Skip to main content

Website Scanners

These tools and products are designed to identify vulnerabilities in web-based applications.  They may consist of XSS checks, SQL injection attacks, vulnerabilities in CMS software, vulnerabilities in installed software packages, Java or JavaScript issues, or brute force attacks.  Typically they offer what is known as "black-box" testing, meaning that it comes at the website from the Internet, and doesn't know anything about the box or software.  Some of the tools and products listed here also include source code scanners and other checks to help improve the security of web-based applications.  A source code scanner is a "glass-box" test, as it can now see the code on the web server itself, not just what is presented to the Internet.

 

The commercial tools often use a vulnerability database that is used to check for known vulnerabilities that could be exploited in web-based attacks.  They may require a subscription fee as well as the product purchase to keep the vulnerability database up to date.

 

 

There is a separate category for the online and Security as a Service (SaaS) scanning tools, as they are really a different beast from tools that you install and run yourself.  You are trusting a website or a company to scan your site correctly, and not act on vulnerabilities identified.  Be sure to check Online and SaaS Website Scanners as well if an online tool will meet your needs.

 

Articles and other information

Acunetix Ltd
Commercial

Acunetix has pioneered the web application security scanning technology: Its engineers have focused on web security as early as 1997 and developed an engineering lead in web site analysis and vulnerability detection. Acunetix Web Vulnerability Scanner inc ...

Chinotec Technologies Company
Freeware

We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cooki ...

Paros Proxy
lcamtuf
Freeware

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-init ...

PortSwigger Ltd.
Commercial

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to fi ...

CIRT Inc
Open Source

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, versions on over 1200 servers, and version specific problems on over 270 serv ...

Nikto
OWASP
Open Source

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its mo ...

OWASP
Open Source

The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results. The following are some notable Pantera Features: * User-friendly custom web GUI. (CSS): Pantera itself is a web appl ...

OWASP
Open Source

A regularly-updated signature-based scanner that can detect file inclusion, sql injection, command execution, XSS, DOS, directory traversal vulnerabilities of a target Joomla! web site. Overview Joomla! is probably the most widely-used CMS out there ...

WebsiteDefender
Open Source

WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as: 1. Passwords 2. File permissions 3. Database security 4. Version hiding 5. WordPress admin protection/security ...

Mavituna Security Ltd
Commercial

Netsparker is the first and only false-positive free web application security scanner. It can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual at ...

Netsparker - Web Application Security Scanner
PortSwigger Ltd.
Freeware

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to fi ...

Skipfish
Freeware

A fully automated, active web application security reconnaissance tool. Key features: * High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets. * ...

Open Source
Open Source

The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.

Ecsypno
Limited Free Trial

SCNR is a modular, distributed, high-performance DAST web application security scanner framework, capable of analyzing the behavior and security of modern web applications and web APIs. It is inspired and built by the more than a decade of experience gat ...

SCNR
OWASP
Open Source

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and funct ...

Andrés Riancho
Open Source

w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. The framework is extended using plugins. For now, think about nessus p ...

w3af