These tools and products are designed to identify vulnerabilities in web-based applications. Their checks may cover cross-site scripting (XSS), SQL injection, known vulnerabilities in CMS software and other installed packages, Java or JavaScript issues, and brute-force attacks against logins. Most of them perform what is known as "black-box" testing: the scanner approaches the site from the Internet the way an attacker would, with no knowledge of the host, the server software, or the application's source, and judges everything from the responses it gets back. Some of the tools and products listed here also include source code scanners and other checks to help improve the security of web-based applications. A source code scanner is a "glass-box" (white-box) test: it reads the application's source itself rather than only what the site presents to the Internet, so it can find a dangerous code path whether or not the scanner happens to reach it with a request.
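The black-box versus glass-box distinction above is easiest to see side by side. The following Python script is an added example, not code from the page or from any of the products it lists: it runs a black-box reflection check (send a marker, classify how the response echoes it) against a constructed in-memory "application" that stands in for HTTP, and a glass-box pattern scan over a constructed PHP snippet. The route names, handlers, marker string and PHP sample are all assumptions made for this illustration.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-in for a target web application (not a real site): one
# handler echoes the parameter into HTML unescaped, the other escapes it.
def _vulnerable_search(params):
    q = params.get("q", [""])[0]
    return f"<html><body><h1>Results for {q}</h1></body></html>"


def _safe_search(params):
    q = params.get("q", [""])[0]
    return f"<html><body><h1>Results for {html.escape(q)}</h1></body></html>"


ROUTES = {"/search": _vulnerable_search, "/safe": _safe_search}


def fetch(url):
    """Stand-in for an HTTP GET so the example runs offline; a real scanner
    would use an HTTP client here. Returns (status, body)."""
    parts = urlsplit(url)
    handler = ROUTES.get(parts.path)
    if handler is None:
        return 404, ""
    return 200, handler(parse_qs(parts.query))


# Unique marker wrapped in the characters that matter for HTML injection.
MARKER = "zqx7"
PROBE = f"<{MARKER}>\"'"


def blackbox_reflection_check(base_url, param):
    """Black-box check: the scanner knows only the URL and the parameter name.
    It sends the probe and classifies what comes back in the response body."""
    _status, body = fetch(f"{base_url}?{param}={quote(PROBE)}")
    if PROBE in body:
        return "reflected_unescaped"      # HTML injection / reflected XSS candidate
    if html.escape(PROBE) in body:
        return "reflected_escaped"        # output encoding is applied
    return "not_reflected"


# Glass-box check: with the source in hand, look for a request parameter sent
# straight to output. Constructed PHP sample written for this example.
SAMPLE_PHP = """<?php
echo $_GET['q'];
echo htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');
$name = $_POST['name'];
echo $name;
"""

DIRECT_ECHO = re.compile(r"\becho\s+\$_(GET|POST|REQUEST|COOKIE)\[")


def glassbox_scan(source):
    """Return the 1-based line numbers where a superglobal is echoed directly.
    This naive pattern only catches the direct case: the $_POST value assigned
    to $name and echoed two lines later is missed, which is why real source
    scanners track taint from source to sink instead of matching single lines."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if DIRECT_ECHO.search(line)]


if __name__ == "__main__":
    for path in ("/search", "/safe", "/missing"):
        print(path, blackbox_reflection_check(f"http://example.test{path}", "q"))
    print("direct-echo lines:", glassbox_scan(SAMPLE_PHP))
```

The black-box check reports only what the response reveals: it flags /search, clears /safe, and says nothing about a page it never requested. The glass-box scan does not need a request at all, but the pattern shown is deliberately shallow, and a real source scanner has to follow data from the request into the output call to avoid the miss noted in the comment.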
The commercial tools usually ship with a vulnerability database of known, publicly disclosed issues (vulnerable CMS and plugin versions, default credentials, known-bad paths) that the scanner checks the target against. Because that database ages quickly, vendors often charge a subscription fee on top of the product purchase to keep it up to date, and a scanner running on a stale database will miss anything disclosed since its last update.
There is a separate category for the online and Software-as-a-Service (SaaS) scanning tools, as they are really a different beast from tools that you install and run yourself. You are trusting a website or a company to scan your site correctly, to keep the results confidential, and not to act on the vulnerabilities it finds; the provider sees every finding before you do, and its scanning traffic arrives from the provider's addresses, so make sure the scan is authorized and that its source ranges are known to whoever watches your logs. Be sure to check Online and SaaS Website Scanners as well if an online tool will meet your needs.
Articles and other information
- How to choose a Web Vulnerability Scanner - article by Robert Abela of Acunetix
- Web Application Security Scanner Evaluation Criteria - published by the Web Application Security Consortium
- Web App Pentesting - PenTest Magazine - by The Hacker News