Free Web Application Security Test Tools
Application Security


This topic contains 27 replies, has 17 voices, and was last updated by cybermo 2 years, 2 months ago.



    This is just one of the many lists of tools I use – this list is specific to free, open-source web application security test tools. More to come.

    Open Source and Free Web Application Testing Tools

    BeEF (Browser Exploitation Framework) – It detects application weakness using browser vulnerabilities. It uses client-side attack vectors to verify security of an application. It can issue browser commands like redirection, changing URLs, generating dialogue boxes etc.

    BURP Suite – Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

    Google Nogotofail – It is a network traffic security testing tool. It checks application for known TLS/SSL vulnerabilities and misconfigurations. It scans SSL/TLS encrypted connections and checks whether they are vulnerable to man-in-the-middle (MiTM) attacks. It can be set up as a router, VPN server or proxy server.

    Grendel-Scan – Grendel-Scan is an open-source web application security testing tool. It has an automated testing module for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests.

    Iron Wasp – It is a powerful GUI-based scanning tool which can check for over 25 kinds of web vulnerabilities. It can detect false positives and false negatives. It is built on Python and Ruby and generates HTML and RTF reports.

    LAPSE+ – Lapse+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher.

    Mantra Security Framework – Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux (both 32- and 64-bit) and Macintosh. In addition, it can work with other software like ZAP using its built-in proxy management function, which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese – Simplified, Chinese – Traditional, English, French, Portuguese, Russian, Spanish and Turkish.

    Acunetix Security Scanner – Acunetix has two scanners: Web Vulnerability Scanner and Network Security Scanner. You can either download a 14-day trial or run a free Network Security Scan from the cloud.

    Pantera Web Assessment Studio Project – Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.

    Sprajax – Sprajax is an open-source black box scanner for AJAX-enabled applications.

    SWF Intruder – SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.

    SWF Scan – No longer available on opensource – acquired by HP – no updates on status – you can find old versions if you search.

    Vega – It is a vulnerability scanning and testing tool written in Java. It works on OS X, Linux and Windows platforms. It is GUI enabled and includes an automated scanner and an intercepting proxy. It can detect web application vulnerabilities like SQL injection, header injection, cross-site scripting etc. It can be extended through a JavaScript API.

    WAP Web Application Protection – WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP, and it predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then it corrects the source code to remove the real vulnerabilities by inserting fixes (small functions) in the right places in the source code.

    WebScarab NG – WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins. There is a new Next Generation version with an easier UI, and session information is now written to a database instead of individual files.

    Web Server Security Test – Test your web server configuration, web application cookies, and HTTP headers for security and compliance with best practices, such as OWASP.

    WebTesting Environment – OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.

    WebStretch – Enables a user to view and alter all aspects of communications with a web site via a proxy. Primarily used for security-based penetration testing of web sites, it can also be used for debugging during development. Seen as part of a hacker toolkit.

    Watobo – WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. It performs vulnerability checks out of the box.

    ZED Attack Proxy (ZAP) – It was developed by OWASP and is available for Windows, Unix/Linux and Macintosh platforms. It is very easy to use. It can be used as a scanner or as an intercepting proxy to manually test a web page. Its key features are traditional and AJAX spiders, a fuzzer, WebSocket support and a REST-based API. It works out of the box and has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
    Nice post, you forgot to mention:
    1) Arachni
    2) Curl
    3) Python
    Beginners might leverage a Cybrary course and literature like Python Web Penetration Testing Cookbook.

    I like those for their easy and friendly CLI interfaces and for the freedom they give me to adjust my tests to my findings in the cyber threat arena.



    Thank you, I will add it to my list. Please connect with me on LinkedIn as well.



    I forgot a few:
    Netsparker Free Edition
    N-Stalker Free Edition



    That’s great info, I had never heard of most of them! Learn something new every day!

    Try Kali!

    Very useful.

    Also try the Samurai Web Testing Framework (it’s a distro dedicated to webapp security).

    MD Khurshid Alam

    If you are a professional working for an organization as a pentester, and you want to use one of the web application security tools from your list and put it in your report, what do you think will happen: will it be accepted or fully rejected?

    Thanks for the quick list, jadenturner, it will really help in the future.



    Thanks for the list – it is indeed very comprehensive.



    ParrotOS Security distro



    Thanks for this.



    Hi Jade,

    Interesting post, thanks for sharing! Gonna try some of them I never heard of before!


    Vladimir Stefanovic

    Thanks for sharing, very useful.
