Web Server Vulnerability Scanners

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP Benchmark project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.

SUCURI

SUCURI is one of the most popular free website malware and security scanner. You can do a quick test for malware, blacklisting status, injected SPAM, and defacements.

SUCURI also helps to clean and protect your website from online threats and works on any website platforms, including WordPress, Joomla, Magento, Drupal, phpBB, etc.

Netsparker

Web application security testing tools in complex environments should work together seamlessly with existing systems. You can integrate Netsparker with market-leading CI/CD solutions and issue trackers to use the web application security scanner in your DevSecOps/SecDevOps environment and follow the best practice shift-left paradigm (test early and test often). Such an approach will let you eliminate security vulnerabilities as early as possible, helping you save a lot of resources. You can also easily use Netsparker together in the SDLC with other security tools, for example, source code analyzers.

Vega

Vega is another free open source web vulnerability scanner and testing platform. With this tool, you can perform security testing of a web application. This tool is written in Java and offers a GUI based environment. It is available for OS X, Linux and Windows.

It can be used to find SQL injection, header injection, directory listing, shell injection, cross site scripting, file inclusion and other web application vulnerabilities. This tool can also be extended using a powerful API written in JavaScript.

While working with the tool, it lets you set a few preferences like total number of path descendants, number of child paths of a node, depth and maximum number of request per second. You can use Vega Scanner, Vega Proxy, Proxy Scanner and also Scanner with credentials. If you need help, you can find resources in the documentation section:

Documentation: https://subgraph.com/vega/documentation/index.en.html

Wapiti

Wapiti is also a nice web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data. It tries to inject payloads and see if a script is vulnerable. It supports both GET and POSTHTTP attacks and detects multiple vulnerabilities.

It can detect following vulnerabilities:

• File Disclosure
• File inclusion
• Cross Site Scripting (XSS)
• Command execution detection
• CRLF Injection
• SEL Injection and Xpath Injection
• Weak .htaccess configuration
• Backup files disclosure
• and many other

Wapiti is a command-line application. So, it may not be easy for beginners. But for experts, it will perform well. For using this tool, you need to learn lots of commands which can be found in official documentation.

Download Wapiti with source code: http://wapiti.sourceforge.net/

Wfuzz

Wfuzz is another freely available open source tool for web application penetration testing. It can be used to brute force GET and POST parameters for testing against various kinds of injections like SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading, SOCK, Proxy, Authentication, parameters brute forcing, multiple proxy and many other things. You can read more about the features of the tool here: http://code.google.com/p/wfuzz/

This tool does not offer a GUI interface, so you will have to work on command line interface.

Download Wfuzz from code.google.com: http://code.google.com/p/wfuzz/

Detectify

Fully supported by ethical hackers, the Detectify domain and web application security service offers automated security and asset monitoring, being able to detect more than 1500 vulnerabilities.

Its vulnerability scanning capacity includes OWASP Top 10, CORS, Amazon S3 Bucket, and DNS misconfigurations. The Asset Monitoring service continuously monitors subdomains, searching for hostile takeovers and alerting if anomalies are detected.

Detectify offers three pricing plans: Starter, Professional, and Enterprise. All of them start with a 14-day free trial, which you can take without using a credit card.

Pentest-Tools

The website vulnerability scanner is one of a comprehensive set of tools offered by Pentest-Tools that comprise a solution for information gathering, web application testing, CMS testing, infrastructure testing, and SSL testing. In particular, the website scanner is designed to discover common web application vulnerabilities and server configuration issues.

The company offers a Light version of the tool, which performs a passive web security scan. It is capable of detecting many vulnerabilities, including insecure cookie settings, insecure HTTP headers, and outdated server software. You can perform up to 2 free, full scans of your website to get a comprehensive assessment. The results will tell you about vulnerabilities such as local file inclusion, SQL injection, OS command injection, XSS, between others.

WebScarab

WebScarab is a Java-based security framework for analyzing web applications using HTTP or HTTPS protocol. With available plugins, you can extend the functionality of the tool. This tool works as an intercepting proxy. So, you can review the request and response coming to your browser and going to thw server. You can also modify the request or response before they are received by server or browser.

If you are a beginner, this tool is not for you. This tool was designed for those who have a good understanding of HTTP protocol and can write codes.

Webscarab provides many features which helps penetration testers work closely on a web application and find security vulnerabilities. It has a spider which can automatically find new URLs of the target website. It can easily extract scripts and HTML of the page. Proxy observes the traffic between server and your browser, and you can take control of the request and response by using available plugins. Available modules can easily detect most common vulnerabilities like SQL injection, XSS< CRLF and many other vulnerabilities.

Source code of the tool is available on Github: https://github.com/OWASP/OWASP-WebScarab

Download WebScarab here: https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project