In the past, many well-known websites have been compromised by attackers, with serious consequences and loss of reputation for the businesses involved. Security checks on a website are therefore extremely important to avoid future losses. A security assessment needs skilled experts and is costly; in addition, Application Security Scanner tools should be used to find vulnerabilities quickly and apply timely patches to keep the website secure.
An Application Security Scanner is a software program that lets you check for security vulnerabilities on websites.
Commercial Application Security Scanners such as Acunetix Web Vulnerability Scanner are quite effective; besides these, there are many open source web scanning programs that are highly effective and help experts and programmers find security flaws in a website quickly and save time.
Do not confuse open source programs with free programs; they are completely different. Open source means the application's source code repository is available, so users can customize it in many ways; sometimes it is developed into an application sold for money, sometimes it is shared for free, but in all cases the source code must be published. Free applications cost nothing, but their source code is not necessarily available.
1. Grabber:
As a web application vulnerability scanner, the vulnerabilities it can detect:
Cross site scripting
SQL injection
Ajax testing
File inclusion
JS source code analyzer
Backup file check
This tool runs quite quickly on small websites and takes a long time on large ones.
This tool is developed in Python and provides no user interface. You can customize or study its source code.
Download it here: http://rgaucher.info/beta/grabber/
Source code on Github: https://github.com/neuroo/grabber
2. Vega:
This is a tool developed in Java that runs on OS X, Windows and Linux.
Vega can look for SQL injection, header injection, directory listing, shell injection, cross site scripting, file inclusion and several other web application vulnerabilities.
You can set the number of scan threads per second when you start checking a website.
Documentation: https://subgraph.com/vega/documentation/index.en.html
Download Vega: https://subgraph.com/vega/
3. Zed Attack Proxy:
This is a tool developed by OWASP that runs on Windows, OS X, Unix and Linux. It is simple and easy to use.
Its features are listed below:
Intercepting Proxy
Automatic Scanner
Traditional but powerful spiders
Fuzzer
Web Socket Support
Plug-n-hack support
Authentication support
REST based API
Dynamic SSL certificates
Smartcard and Client Digital Certificates support
Download ZAP: http://code.google.com/p/zaproxy/
4. Wapiti:
This is also a good website security testing tool. It works by crawling the site's links and injecting test data into form objects (textboxes, …); it supports GET and HTTP POST. Vulnerabilities that this tool can detect:
File Disclosure
File inclusion
Cross Site Scripting (XSS)
Command execution detection
CRLF Injection
SQL Injection and XPath Injection
Weak .htaccess configuration
Backup files disclosure
This tool is operated from the command line, so it is difficult for beginners to use.
Download Wapiti with source code: http://wapiti.sourceforge.net/
5. W3af:
This web security testing tool is developed in Python. With it you can check for more than 200 web application vulnerabilities, including dangerous ones such as SQL injection and Cross-Site Scripting.
Notably, this tool comes with a graphical interface whose options make it easy to use.
More details about this tool:
https://github.com/andresriancho/w3af/
Download it from the official website: http://w3af.org/
6. WebScarab:
This is not a tool for beginners, as it is designed for people who have a good understanding of HTTP and know how to code.
In addition to the features found in other website security testing tools, it has a spider function that automatically finds the target's links and generates scripts to check for vulnerabilities on those links.
Vulnerabilities the tool can detect: SQL injection, XSS, CRLF injection and many more.
Source code of the tool is available on Github: https://github.com/OWASP/OWASP-WebScarab
Download WebScarab here: https://www.owasp.org/index.php/Cate…Scarab_Project
7. Skipfish:
This is a tool written in C. It is optimized to run 2000 requests per second without heavy CPU use, so it is quite fast.
This tool runs on OS X, Linux and Windows.
Download Skipfish or its code from Google Code: http://code.google.com/p/skipfish/
8. Ratproxy:
Ratproxy is also an open source web application security testing tool. It supports Linux, FreeBSD, Mac OS X and (Cygwin) Windows environments.
This tool is designed to overcome problems users often face with other proxy tools used for security checks. It can distinguish between CSS and JavaScript code. It also supports SSL during security checks, which means you can view the data even when the website runs over SSL.
You can read more about this tool here: http://code.google.com/p/ratproxy/wiki/RatproxyDoc
Download: http://code.google.com/p/ratproxy/
9. SQLMap:
This is probably the most commonly used tool, and many of you know about it.
SQLMap is written in Python and runs from the command line on all three platforms: OS X, Linux and Windows.
You can learn more about this tool at:
https://github.com/sqlmapproject/sqlmap
Download SQLMap here: https://github.com/sqlmapproject/sqlmap
10. Wfuzz:
Wfuzz is a free and open source tool for web application security testing. It can execute GET and POST queries to detect vulnerabilities such as SQL injection, XSS, LDAP injection and many more. It also supports cookie fuzzing, multi-threading, SOCKS and HTTP proxies, authentication, parameter brute forcing, multiple proxies, etc.
This tool has no graphical interface, so you must use it from the command line.
Download Wfuzz from code.google.com: http://code.google.com/p/wfuzz/
11. Grendel-Scan:
This is a tool developed in Java that runs on OS X, Linux and Windows. It helps professionals quickly find web application vulnerabilities.
Download the tool and source code: http://sourceforge.net/projects/grendel/
12. Watcher:
Unlike the other tools, this is a passive program in the form of an add-on. To use it you need to install Fiddler first and then install the Watcher add-on.
As a passive scanner, it only inspects the traffic that already passes through the proxy, so it does not affect the website or its infrastructure.
Download watcher and its source code: http://websecuritytool.codeplex.com/
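As an added example (not code from this article or from the Watcher project), here is the kind of check a passive scanner performs: it reads a response the proxy has already captured and sends nothing to the site. The header list, the findings and the sample response are constructed for the example.

```python
# Added example, not code from the original article or the Watcher project.
# A passive check in the spirit of Watcher: it inspects HTTP responses that a
# proxy such as Fiddler has already captured and never sends a request itself.
import re

# Security headers a passive scanner expects on every HTML response.
EXPECTED_HEADERS = {"content-security-policy", "x-content-type-options",
                    "x-frame-options", "strict-transport-security"}

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Repeated headers such as Set-Cookie are collected as a list.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def passive_findings(raw, over_tls=True):
    """Return a sorted list of issues found in one captured response."""
    _status, headers, _body = parse_response(raw)
    findings = []
    ctype = headers.get("content-type", [""])[0].lower()
    if ctype.startswith("text/html"):
        for name in sorted(EXPECTED_HEADERS - set(headers)):
            findings.append("missing header: " + name)
    for cookie in headers.get("set-cookie", []):
        cname = cookie.split("=", 1)[0]
        flags = [p.strip().lower() for p in cookie.split(";")[1:]]
        if "httponly" not in flags:
            findings.append("cookie without HttpOnly: " + cname)
        if over_tls and "secure" not in flags:
            findings.append("cookie without Secure: " + cname)
    # Banners that leak version numbers are a classic passive finding.
    for banner in headers.get("server", []) + headers.get("x-powered-by", []):
        if re.search(r"\d+\.\d+", banner):
            findings.append("version disclosure: " + banner)
    return sorted(findings)

# Constructed sample response, as a proxy would have captured it.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.2.15\r\n"
          "Content-Type: text/html; charset=utf-8\r\n"
          "X-Frame-Options: DENY\r\n"
          "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
          "\r\n"
          "<html><body>hello</body></html>")
```

Running `passive_findings(SAMPLE)` reports the three missing headers, the session cookie without the Secure flag and the Apache version banner, all without a single request leaving the proxy.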
13. X5S:
This is a Fiddler add-on; to use it you must also install Fiddler first.
Download X5S and source code from codeplex: http://xss.codeplex.com/
14. Arachni:
Arachni is an open source tool developed to provide a penetration testing environment. It can detect various web application vulnerabilities such as SQL injection, XSS, local file inclusion, remote file inclusion, unvalidated redirects and many more.
Download this tool here: http://www.arachni-scanner.com/
Through this article you now know a few more tools that help find website security vulnerabilities. I have only briefly introduced the tools above; I hope there will be detailed articles on each of these tools for everyone to learn from.
Source: resources dot infosecinstitute dot com