantera
Pricing model: Open Source
The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results. The following are some notable Pantera features: * User-friendly custom web GUI. (CSS): Pantera itself is a web appl ...

(Name not listed)
Pricing model: Open Source
A regularly-updated signature-based scanner that can detect file inclusion, SQL injection, command execution, XSS, DoS, and directory traversal vulnerabilities of a target Joomla! web site. Overview: Joomla! is probably the most widely-used CMS out there ...

(Name not listed)
Pricing model: Freeware
A Java hijacking tool for web application session security assessment. A simple Java fuzzer that can mainly be used for numeric session hijacking and parameter enumeration.

Netsparker - Web Application Security Scanner
Vendor: Mavituna Security Ltd
Netsparker is the first and only false-positive-free web application security scanner. It can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual at ...
(Name not listed)
Pricing model: Freeware
A fully automated, active web application security reconnaissance tool. Key features: * High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets. * ...

Samurai Web Testing Framework
Pricing model: Open Source
The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.

SCNR
SCNR is a modular, distributed, high-performance DAST web application security scanner framework, capable of analyzing the behavior and security of modern web applications and web APIs. It is inspired by and built on more than a decade of experience gat ...

Zed Attack Proxy (ZAP)
The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and funct ...

w3af
Vendor: Andrés Riancho
Pricing model: Open Source
w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. The framework is extended using plugins. For now, think about nessus p ...

WP Security Scan
Vendor: WebsiteDefender
WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as: 1. Passwords 2. File permissions 3. Database security 4. Version hiding 5. WordPress admin protection/security ...

WPScan WordPress Security Scanner
The WPScan CLI tool is a free (for non-commercial use) black-box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites.