
Website Scanners

These tools and products are designed to identify vulnerabilities in web-based applications. Their checks may include cross-site scripting (XSS), SQL injection, known vulnerabilities in CMS software and other installed packages, Java or JavaScript issues, and brute-force attacks against login forms. Most offer what is known as "black-box" testing: the scanner approaches the site from the Internet the way an attacker would, with no knowledge of the host or of the software running on it, so it can only infer a flaw from what the server sends back in its responses. Some of the tools and products listed here also include source code scanners and other checks to help improve the security of web-based applications. A source code scanner is a "white-box" (sometimes called "glass-box") test: it can see the code on the web server itself, not just what is presented to the Internet.
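To make the black-box idea concrete, here is a small scanner of the kind the paragraph describes. It is an added example written for this page, not code from any product listed here. It probes each query parameter of a URL for reflected XSS (an unencoded marker coming back in the response) and for error-based SQL injection (a stray quote provoking a database error message), and it uses a baseline request so a page that already contains the marker or an error is not reported. The host `target.test`, the `local_target` stand-in application and the list of error signatures are assumptions constructed so the example runs offline; `urllib_fetch` is the transport you would swap in against a site you are authorised to test.

```python
"""Minimal black-box web scanner: reflected XSS and error-based SQLi probes.

Added example, not code from the page or from any product listed on it.
The scanner sees only HTTP responses, never server-side code, which is the
"black-box" limitation described above: it can report a flaw only when the
response reveals one.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from html import escape

# A marker that a safe page must HTML-encode; its appearance verbatim in the
# response means the parameter is reflected without output encoding.
XSS_MARKER = 'zq9"\'<>'

# Error fragments common database drivers emit when a query is broken by a
# stray quote (error-based SQL injection indicator). Partial list, assumed.
SQL_ERROR_SIGNATURES = [re.compile(p, re.I) for p in (
    r"you have an error in your sql syntax",
    r"warning: mysql",
    r"unclosed quotation mark after the character string",
    r"pg_query\(\)",
    r"ora-\d{5}",
    r"sqlite3?\.operationalerror",
)]


def urllib_fetch(url, timeout=10):
    """Real transport: GET `url` and return (status, body) for a live target
    you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "mini-scanner/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def local_target(url):
    """Constructed stand-in for a remote site so the example runs offline
    (assumption, not a real host): /search reflects q unescaped, /item
    interpolates id into SQL, /safe encodes its input correctly."""
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/search":
        return 200, f"<h1>Results for {params.get('q', '')}</h1>"
    if parts.path == "/item":
        item_id = params.get("id", "")
        if "'" in item_id:  # the quote breaks the naive query on the "server"
            return 500, ("You have an error in your SQL syntax; check the manual "
                         "that corresponds to your MySQL server version")
        return 200, f"<p>item {escape(item_id)}</p>"
    if parts.path == "/safe":
        return 200, f"<h1>Results for {escape(params.get('q', ''))}</h1>"
    return 404, "not found"


def _with_param(parts, params, index, new_value):
    """Rebuild the URL with the parameter at `index` replaced by `new_value`."""
    mutated = list(params)
    mutated[index] = (params[index][0], new_value)
    query = urllib.parse.urlencode(mutated)
    return urllib.parse.urlunsplit(parts._replace(query=query))


def _has_sql_error(body):
    return any(sig.search(body) for sig in SQL_ERROR_SIGNATURES)


def scan_url(url, fetch=urllib_fetch):
    """Probe every query parameter of `url` from the outside and return a
    list of (check, parameter) findings. The baseline request guards against
    false positives from pages that already contain the marker or an error."""
    parts = urllib.parse.urlsplit(url)
    params = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    _, base_body = fetch(url)
    findings = []
    for i, (name, value) in enumerate(params):
        # Reflected XSS: does the raw marker come back unencoded?
        _, body = fetch(_with_param(parts, params, i, value + XSS_MARKER))
        if XSS_MARKER in body and XSS_MARKER not in base_body:
            findings.append(("reflected-xss", name))
        # Error-based SQLi: does a single quote provoke a database error?
        _, body = fetch(_with_param(parts, params, i, value + "'"))
        if _has_sql_error(body) and not _has_sql_error(base_body):
            findings.append(("sqli-error", name))
    return findings


if __name__ == "__main__":
    for target in ("http://target.test/search?q=test",
                   "http://target.test/item?id=1",
                   "http://target.test/safe?q=test"):
        print(target, "->", scan_url(target, fetch=local_target))
```

Run as-is it reports the `q` parameter of `/search` as reflected XSS, the `id` parameter of `/item` as error-based SQLi, and `/safe` as clean. The limits are the ones the paragraph implies: with only responses to go on, this scanner cannot see a stored XSS that fires on a different page, a blind SQL injection behind a generic error page, or a vulnerable code path the crawler never reaches, which is why the source code scanners mentioned above find a different class of problems.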


The commercial tools often use a vulnerability database to check for known vulnerabilities that could be exploited in web-based attacks. Keeping that database current usually requires a subscription fee in addition to the product purchase, and a scanner running against a stale database will silently miss newer issues.


There is a separate category for online and software-as-a-service (SaaS) scanning tools, as they are really a different beast from tools that you install and run yourself. You are trusting a website or a company to scan your site correctly, to keep the results confidential, and not to act on the vulnerabilities identified. Be sure to check Online and SaaS Website Scanners as well if an online tool will meet your needs.


Articles and other information

Acunetix Ltd

Acunetix has pioneered web application security scanning technology: its engineers have focused on web security since as early as 1997 and developed an engineering lead in web site analysis and vulnerability detection. Acunetix Web Vulnerability Scanner inc ...

Chinotec Technologies Company

We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cooki ...

Paros Proxy

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-init ...

PortSwigger Ltd.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to fi ...

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, versions on over 1200 servers, and version specific problems on over 270 serv ...

Nikto

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its mo ...

The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results. The following are some notable Pantera Features: * User-friendly custom web GUI. (CSS): Pantera itself is a web appl ...

A regularly updated signature-based scanner that can detect file inclusion, SQL injection, command execution, XSS, DoS and directory traversal vulnerabilities of a target Joomla! web site. Overview Joomla! is probably the most widely-used CMS out there ...

WebsiteDefender

WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as: 1. Passwords 2. File permissions 3. Database security 4. Version hiding 5. WordPress admin protection/security ...

Mavituna Security Ltd

Netsparker is the first and only false-positive-free web application security scanner. It can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual at ...

Netsparker - Web Application Security Scanner

A fully automated, active web application security reconnaissance tool. Key features: * High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets. * ...

The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.

SCNR is a modular, distributed, high-performance DAST web application security scanner framework, capable of analyzing the behavior and security of modern web applications and web APIs. It is inspired by and built on more than a decade of experience gat ...

SCNR

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and funct ...

Andrés Riancho

w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. The framework is extended using plugins. For now, think about nessus p ...

w3af