List of known tools that can help with your Web Application testing.


Burp Suite - Integrated platform for performing security testing of web applications.


WebScarab - Proxy interception

OWASP Zed Attack Proxy (ZAP) - Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.


DirBuster - Directory brute force

gobuster - Directory brute force

dirb - Directory brute force

wfuzz - Web fuzzer that replaces every occurrence of the FUZZ keyword with the value of a given payload.

dirsearch - simple command line tool designed to brute force directories and files in websites.

Dirble - a website directory scanning tool for Windows and Linux.

Parameth - Brute-force discovery of GET and POST parameters


nikto - web server scanner

wikto - Wikto is Nikto for Windows

W3af - Web Application Attack and Audit Framework

Raccoon - Offensive Security Tool for Reconnaissance and Information Gathering

WAScan - Web Application Scanner - designed to find various vulnerabilities using the "black-box" method

Breacher - A script to find admin login pages and EAR vulnerabilities.

Snallygaster - scan for secret files on HTTP servers

IIS Short Name Scanner - scans for the IIS short file name disclosure vulnerability by using the tilde (~) character

oxml_xxe - This tool is meant to help test XXE vulnerabilities

ACSTIS - helps you to scan certain web applications for AngularJS Client-Side Template Injection


WPScan - black box WordPress vulnerability scanner

WordPress Exploit Framework - testing of WordPress systems

WPForce - WPForce is a suite of WordPress Attack tools.

cms-Explorer - designed to reveal the specific modules, plugins, components and themes that various CMS

CMSmap - automates the process of detecting security flaws of the most popular CMS

CMSeeK - Basic CMS Detection of over 170 CMS

droopescan - A plugin-based scanner that aids security researchers in identifying issues with several CMSs, including Drupal.

Typo3-Enumerator - automates the process of detecting the Typo3 CMS

Joomscan - OWASP Joomla! Vulnerability Scanner (JoomScan)


XSStrike - Advanced XSS Detection Suite

SQL injection

Sqlmap - automates the process of detecting and exploiting SQL injection flaws

SQLmate - Companion to Sqlmap with extras such as finding the admin panel of the target


LFI Freak - exploiting local file inclusions using PHP Input

Tplmap - assists the exploitation of Code Injection

XCat - exploit and investigate blind XPath injection vulnerabilities.

Ysoserial - generating payloads that exploit unsafe Java object deserialization

Fuxploider - detecting and exploiting file upload forms flaws


Offensive Web Testing Framework - tests to security standards like the OWASP Testing Guide

Network protection

WhatWaf - advanced firewall detection tool