Website Scanners

These tools and products are designed to identify vulnerabilities in web-based applications. Their checks may include XSS tests, SQL injection tests, known vulnerabilities in CMS software or in installed software packages, Java or JavaScript issues, and brute-force attacks. Typically they offer what is known as "black-box" testing: the scanner approaches the website from the Internet and knows nothing about the host or the software running on it. Some of the tools and products listed here also include source code scanners and other checks to help improve the security of web-based applications. A source code scanner is a "glass-box" test, as it can see the code on the web server itself, not just what is presented to the Internet.

The commercial tools often use a database of known vulnerabilities that could be exploited in web-based attacks. Keeping that vulnerability database up to date may require a subscription fee in addition to the product purchase.

There is a separate category for the online and Security as a Service (SaaS) scanning tools, as they are really a different beast from tools that you install and run yourself. You are trusting a website or a company to scan your site correctly, and not to act on the vulnerabilities it identifies. Be sure to check Online and SaaS Website Scanners as well if an online tool will meet your needs.

Articles and other information

JHijack (YGN Ethical Hacker Group)
Pricing model: Freeware

A simple Java fuzzer, mainly used for numeric session hijacking and parameter enumeration. Requirement: JRE/JDK 1.4 or above. Demonstrations: Session Hijacking; BlindSQLInjection; HT ...

Netsparker - Web Application Security Scanner (Mavituna Security Ltd)

Netsparker is the first and only false-positive free web application security scanner. It can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual at ...

JSky (NOSEC Technologies Co., Ltd.)

What is JSky? JSky is a web vulnerability scanner and web application vulnerability assessment tool. What can JSky do? It is a web application security vulnerability scanner, so it can scan for these web application security vulnerabilities: * SQL Injection ...

Burp Suite (PortSwigger Ltd.)

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to fi ...

Pricing model: Freeware

A fully automated, active web application security reconnaissance tool. Key features: * High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets. * ...

Samurai Web Testing Framework
Pricing model: Open Source

The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.

Mantra
Pricing model: Open Source

Mantra is a collection of free and open source tools integrated into a web browser, which can be handy for students, penetration testers, web application developers, security professionals, etc. It is portable, ready-to-run, compact and follows the tru ...

Kyplex Website Antivirus (Kyplex Cloud Security)
Pricing model: Service

Kyplex Website antivirus is a free cloud-based website virus scanner. The main difference between this service and a common antivirus is that you cannot tell your antivirus to scan a website, but you can ask our service to do it for you.

Arachni (Tasos "Zapotek" Laskos)

The project was initially started as an educational exercise, though it has since evolved into a powerful and modular framework allowing for fast, accurate and flexible security/vulnerability assessments. More than that, Arachni is highly extendable, al ...

Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and funct ...

w3af (Andrés Riancho)
Pricing model: Open Source

w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. The framework is extended using plugins. For now, think about nessus p ...

WP Security Scan (WebsiteDefender)

WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as: 1. Passwords 2. File permissions 3. Database security 4. Version hiding 5. WordPress admin protection/security ...

WPScan (Ryan Dewhurst, aka ethicalhack3r)

WPScan is a black-box WordPress security scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. It is intended for security professionals or WordPress administrators to assess the security postur ...

Vega

Vega is a GUI-based, multi-platform (OS X, Linux, Windows), free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vu ...

aidSQL (jpfstange@gmail.com)

aidSQL is a PHP application for detecting security holes in your websites. It is a modular application, meaning that you can develop your own plugins for SQL injection detection and exploitation.

Andiparos (a.c.neumann at gmail.com)

Andiparos is a fork of the famous Paros Proxy. It is an open source web application security assessment tool that gives penetration testers the ability to spider websites, analyze content, intercept and modify requests, etc. The advantage of Andiparos is ...

Cenzic Hailstorm Professional

Cenzic Hailstorm Professional is designed for the power user to run their own Web application assessments. It gives you the power of thousands of assessment variants in Cenzic’s SmartAttack™ Library to test for vulnerabilities company-wide. Benefits: ...

Cenzic Hailstorm Enterprise ARC (Application Risk Controller)

Cenzic’s Hailstorm Enterprise ARC (Application Risk Controller) is built for the entire organization – Information Security, Developers, QA, Compliance Officers, and Executives – to run assessments and view results / status in a Web-enabled, intelligent d ...

ericfish at gmail.com

A web application security scanner and some other security tools.

Damn Small SQLi Scanner (DSSS) (Miroslav Štampar)

Damn Small SQLi Scanner (DSSS) was made as a PoC where I wanted to show that commercial (SQLi) scanners can be beaten in under 100 lines of code. It supports GET and POST parameters, blind/error SQLi tests and advanced comparison of different r ...

© Computer Network Defence Limited 2021