Web VAPT Tools Comparison


Web application VAPT (vulnerability assessment and penetration testing) is the security testing of web applications and corporate websites for exploitable weaknesses. Those weaknesses are what leave a site open to attack. Companies are moving their most critical business processes and applications onto the web, and the web application layer is now one of the largest sources of exploitable vulnerabilities in most organizations.

The consequences of web application flaws have included the theft of large numbers of payment card records, serious reputational and financial damage for many enterprises, and the compromise of browsers that merely visited a site an attacker had taken over. Web Application Penetration Testing (WAPT) exists to find these weaknesses before an attacker does. It does not by itself make an application secure, but it is one of the key controls, which is why organizations treat it as essential.

Web application vulnerability scanners are automated tools that scan web applications, normally from the outside, for security vulnerabilities such as cross-site scripting, SQL injection, command injection, path traversal and insecure server configuration. A large number of commercial and open source tools of this type are available, each with its own strengths and weaknesses. None of them finds authorization or business-logic flaws reliably, so automated scanning complements manual testing rather than replacing it.

| Tool Name | Author / Company | Free / Commercial | Open Source? | License | Written in | Used by? |
|---|---|---|---|---|---|---|
| OWASP ZAP | OWASP Flagship Project | Free | Yes | Apache License | Java | Researchers and Pentesters |
| Burp Suite | PortSwigger Ltd. | Both | No | Proprietary | Java | Researchers and Pentesters |
| Tenable.io Web Application Scanner | Tenable Inc. | Commercial | No | Proprietary | JavaScript, AJAX and HTML5 | Corporations |
| w3af | Andres Riancho | Free | Yes | GNU General Public License | Python | Researchers and Pentesters |
| Indusface Web Application Scanning | Indusface Inc. | Commercial | No | Proprietary | HTML5, AJAX and JSON | Corporations |
| ImmuniWeb On-Demand | ImmuniWeb | Commercial | No | Proprietary | | Corporations |
| Arachni | Tasos Laskos | Free | Yes | Arachni Public Source License | Ruby | Researchers and Pentesters |
| Vega | Subgraph | Free | Yes | The MIT License | Java | Researchers and Pentesters |
| Veracode Web Application Scanning | Veracode | Commercial | No | Proprietary | | Corporations |
| Wapiti | Nicolas Surribas | Free | Yes | GNU General Public License | Python | Researchers and Pentesters |
| SQLMap | Bernardo Damele A.G. & Miroslav Stampar | Free | Yes | GNU General Public License | Python | Researchers and Pentesters |
| IronWASP | Lavakumar Kuppan | Free | Yes | GNU General Public License | C#, Python and Ruby | Researchers and Pentesters |
| Skipfish | Michal Zalewski, Niels Heinen & Sebastian Roschke | Free | Yes | Apache License | C | Researchers and Pentesters |
| ratproxy | Michal Zalewski (Google) | Free | Yes | Apache License | C | Researchers and Pentesters |
| Grabber | Romain Gaucher | Free | Yes | Modified BSD License | Python | Researchers and Pentesters |
| WFuzz | Xavi Mendez | Free | Yes | GNU General Public License | Python | Researchers and Pentesters |
| clusterd | Bryan Alexander | Free | Yes | The MIT License | Python | Researchers and Pentesters |
| DirBuster | OWASP | Free | Yes | GNU General Public License | Java | Researchers and Pentesters |
| WebScarab | Rogan Dawes (OWASP Project) | Free | Yes | GNU General Public License | Java | Researchers and Pentesters |
| X5S | Casaba Security | Free | Yes | GNU General Public License | | Researchers and Pentesters |
| nikto | Chris Sullo (CIRT.net) | Free | Yes | GNU General Public License | Perl | Researchers and Pentesters |
| BeEF | Wade Alcorn | Free | Yes | GNU General Public License | Ruby and JavaScript | Researchers and Pentesters |
| Webshell-Sniper | WangYihang | Free | Yes | GNU General Public License | Python | Researchers and Pentesters |
| WAFW00f | Sandro Gauci (Enable Security) | Free | Yes | BSD License | Python | Researchers and Pentesters |
| WhatWeb | Andrew Horton & Brendan Coles | Free | Yes | GNU General Public License | Ruby | Researchers and Pentesters |
| Paros Proxy | parosproxy.org | Free | Yes | Clarified Artistic License | Java | Researchers and Pentesters |
| AppScan Standard | HCL (formerly IBM) | Commercial | No | Proprietary | | Corporations |
| Netsparker | Netsparker | Commercial | No | Proprietary | | Corporations |
| HP WebInspect | HP | Commercial | No | Proprietary | | Corporations |
| Grendel-Scan | David Byrne | Free | Yes | Apache License | Java | Researchers and Pentesters |
| WebReaver | Websecurify | Free | No | Proprietary | | Researchers and Pentesters |
| SamuraiWTF | OWASP | Free | Yes | GNU General Public License | HTML and Ruby | Researchers and Pentesters |
| URLScan.io | Johannes Gilger | Free | No | Proprietary | | Researchers and Pentesters |
| Acunetix Web Vulnerability Scanner | Acunetix Ltd. | Commercial | No | Proprietary | | Corporations |
| Qualys Web Application Scanning | Qualys Inc. | Commercial | No | Proprietary | | Corporations |
| PenTera | Pcysys Ltd. | Commercial | No | Proprietary | | Corporations |
| Imperva RASP | Imperva Inc. | Commercial | No | Proprietary | | Corporations |

1. OWASP ZAP (Zed Attack Proxy)

  • OWASP Flagship Project
  • Open Source
  • Manual Testing & Automated Testing

It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.
Some of the built in features include: Intercepting proxy server, Traditional and AJAX Web crawlers, automated scanner, Passive scanner, Forced browsing, Fuzzer, WebSocket support, Scripting languages, and Plug-n-Hack support. It has a plugin-based architecture and an online ‘marketplace’ which allows new or updated features to be added. The GUI control panel is easy to use.

  • Supported platforms – Linux, Windows, OS X
  • Written in Java
  • License – Apache License
  • Rating – Excellent
  • Used by – Students, Researchers and Penetration Testers
  • https://www.zaproxy.org/

2. Burp Suite

  • PortSwigger Ltd.
  • Versions Available: Community (Free), Professional (Paid) and Enterprise (for organizations and corporations)
  • Manual Testing & Automated Testing

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

  • Written in Java
  • Supported platforms – Linux, Windows, OS X, UNIX
  • Rating: Excellent
  • Used by – Students, Researchers and Penetration Testers (Community and Professional Editions); corporations looking for high-level assessment reports and deep vulnerability assessments (Enterprise Edition)
  • https://portswigger.net/burp

3. Tenable.io Web Application Scanner

  • Tenable, Inc.
  • Commercial (available with free trial)
  • Automated Testing

Tenable.io WAS is a dynamic application security testing (DAST) application. It crawls a running web application through the front end to create a site map with all of the pages, links and forms for testing. Once it creates a site map, it interrogates the site through the front end to identify any vulnerabilities in the application custom code or known vulnerabilities in the third-party components that comprise the bulk of the application.

  • Supported platforms – Linux, Windows, OS X, UNIX
  • Minimum hardware requirements –
    • CPU: 4 cores at 2 GHz
    • RAM: 16 GB
    • Hard drive: 25 GB
  • Built with JavaScript, AJAX and HTML5
  • License: Proprietary
  • Rating – Excellent
  • Used by – Corporations looking for high level assessment reports and deep vulnerability assessments
  • https://www.tenable.com/products/tenable-io/web-application-scanning

4. w3af (Web Application Attack and Audit Framework)

  • Developer – Andres Riancho
  • Sponsor – Holm Security
  • Open Source
  • Manual Testing & Automated Testing

w3af is a Web Application Attack and Audit Framework which aims to identify and exploit web application vulnerabilities. It ships with both a graphical user interface and a console front end (the packaged builds are w3af and w3af-console respectively). The framework has been called the "Metasploit for the web", but it does more than exploitation: it also discovers vulnerabilities using black-box scanning techniques. The w3af core and its plugins are written in Python. Holm Security sponsors the project and uses w3af as part of its automated, continuous vulnerability assessment platform.

  • Supported platforms – Windows, OS X, Linux, FreeBSD, OpenBSD
  • Written in Python
  • License – GNU General Public License v2
  • Rating – Great
  • Used by – Students, Researchers and Penetration Testers
  • http://w3af.org/

5. Indusface Web Application Scanning

  • Indusface Inc.
  • Commercial (Plans – WAS Advanced & WAS Premium)
  • Automated Testing

Indusface Web Application Scanning helps detect web application vulnerabilities, malware, and logical flaws with daily or on-demand comprehensive scanning. Managed by certified security experts, Indusface application scanner helps organizations find greater business impact of logical flaws with detailed demonstrations through proof-of-concept.
Indusface’s hybrid approach to web application penetration testing provides rich in-depth automated scanning technology with human intelligence which helps address the most challenging web security issues on a daily basis. This product has a unique centralized vulnerability management facility which gives a single view of the security posture, thereby effectively managing vulnerabilities using a single management dashboard.

  • Built on HTML5, AJAX and JSON
  • License: Proprietary
  • Used by – Corporations looking for high level assessment reports
  • https://www.indusface.com/products/application-security/web-application-scanning/

6. ImmuniWeb® On-Demand

  • ImmuniWeb
  • Commercial (various plans according to organization size)
  • Automated Testing

ImmuniWeb® On-Demand delivers web application penetration testing as a scalable, DevSecOps-oriented service, with tailored remediation guidelines and a zero false-positive SLA. The vendor pairs its machine-learning assisted scanning with human testers to speed up and scale the assessments.

  • License: Proprietary
  • Used by – Corporations looking for high level assessment reports and deep vulnerability assessments
  • https://www.immuniweb.com/products/ondemand/

7. Arachni

  • Author: Tasos “Zapotek” Laskos
  • Open Source
  • Manual Testing & Automated Testing

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
It is smart, it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives.

  • License: Arachni Public Source License v1.0
  • Supported platforms – Linux, Windows, OS X
  • Written in Ruby
  • Crawls JavaScript, HTML5, DOM-manipulating and AJAX applications through an integrated browser environment
  • Rating – Great
  • Used by – Students, Researchers and Penetration Testers
  • http://arachni-scanner.com

8. Vega

  • Subgraph (https://subgraph.com/)
  • Open Source
  • Automated, Manual, and Hybrid Security Testing

Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Vega can help you find vulnerabilities such as: reflected cross-site scripting, stored cross-site scripting, blind SQL injection, remote file include, shell injection, and others.

  • License: The MIT License (open source)
  • Supported platforms – Linux, Windows, OS X, UNIX
  • Written in Java
  • Used by – Students, Researchers and Penetration Testers
  • https://subgraph.com/vega/

9. Veracode Web Application Scanning

  • Veracode
  • Commercial
  • Automated Testing

Veracode Web Application Scanning is a unified Dynamic Application Security Testing (DAST) solution for finding, securing and monitoring a portfolio of web applications. It scans both internal and external web applications so that vulnerabilities can be remediated quickly, which reduces breach risk.

  • License: Proprietary
  • Used by – Corporations looking for high level assessment reports and deep vulnerability assessments
  • Rating – Great
  • https://www.veracode.com/products/web-application-scanning-was

10. Wapiti

  • Author – Nicolas Surribas
  • Open Source
  • Manual Testing & Automated Testing

Wapiti allows you to audit the security of your websites or web applications.
It performs “black-box” scans (it does not study the source code) of the web application by crawling the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
General features:

    • Generates vulnerability reports in various formats (HTML, XML, JSON, TXT…)
    • Can suspend and resume a scan or an attack (session mechanism using sqlite3 databases)
    • Can give you colors in the terminal to highlight vulnerabilities
    • Different levels of verbosity
    • Fast and easy way to activate/deactivate attack modules
  • License: GNU General Public License v2
  • Written in Python
  • Rating – Great
  • Used by – Students, Researchers and Penetration Testers
  • https://wapiti.sourceforge.io/
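The crawl-then-inject loop described above, as an added example that is not Wapiti's own code: forms and their inputs are harvested from a page, each input is probed with an XSS marker and a SQL metacharacter, and the response is checked for unencoded reflection or a database error string. The target application (`demo_send`, `DEMO_INDEX`) is constructed here so the script runs offline; the `send` contract is the only thing a real transport has to satisfy.

```python
"""Black-box form fuzzing in the style of Wapiti's crawl-then-inject loop.

Added example, not Wapiti's code.  The target is a constructed in-memory
application (`demo_send`) so the script runs offline; swap in a real
transport with the same (method, url, params) -> (status, body) contract
to run it against a test instance you are authorised to test."""
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Marker containing the characters that must be encoded in an HTML context;
# seeing it back unmodified means the input reaches the page unescaped.
XSS_MARKER = "wapx<'\">zz"
SQL_PROBE = "'"
SQL_ERROR_HINTS = ("sql syntax", "unterminated quoted string",
                   "sqlite3.operationalerror", "ora-01756")


class FormParser(HTMLParser):
    """Collect every <form> with its absolute action, method and input names."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": urljoin(self.base_url, a.get("action") or ""),
                               "method": (a.get("method") or "get").lower(),
                               "inputs": []})
        elif tag in ("input", "textarea") and self.forms:
            name = a.get("name")
            if name and (a.get("type") or "text").lower() not in ("submit", "button"):
                self.forms[-1]["inputs"].append(name)


def extract_forms(base_url, page_html):
    parser = FormParser(base_url)
    parser.feed(page_html)
    return parser.forms


def fuzz_forms(forms, send):
    """Inject one payload per input per check; send(method, url, params) -> (status, body)."""
    findings = []
    for form in forms:
        for target in form["inputs"]:
            for check, payload in (("reflected_xss", XSS_MARKER), ("sql_error", SQL_PROBE)):
                params = {n: (payload if n == target else "test") for n in form["inputs"]}
                _status, body = send(form["method"], form["action"], params)
                if check == "reflected_xss" and XSS_MARKER in body:
                    findings.append((check, form["action"], target))
                elif check == "sql_error" and any(h in body.lower() for h in SQL_ERROR_HINTS):
                    findings.append((check, form["action"], target))
    return findings


# --- constructed target -------------------------------------------------------
DEMO_INDEX = """<html><body>
<form action="/search" method="get"><input name="q"><input type="submit" value="Go"></form>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<form action="/comment" method="post"><textarea name="text"></textarea></form>
</body></html>"""


def demo_send(method, url, params):
    """Fake application: /search reflects q raw, /login concatenates user into
    SQL (simulated error message), /comment escapes its output."""
    path = urlparse(url).path
    if path == "/search":
        return 200, f"<p>Results for {params.get('q', '')}</p>"
    if path == "/login":
        if "'" in params.get("user", ""):
            return 500, "Database error: You have an error in your SQL syntax near ''''"
        return 200, "<p>Login failed</p>"
    if path == "/comment":
        return 200, f"<p>{html.escape(params.get('text', ''))}</p>"
    return 404, ""


def run_demo(base_url="http://demo.test/"):
    return fuzz_forms(extract_forms(base_url, DEMO_INDEX), demo_send)


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
```

The escaped `/comment` form produces no finding, which is the point of the marker approach: reflection alone is not a bug, unencoded reflection is. A real scanner also has to follow redirects, keep session cookies and rate-limit itself, none of which this sketch does.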

11. SQLMap
• Authors: Bernardo Damele A. G. (@bdamele) and Miroslav Stampar (@stamparm)
• Open Source
• Manual Testing & Automated Testing

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the experienced penetration tester and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

• Written in Python
• License: GNU General Public License v2
• Rating – Excellent
• Used by – Students, Researchers and Penetration Testers
• http://sqlmap.org/
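What the detection engine mentioned above actually does for one technique, boolean-based blind injection, as an added example that is not sqlmap's code: the scanner fetches a baseline, then sends an always-true and an always-false condition and only reports injection when the true case reproduces the baseline and the false case does not. The vulnerable and hardened endpoints below are constructed on an in-memory SQLite database so the whole thing runs offline.

```python
"""Boolean-based blind SQL injection detection, the core idea behind
sqlmap's detection engine, shown against a constructed SQLite-backed
endpoint so it runs offline.  Added example, not sqlmap's code."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db


def render(rows):
    return ("found:" + ",".join(r[0] for r in rows)) if rows else "not found"


def vulnerable_lookup(db, user_id):
    """Constructed vulnerable endpoint: the parameter is pasted into the query."""
    try:
        rows = db.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()
    except sqlite3.Error:
        return "error"
    return render(rows)


def safe_lookup(db, user_id):
    """Hardened endpoint: type check plus a bound parameter."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return "not found"
    return render(db.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchall())


# (true_suffix, false_suffix) pairs for a numeric and a quoted-string context.
BOOLEAN_PAIRS = [
    (" AND 1=1", " AND 1=2"),
    ("' AND '1'='1", "' AND '1'='2"),
]


def detect_boolean_sqli(request, base_value):
    """request(value) -> body.  Returns the true-condition suffix that
    demonstrated control over the query, or None.

    The page must be stable (two baseline fetches agree), identical for the
    always-true payload and different for the always-false one.  That rules
    out most of the noise a plain error-string match would pick up."""
    baseline = request(base_value)
    if request(base_value) != baseline:
        return None                     # dynamic page: comparison is unreliable
    for true_suffix, false_suffix in BOOLEAN_PAIRS:
        if (request(base_value + true_suffix) == baseline
                and request(base_value + false_suffix) != baseline):
            return true_suffix.strip()
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", detect_boolean_sqli(lambda v: vulnerable_lookup(db, v), "1"))
    print("safe:", detect_boolean_sqli(lambda v: safe_lookup(db, v), "1"))
```

sqlmap compares pages with a similarity ratio rather than exact equality so that timestamps and nonces do not break the check, and it tries many more contexts (parenthesised, numeric with comments, stacked queries); the structure of the decision is the same.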

12. IronWASP
• Author: Lavakumar Kuppan
• Open Source
• Manual Testing

IronWASP (Iron Web Application Advanced Security testing Platform) is an open source tool for web application vulnerability testing. It is designed so that users with the right knowledge can build their own scanners on it as a framework. Scripting is done in Python and Ruby, so users who know those languages can make full use of the platform, but many of its features are simple enough to use without them.

• Written in C#, Python and Ruby
• License: GNU General Public Licensev3
• Rating – Good
• Used by – Students, Researchers and Penetration Testers
• https://github.com/Lavakumar/IronWASP

13. Skipfish
• Authors: Michal Zalewski, Niels Heinen and Sebastian Roschke
• Open Source
• Manual Testing & Automated Testing

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

• Written in C
• License: Apache License, version 2.0
• Rating: Great
• Used by – Students, Researchers and Penetration Testers
• https://github.com/spinkham/skipfish

14. ratproxy
• Author: Michal Zalewski
• Developed at Google
• Open Source
• Manual Testing & Automated Testing

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

• Written in C
• License: Apache License 2.0
• Supported platforms: Linux, FreeBSD, Mac OS X, and Windows (Cygwin)
• Used by – Students, Researchers and Penetration Testers
• https://code.google.com/archive/p/ratproxy/
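The passive approach just described, as an added example that is not ratproxy's code: nothing is sent to the target, and every finding is derived from request/response pairs the tester's own browsing produced. Three of the problem classes listed above are checked (cross-domain script inclusion, a POST form with no anti-CSRF token, and a content-serving mismatch where a JSON body is served as HTML); the traffic is constructed, and the "same host" test for script origins is a simplifying assumption that will flag sibling subdomains too.

```python
"""Passive analysis over observed traffic, the approach ratproxy takes: no
request is generated, every finding comes from request/response pairs the
tester's own browsing produced.  Added example, not ratproxy's code; the
checks are a small illustrative subset and the traffic below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageInspector(HTMLParser):
    """Record external script sources and whether each form carries a token."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "form":
            self._form = {"method": (a.get("method") or "get").lower(), "token": False}
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "hidden" and ("token" in name or "csrf" in name):
                self._form["token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def analyse(exchange):
    """exchange: {"url", "response_headers" (lower-case keys), "body"} -> findings."""
    findings = []
    url = exchange["url"]
    page_host = urlparse(url).hostname
    ctype = exchange["response_headers"].get("content-type", "")
    body = exchange["body"]
    if ctype.startswith("text/html"):
        insp = PageInspector()
        insp.feed(body)
        for src in insp.script_srcs:
            src_host = urlparse(src).hostname
            if src_host and src_host != page_host:     # assumption: exact host match
                findings.append(("cross-domain script inclusion", url, src))
        for form in insp.forms:
            if form["method"] == "post" and not form["token"]:
                findings.append(("POST form without anti-CSRF token", url, None))
    if body.lstrip()[:1] in ("{", "[") and not ctype.startswith("application/json"):
        findings.append(("JSON body served with non-JSON content type", url, ctype))
    return findings


def analyse_all(exchanges):
    return [f for ex in exchanges for f in analyse(ex)]


# --- constructed traffic ------------------------------------------------------
DEMO_TRAFFIC = [
    {"url": "https://app.example/account",
     "response_headers": {"content-type": "text/html; charset=utf-8"},
     "body": """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.thirdparty.example/widget.js"></script>
</head><body>
<form method="post" action="/transfer"><input name="to"><input name="amount"></form>
<form method="post" action="/logout"><input type="hidden" name="csrf_token" value="abc123"></form>
</body></html>"""},
    {"url": "https://app.example/api/balance",
     "response_headers": {"content-type": "text/html"},
     "body": '{"balance": 42}'},
    {"url": "https://app.example/api/profile",
     "response_headers": {"content-type": "application/json"},
     "body": '{"name": "alice"}'},
]

if __name__ == "__main__":
    for finding in analyse_all(DEMO_TRAFFIC):
        print(*finding)
```

Because it never sends a request, a passive analyser is safe to leave running against production traffic, which is exactly why ratproxy is positioned as "largely passive"; the price is that it can only see what the user happened to click.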

15. Grabber
• Author: Romain Gaucher
• Open Source
• Manual Testing & Automated Testing

Grabber is a black-box web application vulnerability scanner that looks for SQL injection, blind SQL injection, XSS and file include injection. The tool aims to be generic and can work with any kind of web application regardless of the server-side programming language. It is designed to scan small websites such as personal sites and forums, not large applications: on those it would take too long and flood the network.

• Written in Python
• License: Modified BSD
• Used by – Students, Researchers and Penetration Testers
• http://rgaucher.info/beta/grabber/
• https://gitlab.com/kalilinux/packages/grabber

16. WFuzz
• Author: Xavi Mendez
• Open Source
• Manual Testing & Automated Testing

WFuzz is a tool for brute-forcing web applications. It can find resources that are not linked (directories, servlets, scripts, etc.), brute-force GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), brute-force form parameters (user/password) and perform general fuzzing.

• Written in Python
• License: GNU General Public License v2
• Used by – Students, Researchers and Penetration Testers
• https://github.com/xmendez/wfuzz

17. clusterd
• Author: Bryan Alexander
• Open Source
• Manual Testing & Automated Testing

Clusterd is an open source application server attack toolkit. It automates the fingerprinting, reconnaissance, and exploitation phases of an application server attack.

• Written in Python
• License: The MIT License
• Used by – Students, Researchers and Penetration Testers
• https://github.com/hatRiot/clusterd

18. DirBuster
• Author: OWASP
• Open Source
• Manual Testing & Automated Testing

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web and application servers. What looks like a web server in a default installation often is not, and has pages and applications hidden within; DirBuster attempts to find them. Tools of this kind are only as good as the directory and file lists they ship with, so DirBuster's lists were generated from scratch by crawling the Internet and collecting the directory and file names developers actually use. It ships with nine such lists, which makes it effective at finding hidden files and directories, and it can also perform a pure brute force, leaving hidden directories and files nowhere to hide.

• Written in Java
• License: GNU General Public License v2
• Used by – Students, Researchers and Penetration Testers
• https://gitlab.com/kalilinux/packages/dirbuster
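The wordlist-driven forced browsing that both WFuzz (section 16) and DirBuster perform, as an added example that is not either project's code. It shows the two things that make such output usable in practice: extension expansion of each word, and filtering by status code and by a "soft 404" body size, the latter being what WFuzz's hide-by-length options are used for. `http_fetch` uses urllib against a live base URL you supply; the `demo_fetch` server is constructed so the script runs offline.

```python
"""Wordlist-driven forced browsing, the technique behind DirBuster and
WFuzz's directory mode, with the status/size filtering needed to make the
output usable.  Added example, not either project's code.  The transport is
injectable: `http_fetch` talks real HTTP with urllib, while the constructed
`demo_fetch` simulates a server so the script runs offline."""
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


def http_fetch(base_url, timeout=5):
    """Build fetch(path) -> (status or None, body length) over real HTTP."""
    def fetch(path):
        req = Request(base_url.rstrip("/") + path,
                      headers={"User-Agent": "forced-browse-example"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                return resp.status, len(resp.read())
        except HTTPError as err:          # 4xx/5xx still carry a body worth measuring
            return err.code, len(err.read())
        except URLError:
            return None, 0
    return fetch


def candidates(words, extensions=("", "/", ".php", ".bak")):
    """Expand each word with the given suffixes, as DirBuster's extension option does."""
    return [f"/{word}{ext}" for word in words for ext in extensions]


def forced_browse(paths, fetch, workers=8, hide_status=(404,)):
    """Probe every path concurrently and keep the interesting responses.

    Two filters are applied: status codes in hide_status are dropped, and a
    'soft 404' (a 200 whose body size dominates the other 200s) is dropped
    too, the way WFuzz's --hh / --hl options are used in practice."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(zip(paths, pool.map(fetch, paths)))
    sizes = Counter(size for _, (status, size) in results if status == 200)
    soft404_size = None
    if sizes:
        size, count = sizes.most_common(1)[0]
        if count >= 3 and count * 2 > sum(sizes.values()):
            soft404_size = size
    hits = []
    for path, (status, size) in results:
        if status is None or status in hide_status:
            continue
        if status == 200 and size == soft404_size:
            continue
        hits.append((path, status, size))
    return hits


# --- constructed target -------------------------------------------------------
DEMO_SERVER = {          # path -> (status, body length)
    "/admin/": (403, 178),
    "/backup.bak": (200, 4096),
    "/login.php": (200, 1320),
    "/uploads/": (301, 0),
}


def demo_fetch(path):
    """Simulated server that answers unknown paths with a 200 'soft 404' page."""
    return DEMO_SERVER.get(path, (200, 512))


if __name__ == "__main__":
    wordlist = ["admin", "backup", "login", "uploads", "config"]
    for hit in forced_browse(candidates(wordlist), demo_fetch):
        print(*hit)
```

A 403 is kept deliberately: a forbidden directory is still a discovered directory. Run this only against hosts you are authorised to test; at realistic wordlist sizes it generates tens of thousands of requests and will show up in any server log.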

19. WebScarab
• Author: Rogan Dawes
• OWASP Project
• Open Source
• Manual Testing & Automated Testing

WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented. It aims to become a tool that may be used automatically or interactively to test web applications for their security.

• Written in Java
• License: GNU General Public License v2
• Used by – Students, Researchers and Penetration Testers
• https://wiki.owasp.org/index.php/Category:OWASP_WebScarab_Project#tab=Main

20. X5S
• Casaba Security
• Open Source
• Manual Testing

X5S, a Fiddler add-on, is designed to help penetration testers find cross-site scripting vulnerabilities in web applications. It is not an automatic XSS finder: it injects test characters into requests and reports where they come back with weak or missing encoding, i.e. where XSS is possible. Using it successfully requires understanding how poor output encoding leads to XSS, so it is best suited to experienced testers who know how to turn an encoding flaw into a working client-side script injection.

• License: GNU General Public License
• Used by: Researchers and experienced penetration testers
• https://www.casaba.com/products/x5s/

21. nikto
• Project by CIRT.net
• Original Author: Chris Sullo
• Open Source
• Manual Testing & Automated Testing

Nikto is an Open Source (General Public License) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

• Written in Perl
• License: GNU General Public License v2
• Supported platforms – Linux, Windows, OS X, UNIX
• Rating: Excellent
• Used by – Students, Researchers and Penetration Testers
• https://github.com/sullo/nikto

22. BeEF
• Author: Wade Alcorn
• Open Source
• Manual Testing & Automated Testing

BeEF started in 2006 as a Ruby project, developed by a team led by Wade Alcorn. Amid growing concerns about web-borne attacks against both web and mobile clients, BeEF allows penetration testers to assess the security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them to launch directed command modules and further attacks against the system from within the browser context.

• Written in Ruby and JavaScript
• License: GNU General Public License v2
• Supported platforms – Linux, Windows, OS X, UNIX
• Rating: Excellent
• Used by – Students, Researchers and Penetration Testers
• https://beefproject.com/
• https://github.com/beefproject/beef

23. Webshell-Sniper
• Author: WangYihang
• Open Source
• Manual Testing

Webshell-Sniper is a client for managing a server through a web shell you already control, so it is a post-exploitation tool rather than a scanner. Users can write their own scripts and functions. The existing functions include file management, database management, SUID search, locating database configuration files and downloading files. Custom functions can be developed against the API in the WebShell.py file, and you can add your own encryption scheme to keep the traffic from being captured in the clear.

• Written in Python
• License: GNU General Public License v3
• Supported platforms: UNIX, Linux
• Rating: Good
• Used by – Students, Researchers and Penetration Testers
• https://github.com/WangYihang/Webshell-Sniper

24. WAFW00f
• Author: Sandro Gauci (Enable Security)
• Open Source
• Manual Testing

WAFW00f ships with the Kali distribution and can also be installed manually. It identifies which web application firewall (if any) sits in front of a target, which makes it an information-gathering step at the start of a test.
It first sends a normal HTTP request and analyses the response; this alone identifies a number of WAF products. If that is not conclusive, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is. If that also fails, it analyses the responses it has already received and uses another simple algorithm to guess whether a WAF or other security solution is actively responding to the attacks.

• Written in Python
• License: BSD License
• Supported platforms: UNIX, Linux, Windows, OS X
• Rating: Great
• Used by – Students, Researchers and Penetration Testers
• https://github.com/EnableSecurity/wafw00f
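The three-stage decision described above, as an added example that is not WAFW00f's code. The signature table is a constructed, illustrative subset (a real one has hundreds of entries and matches on bodies and cookies as well as headers) and the four responders are simulated so the script runs offline; what it demonstrates is the order of the stages and why the last one can only say "something is filtering", not which product.

```python
"""Three-stage WAF detection following the logic described for WAFW00f:
(1) a benign request, matched against response signatures; (2) attack-like
requests, matched again; (3) if nothing matched, a comparison of benign and
attack responses to decide whether *some* filtering device is answering.
Added example, not WAFW00f's code.  The signature table is a constructed,
illustrative subset and the responders are simulated so it runs offline."""
import re

# Constructed illustrative signatures: product -> (response header, regex on its value)
SIGNATURES = {
    "Cloudflare": ("server", re.compile(r"cloudflare", re.I)),
    "ModSecurity": ("server", re.compile(r"mod_security|NOYB", re.I)),
    "F5 BIG-IP ASM": ("set-cookie", re.compile(r"^TS[0-9a-f]{6,}=", re.I)),
}

ATTACK_PROBES = [
    "/?q=<script>alert(1)</script>",
    "/?id=1'%20OR%20'1'='1",
    "/../../../etc/passwd",
]
BLOCK_STATUSES = {403, 406, 419, 429, 501, 503}


def match_signatures(response):
    headers = {k.lower(): v for k, v in response["headers"].items()}
    for product, (header, pattern) in SIGNATURES.items():
        if pattern.search(headers.get(header, "")):
            return product
    return None


def detect_waf(send):
    """send(path) -> {"status": int, "headers": {...}, "body": str}.
    Returns (product name, "Generic" or None, reason)."""
    benign = send("/")
    product = match_signatures(benign)
    if product:
        return product, "benign-response signature"
    attack_responses = [send(path) for path in ATTACK_PROBES]
    for response in attack_responses:
        product = match_signatures(response)
        if product:
            return product, "attack-response signature"
    # Stage 3: behaviour only.  A normal server answers '/' and the probes with
    # the same kind of response; a filter answers the probes differently.
    blocked = sum(r["status"] in BLOCK_STATUSES for r in attack_responses)
    if benign["status"] == 200 and blocked >= 2:
        return "Generic", "status code changes on attack requests"
    return None, "no WAF behaviour observed"


# --- constructed responders ----------------------------------------------------
def _resp(status, server):
    return {"status": status, "headers": {"Server": server}, "body": ""}


def no_waf_send(path):
    return _resp(200, "nginx/1.24")


def cloudflare_send(path):
    return _resp(200, "cloudflare")


def modsec_send(path):               # signature appears only on blocked responses
    return _resp(403, "NOYB") if path in ATTACK_PROBES else _resp(200, "Apache")


def generic_send(path):              # blocks, but reveals nothing about the product
    return _resp(403, "Apache") if path in ATTACK_PROBES else _resp(200, "Apache")


if __name__ == "__main__":
    for name, sender in [("none", no_waf_send), ("cloudflare", cloudflare_send),
                         ("modsec", modsec_send), ("generic", generic_send)]:
        print(name, detect_waf(sender))
```

Stage 2 is the one that trips alerting: the probes are recognisably malicious, so on an engagement it is worth agreeing with the client beforehand that the fingerprinting traffic will be seen.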

25. WhatWeb
• Authors: Andrew Horton & Brendan Coles
• Open Source
• Manual Testing & Automated Testing

WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports an aggression level to control the trade off between speed and reliability. When you visit a website in your browser, the transaction includes many hints of what web technologies are powering that website. Sometimes a single webpage visit contains enough information to identify a website but when it does not, WhatWeb can interrogate the website further. The default level of aggression, called ‘stealthy’, is the fastest and requires only one HTTP request of a website. This is suitable for scanning public websites. More aggressive modes were developed for use in penetration tests.

• Written in Ruby
• License: GNU General Public License v2
• Rating: Good
• Used by – Students, Researchers and Penetration Testers
• https://www.morningstarsecurity.com/research/whatweb

26. Paros Proxy
• Author: parosproxy.org
• Manual Testing

A Java-based HTTP/HTTPS proxy for assessing web application vulnerabilities. It supports editing and viewing HTTP messages on the fly; other features include a spider, client certificates, proxy chaining and scanning for XSS and SQL injection. Paros has not been maintained for many years; OWASP ZAP started as a fork of it and is the natural replacement.

• Written in Java
• Built on XSLT and HTML
• License: Clarified Artistic License
• Rating: Good
• Used by – Students, Researchers and Penetration Testers
• https://tools.kali.org/web-applications/paros

27. AppScan Standard
• HCL Technologies (formerly IBM)
• Commercial
• Automated Testing

AppScan Standard is a dynamic application security testing tool designed for security experts and pen-testers. Using a powerful scanning engine, AppScan automatically crawls the target app and tests for vulnerabilities. Test results are prioritized and presented in a manner that allows the operator to quickly triage issues and hone-in on the most critical vulnerabilities found. Remediation is made easy using clear and actionable fix recommendations for each issue detected.

• License: Proprietary
• Used by – Corporations looking for high level assessment reports
• https://www.hcltechsw.com/wps/portal/products/appscan/offerings/standard

28. Netsparker Web Vulnerability Scanner
• Netsparker Ltd
• Commercial (Free trial available)
• Automated Testing

Netsparker (since rebranded as Invicti) is a web application security scanner that supports both detection and exploitation of vulnerabilities. It aims to be free of false positives by reporting only vulnerabilities it has confirmed, either by exploiting them or by otherwise verifying them; the vendor calls this Proof-Based Scanning™. The platform focuses on scalability, automation and integration, and can run either integrated into the SDLC or as a stand-alone solution.

• License: Proprietary
• Used by – Corporations looking for high level assessment reports and deep vulnerability assessments
• Rating: Excellent
• https://www.netsparker.com/web-vulnerability-scanner/

29. HP WebInspect
• HP
• Commercial
• Manual Testing & Automated Testing

WebInspect is a web application security assessment tool that helps identify known and unknown vulnerabilities in the web application layer. It also checks that the web server is configured properly and attempts common web attacks such as parameter injection, cross-site scripting and directory traversal. It was produced by SPI Dynamics, which HP acquired in 2007; the product later moved with HP's software business to Micro Focus (now OpenText) and is sold as Fortify WebInspect.

• License: Proprietary
• Used by – Corporations looking for high level assessment reports
• Rating: Good
• https://download.hpsmartupdate.com/webinspect/

30. Grendel-Scan
• Author: David Byrne
• Open Source
• Manual Testing & Automated Testing

Grendel-Scan is an open-source web application security testing tool that aims to provide in-depth assessment of web applications. It has an automated testing module for detecting common web application vulnerabilities and many features geared toward aiding manual penetration tests. Written entirely in Java with an easy-to-use GUI, it is intended to be usable by people from a wide variety of technical backgrounds.

• Written in Java
• License: The Apache License v2.0
• Rating: Great
• Used by – Students, Researchers and Penetration Testers
• https://sourceforge.net/projects/grendel/

31. WebReaver
• Websecurify
• Manual Testing & Automated Testing

WebReaver is an easy-to-use, fully automated web application security testing tool for Mac, Windows and Linux, suitable for novice as well as advanced users.
It tests a web application for a large variety of vulnerabilities, from severe ones such as SQL injection, local and remote file inclusion, command injection, cross-site scripting and expression injection to less severe ones such as session and header problems and information leakage.

• Rating: Good
• Used by – Students, Researchers and Penetration Testers
• https://webreaver.com/

32. OWASP SamuraiWTF
• OWASP Project
• Manual Testing & Automated Testing

SamuraiWTF (Web Training and Testing Framework) is a virtual machine, supported on VirtualBox and VMware, that is pre-configured to function as a web pen-testing and training environment. The environment is built with Vagrant and Ansible so that it can be built and extended on any host platform.

• Written in HTML and Ruby
• Built using Vagrant and Ansible
• License: GNU Public License version 3
• Used by – Students, Researchers and Penetration Testers
• https://github.com/OWASP/www-project-samuraiwtf
• https://owasp.org/www-project-samuraiwtf/

33. URLScan.io
• Author: Johannes Gilger
• Manual Testing & Automated Testing

URLScan.io is a web page analysis service written by Johannes Gilger. It loads a URL in a browser and records the details of every resulting HTTP connection, the site's content and its relations with other sites. Once you input a URL and hit the "Scan" button (public and private scans are free) it runs its automated analysis against every element, service and connection made during the page load. It observes the page rather than attacking it, so it belongs to reconnaissance and phishing or malware triage rather than vulnerability scanning.

• Written in Python
• Used by – Students, Researchers and Penetration Testers
• Rating: Excellent
• https://urlscan.io/

34. Acunetix Web Vulnerability Scanner
• Acunetix Ltd
• Commercial
• Automated Testing

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits web applications by checking for SQL injection, cross-site scripting and other exploitable vulnerabilities.
Acunetix WVS was created to counter the rise in attacks at the web application layer. It audits a website's security by launching a series of attacks against the site, then provides concise reports of each vulnerability found along with suggestions on how to fix it.

• License: Proprietary
• Used by – Corporations looking for high level assessment reports and deep vulnerability assessments
• Rating: Excellent
• https://www.acunetix.com/vulnerability-scanner/

35. Qualys Web Application Scanning
• Qualys, Inc.
• Commercial (Free trial available)
• Automated Testing

Qualys Web Application Scanning (WAS) is a cloud-based service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure a large number of websites. It proactively scans websites for malware infections, sending alerts to website owners to help prevent black listing and brand reputation damage.

• License: Proprietary
• Used by – Corporations looking for high level assessment reports and deep vulnerability assessments
• Rating: Excellent
• https://www.qualys.com/apps/web-app-scanning/

36. PenTera™
• Pcysys Ltd.
• Commercial
• Automated Testing

PenTera™ is an automated penetration-testing platform from Pcysys that continuously runs ethical exploits against infrastructure vulnerabilities and reports prioritised, threat-based weaknesses derived from what those exploits actually achieved. It runs remotely from the cloud or on-site to identify, analyze and focus remediation on breachable vulnerabilities. Its focus is the infrastructure layer rather than the web application layer, which sets it apart from the other products in this list.

• License: Proprietary
• Used by – Corporations looking for high level assessment reports and deep vulnerability assessments
• Rating: Great
• https://www.pcysys.com/

37. Imperva RASP
• Imperva, Inc.
• Commercial
• Runtime protection (not a testing tool)

Imperva RASP (Runtime Application Self-Protection) detects and blocks attacks from inside the application. Using patented LangSec techniques, which treat data as code, RASP has full context of a potentially malicious payload before the application finishes processing it. Its out-of-the-box protection covers the OWASP Top 10 as well as known and zero-day attacks, with enforcement against content, database and command injection, and it can protect legacy and third-party applications. RASP is a runtime protection control rather than a testing tool; it complements scanning but does not replace it, since it reports only what attackers actually send.

• License: Proprietary
• Used by – Corporations looking for high level assessment reports and deep vulnerability assessments
• Rating: Excellent
• https://www.imperva.com/products/runtime-application-self-protection-rasp/