Most Popular
Netsparker 1.3.0.0 in the wild
Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual attacker.
(Update) Skipfish Active web application scanner v1.08 beta just released
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks.
Focus on MacNikto v1.1.1
MacNikto is an AppleScript GUI shell script wrapper built in Apple’s Xcode and Interface Builder, released under the terms of the GPL. It provides easy access to a subset of the features available in the Open Source, command-line driven Nikto web security scanner, installed along with the MacNikto application.
W3AF ported to FreeBSD
w3af is a Web Application Attack and Audit Framework. The w3af core and its plugins are fully written in Python. The project has more than 130 plugins, which check for SQL injection, cross-site scripting (XSS), local and remote file inclusion and much
XSSploit XSS scanner multi-platform v0.5 available
XSSploit is a multi-platform Cross-Site Scripting scanner and exploiter written in Python. It has been developed to help with the discovery and exploitation of XSS vulnerabilities in penetration testing engagements.
WhatWeb v0.4 - released
WhatWeb identifies content management systems (CMS), blogging platforms, stats/analytics packages, JavaScript libraries, servers and more. Licensed under GPLv3.
fimap v0.8a released
fimap is a small Python tool that can find, prepare, audit, exploit and even Google automatically for local and remote file inclusion bugs in web apps. fimap should be something like sqlmap, just for LFI/RFI bugs instead of SQL injection. It is currently under heavy development, but it is usable.
Vordel SOAPbox for analyzing Webservices Security
SOAPbox is a Web services testing tool, which supports both SOAP-based and REST-based invocation modes. It shares some of its architecture with the Vordel XML Gateway, especially for security features or policy creation.
FireCAT v1.6 updated with 4 Firebug add-ons
FireCAT (Firefox Catalog of Auditing exTension) is a mind-map collection of the most efficient and useful Firefox extensions oriented toward application security auditing and assessment. FireCAT is not a replacement for other security utilities and software such as fuzzers, proxies and application vulnerability scanners.
Eclipse HTTP Client (HTTP4e) v3.0 available
Eclipse HTTP Client (HTTP4e) is an Eclipse plugin for making HTTP and RESTful calls. Built with user experience in mind, it simplifies the developer/QA job of testing Web Services, REST, JSON and HTTP. It is a useful tool for your daily job of HTTP header tampering and hacking.
DirBuster v1.0 RC 1 - released
DirBuster is a multi-threaded Java application designed to brute-force directory and file names on web/application servers.
Samurai Web Testing Framework 0.8 available
The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
Websecurify v0.5 Final
Websecurify Security Testing Framework identifies web security vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The framework is written in JavaScript and successfully executes on numerous platforms, including modern browsers with support for HTML5, xulrunner, xpcshell, Java, V8 and others.
Acunetix WVS v6.5 build 20100303 released
Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable vulnerabilities. Automated scans may be supplemented and cross-checked with a variety of manual tools to allow for comprehensive web site and web application penetration testing.
Websecurify v0.5 RC 1 released
Websecurify Security Testing Framework identifies web security vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The framework is written in JavaScript and successfully executes on numerous platforms, including modern browsers with support for HTML5, xulrunner, xpcshell, Java, V8 and others.
Web Security Dojo v1.0 released
Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine (VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use non-conflicting ports and a Firefox proxy switcher is set up to match.
Watcher Web Security Scanning tool v1.3.0 available
Watcher (the open source Web Security Testing Tool and PCI compliance auditing utility) is a runtime passive-analysis tool for HTTP-based Web applications. It detects Web application security issues as well as operational configuration issues.
Websecurify v0.5 Beta 1 released
Websecurify Security Testing Framework identifies web security vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The framework is written in JavaScript and successfully executes on numerous platforms, including modern browsers with support for HTML5, xulrunner, xpcshell, Java, V8 and others.
SSL/TLS Audit version Alpha
SSL Audit scans web servers for SSL support. Unlike other tools, it is not limited to the ciphers supported by SSL engines such as OpenSSL or NSS, and can detect all known cipher suites over all SSL and TLS versions.