The commercial tools often use a vulnerability database that is used to check for known vulnerabilities that could be exploited in web-based attacks. They may require a subscription fee as well as the product purchase to keep the vulnerability database up to date.
There is a separate category for the online and Security as a Service (SaaS) scanning tools, as they are really a different beast from tools that you install and run yourself. You are trusting a website or a company to scan your site correctly, and not act on vulnerabilities identified. Be sure to check Online and SaaS Website Scanners as well if an online tool will meet your needs.
DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and appl ...