14 best open-source web application vulnerability scanners [updated for 2020]
In the past, many popular websites have been hacked. Hackers are active and always trying to hack websites and leak data. This is why security testing of web applications is very important. And this is where web application security scanners come into play.
A web application security scanner is a software program which performs automatic black-box testing on a web application and identifies security vulnerabilities. Scanners do not access the source code; they only perform functional testing and try to find security vulnerabilities. Various paid and free web application vulnerability scanners are available.
In this post, we are listing the best free open-source web application vulnerability scanners. I’m adding the tools in random order, so please do not think it is a ranking of tools.
I am only adding open-source tools which can be used to find security vulnerabilities in web applications. I am not adding tools to find server vulnerabilities. And do not confuse free tools and open-source tools! There are various other tools available for free, but they do not provide source code to other developers. Open-source tools are those which offer source codes to developers so that developers can modify the tool or help in further development.
These are the best open-source web application penetration testing tools.
Grabber is a web application scanner which can detect many security vulnerabilities in web applications. It performs scans and tells where the vulnerability exists. It can detect the following vulnerabilities:
- Cross-site scripting
- SQL injection
- Ajax testing
- File inclusion
- JS source code analyzer
- Backup file check
It is not fast as compared to other security scanners, but it is simple and portable. This should be used only to test small web applications because it takes too much time to scan large applications.
This tool does not offer any GUI interface. It also cannot create any PDF reports. This tool was designed to be simple and for personal use. If you are thinking of it for professional use, I will not recommend it.
This tool was developed in Python and an executable version is also available if you want. Source code is available, so you can modify it according to your needs. The main script is grabber.py, which once executed calls other modules like sql.py, xss.py or others.
Download it here.
Source code on GitHub.
Vega is another free open-source web vulnerability scanner and testing platform. With this tool, you can perform security testing of a web application. This tool is written in Java and offers a GUI-based environment. It is available for OS X, Linux and Windows.
While working with the tool, it lets you set a few preferences such as the total number of path descendants, number of child paths of a node and the depth and maximum number of requests per second. You can use Vega Scanner, Vega Proxy and Proxy Scanner, and also scan with credentials. If you need help, you can find resources in the documentation section:
Documentation is here.
Download Vega here.
3. Zed Attack Proxy
Zed Attack Proxy is also known as ZAP. This tool is open-source and is developed by OWASP. It is available for Windows, Unix/Linux and Macintosh platforms.
I personally like this tool. It can be used to find a wide range of vulnerabilities in web applications. The tool is very simple and easy to use. Even if you are new to penetration testing, you can easily use this tool to start learning penetration testing of web applications.
These are the key functionalities of ZAP:
- Intercepting proxy
- Automatic scanner
- Traditional but powerful spiders
- Web socket support
- Plug-n-hack support
- Authentication support
- REST-based API
- Dynamic SSL certificates
- Smartcard and client digital certificates support
You can either use this tool as a scanner by inputting the URL to perform scanning, or you can use this tool as an intercepting proxy to manually perform tests on specific pages.
Download ZAP here.
Wapiti is a web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data. It tries to inject payloads and see if a script is vulnerable. It supports both GET and POSTHTTP attacks and detects multiple vulnerabilities.
It can detect the following vulnerabilities:
- File disclosure
- File inclusion
- Cross-site scripting (XSS)
- Command execution detection
- CRLF injection
- SEL injection and XPath injection
- Weak .htaccess configuration
- Backup file disclosure
- Many others
Wapiti is a command-line application, so it may not be easy for beginners. But for experts, it will perform well. To use this tool you need to learn lots of commands, which can be found in official documentation.
Download Wapiti with source code here.
W3af is a popular web application attack and audit framework. This framework aims to provide a better web application penetration testing platform. It was developed using Python. By using this tool, you will be able to identify more than 200 kinds of web application vulnerabilities including SQL injection, cross-site scripting and many others.
It comes with a graphical and console interface. You can use it easily, thanks to its simple interface.
If you are using it with a graphical interface, I do not think that you are going to face any problems with the tool. You only need to select the options and then start the scanner. If a website needs authentication, you can also use authentication modules to scan the session-protected pages.
We have already covered this tool in detail in our previous W3af walkthrough series. You can read those articles to know more about this tool.
You can access source code at the GitHub repository here.
