Best Website Vulnerability Scanner Tools
In this article I will discuss the tools used to find website weaknesses. Once we know what the weaknesses of our website are, we can fix them and reduce the chance of the website being hacked by nosy people. So let's go through the list.
List of Website Vulnerability Scanner Tools:
Grabber
Grabber is a web application scanner that can detect many vulnerabilities in a web application. This tool can detect the following vulnerabilities:
- Cross site scripting
- SQL injection
- Ajax testing
- File inclusion
- JS source code analyzer
- Backup file check
This tool does not have a GUI, so those who are not familiar with the CLI may find it a little difficult, and it cannot generate PDF reports. It is designed to be simple and for personal use; it may not be recommended for professional use.
Download here: http://rgaucher.info/beta/grabber/
Source code on Github: https://github.com/neuroo/grabber
Vega
Vega is another free, open source web vulnerability scanner and testing platform. With this tool, you can perform web application security testing. It is written in Java and has a GUI. It is available for OS X, Linux and Windows.
This tool can be used to find SQL injection, header injection, directory listing, shell injection, cross site scripting, file inclusion and other web application vulnerabilities. It can also be extended using a powerful API written in the JavaScript language.
If you need assistance, you can find help in the documentation section:
Documentation: https://subgraph.com/vega/documentation/index.en.html
Download Vega: https://subgraph.com/vega/
Zed Attack Proxy
Zed Attack Proxy is also known as ZAP. This tool is open source and developed by OWASP. It is available for Windows, Unix / Linux and Macintosh platforms and can be used to find various vulnerabilities in web applications. It is very simple and easy to use; even those of us who are new to penetration testing can easily use it to start learning penetration testing for web applications.
The following are the main functions of ZAP:
- Intercepting Proxy
- Automatic Scanner
- Traditional but powerful spiders
- Fuzzer
- Web Socket Support
- Plug-n-hack support
- Authentication support
- REST based API
- Dynamic SSL certificates
- Smartcard and Client Digital Certificates support
You can use this tool as a scanner by entering a URL to perform scanning, or it can be used as a proxy to perform tests on certain pages.
Download the ZAP: http://code.google.com/p/zaproxy/
Wapiti
Wapiti is another web vulnerability scanner that lets you perform a security audit of your web application. It performs black-box testing by scanning web pages and injecting data: it attempts to inject payloads and checks whether a script is vulnerable. It supports GET and POST HTTP attacks and detects several vulnerabilities.
This tool can detect the following vulnerabilities:
- File Disclosure
- File inclusion
- Cross Site Scripting (XSS)
- Command execution detection
- CRLF Injection
- SQL Injection and XPath Injection
- Weak .htaccess configuration
- Backup files disclosure
- And much more
Wapiti is CLI based, so it might be a little difficult for beginners. For experts this is not a significant problem. To learn the commands, see the documentation section.
Download Wapiti with source code: http://wapiti.sourceforge.net/
W3af
W3af is a web application attack and audit framework. This framework aims to provide a better web application penetration testing platform. It was developed using Python. Using this tool, you will be able to identify over 200 types of web application vulnerabilities including SQL injection, Cross-Site Scripting and many more. It can be used with a GUI or the CLI, and its interface is easy to understand. If a website requires authentication, you can also use the authentication module to scan session-protected pages.
You can access the source on the Github repository: https://github.com/andresriancho/w3af/
To download from the official site: http://w3af.org/
WebScarab
WebScarab is a Java-based security framework for analyzing web applications that use the HTTP or HTTPS protocol. With the available plugins, you can extend the tool's functionality. This tool works as an intercepting proxy, so you can review the requests your browser sends to the server and the responses it receives. You can also change a request or response before it is received by the server or browser. Unfortunately, beginners will find this tool difficult because it requires an understanding of the HTTP protocol and the ability to code. WebScarab provides many features that help penetration testers find security vulnerabilities. It has a spider that can automatically find new URLs on the target site and can easily fetch scripts and HTML pages. The proxy monitors the traffic between the server and your browser, and you can take control of requests and responses using the plugins provided. The available modules can easily detect the most common vulnerabilities such as SQL Injection, XSS, CRLF and many other vulnerabilities.
Source code of the tool is available on Github: https://github.com/OWASP/OWASP-WebScarab
Download WebScarab here: https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Skipfish
Skipfish is also a great web application security tool. It crawls the website, checks each page for various security threats and finally prepares a report. This tool is written in C. It is highly optimized for HTTP handling and takes up very little CPU. It is claimed to easily handle 2000 requests per second without increasing the load on the CPU. This tool is available for Linux, FreeBSD, MacOS X and Windows.
Download Skipfish on Google code: http://code.google.com/p/skipfish/
Ratproxy
Ratproxy is an open source web application security audit tool that can be used to find vulnerabilities in web applications. The tool can be used on Linux, FreeBSD, MacOS X and Windows.
This tool is designed to solve the problems users usually face when using proxy tools for security audits. It is capable of differentiating between CSS stylesheets and JavaScript code. It also supports MITM SSL, which means you can view data sent over SSL too.
Download Ratproxy: http://code.google.com/p/ratproxy/
SqlMap
SqlMap is a popular tool among pentesters. It automates the process of finding and exploiting SQL injection vulnerabilities in a website's database. It has a powerful detection engine and many other useful features, so a penetration tester can easily check a website for SQL injection.
It supports various database servers including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. This tool offers full support for 6 different SQL injection techniques: time-based blind, boolean-based blind, error-based, UNION query, stacked queries and out-of-band.
Source code and download on Github: https://github.com/sqlmapproject/sqlmap
Wfuzz
Wfuzz can be used to brute force GET and POST parameters to test for various injection types such as SQL, XSS, LDAP and many more. It also supports cookie fuzzing, multi-threading, SOCKS, proxies, authentication, parameter brute forcing, multiple proxies and many other things. This tool is CLI only; there is no GUI.
Download Wfuzz at code.google.com: http://code.google.com/p/wfuzz/
Grendel-Scan
Grendel-Scan is a tool that automatically finds vulnerabilities in web applications. Many other features are also available for manual penetration testing. This tool is available for Windows, Linux and Macintosh. It is developed in Java.
Download tools and source code: http://sourceforge.net/projects/grendel/
Watcher
Watcher is a passive web security scanner. It does not send multiple requests to the target site or crawl it. Watcher is not a separate tool but an add-on for Fiddler, so you need to install Fiddler first and then install Watcher to use it.
This tool silently analyzes requests and responses from user interactions and then generates reports. Because it is a passive scanner, it won't affect your website hosting or cloud infrastructure.
Download Watcher and its source code: http://websecuritytool.codeplex.com/
X5S
X5S is also a Fiddler add-on that aims to provide a way to find cross-site scripting vulnerabilities. The tool isn't automatic, so you need to understand how encoding issues can lead to XSS. You need to manually find the injection point and then check where XSS is possible.
Download X5S and source code from codeplex: http://xss.codeplex.com/
You can also refer to the official guide to know how to use the X5S: http://xss.codeplex.com/wikipage?title=tutorial
Arachni
Arachni is an open source tool developed to provide a penetration testing environment. It can detect various web application vulnerabilities such as SQL Injection, XSS, local file inclusion, remote file inclusion, unvalidated redirect, and many more.
The tool can be downloaded here: http://www.arachni-scanner.com/
That's the list of tools you might want to use to find website weaknesses. These tools are all open source, so you are free to use and develop them.