Download it from the official website here.
WebScarab is a Java-based security framework for analyzing web applications using HTTP or HTTPS protocol. With available plugins, you can extend the functionality of the tool.
This tool works as an intercepting proxy; you can review the requests and responses coming to your browser and going to the server. You can also modify the request or response before they are received by the server or browser.
If you are a beginner, this tool is not for you. This tool was designed for those who have a good understanding of HTTP protocol and can write codes.
WebScarab provides many features which help penetration testers work closely on a web application and find security vulnerabilities. It has a spider which can automatically find new URLs of the target website. It can easily extract scripts and the HTML of the page. The proxy observes the traffic between the server and your browser, and you can take control of the request and response by using available plugins. Available modules can easily detect most common vulnerabilities like SQL injection, XSS, CRLF and many other vulnerabilities.
The source code of the tool is available on GitHub here.
Download WebScarab here.
Skipfish is another nice web application security tool. It crawls the website and then checks each page for various security threats. At the end, it prepares the final report.
This tool was written in C. It is highly optimized for HTTP handling and utilizing minimum CPU. It claims that it can easily handle 2,000 requests per second without adding a load on the CPU. It uses a heuristics approach while crawling and testing web pages, and claims to offer high quality and fewer false positives.
This tool is available for Linux, FreeBSD, MacOS X and Windows.
Download Skipfish or code from Google Codes here.
Ratproxy is an open-source web application security audit tool which can be used to find security vulnerabilities in web applications. It supports Linux, FreeBSD, MacOS X and Windows (Cygwin) environments.
You can read more about this tool here.
Download it here.
SQLMap is another popular open-source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerabilities in a website’s database. It has a powerful detection engine and many useful features. This way, a penetration tester can easily perform an SQL injection check on a website.
It supports a range of database servers including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. It offers full support for six kinds of SQL injection techniques: time-based blind, Boolean-based blind, error-based, UNION query, stacked queries and out-of-band.
Access the source code on GitHub here.
Download SQLMap here.
Wfuzz is another freely available open-source tool for web application penetration testing. It can be used to brute-force GET and POST parameters for testing against various kinds of injections like SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading, SOCK, proxy, authentication, parameter brute-forcing, multiple proxy and many other things.
This tool does not offer a GUI interface, so you will have to work on the command-line interface.
You can read more about the features of the tool here.
Download Wfuzz from code.google.com here.
Grendel-Scan is another nice open-source web application security tool. This is an automatic tool for finding security vulnerabilities in web applications. Many features are also available for manual penetration testing. This tool is available for Windows, Linux and Macintosh and was developed in Java.
Download the tool and source code here.
Watcher is a passive web security scanner. It does not attack with loads of requests or crawl the target website. It is not a separate tool but an add-on of Fiddler, so you need to install Fiddler first and then install Watcher to use it.
It quietly analyzes the requests and responses from the user interaction and then makes a report on the application. As it is a passive scanner, it will not affect the website’s hosting or cloud infrastructure.
Download Watcher and its source code here.
X5S is also a Fiddler add-on intended to provide a way to find cross-site scripting vulnerabilities. This is not an automatic tool, so you need to understand how encoding issues can lead to XSS before using it. You need to manually find the injection point and then check where XSS might be in the application.
We have covered X5S in a previous post. You can refer to that article to read more about X5S and XSS.
Download X5S and source code from Codeplex here.
You can also refer to this official guide to know how to use X5S.
Arachni is an open-source tool developed for providing a penetration testing environment. This tool can detect various web application security vulnerabilities. It can detect various vulnerabilities like SQL injection, XSS, local file inclusion, remote file inclusion, unvalidated redirect and many others.
Download this tool here.
These are the best open-source web application security testing tools. I tried my best to list all the tools available online. If a tool was not updated for many years, I did not mention it here; this is because if a tool is more than 10 years old, it can create compatibility issues in the recent environment.
If you are a developer, you can also join the developers’ community of these tools and help them grow. By helping these tools, you will also increase your knowledge and expertise.
If you want to start penetration testing, I will recommend using Linux distributions which have been created for penetration testing. These environments are Backtrack, Gnacktrack, Backbox and BlackBuntu. All these tools come with various free and open-source tools for website penetration testing.
If you think I forgot to mention an important tool, you can drop a comment and I will try to add it.