Web Application Tools | VK9 Security

List of known tools that can help with your Web Application testing.

Proxy

Burp Suite – Integrated platform for performing security testing of web applications.

Extensions

Freddy the Serial(isation) Killer – detecting and exploiting serialisation libraries/APIs.
Tplmap – Burp Suite Extension.

Web scarab – Proxy interception

OWASP Zed Attack Proxy (ZAP) – Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.

Spidering

dirbooster – Directory brute force

gobuster – Directory brute force

dirb – Directory brute force

wfuzz – it replaces any reference to the FUZZ keyword by the value of a given payload.

dirsearch – simple command line tool designed to brute force directories and files in websites.

Dirble – a website directory scanning tool for Windows and Linux.

Parameth – This tool can be used to brute discover GET and POST parameters

Scanner

nikto – web server scanner

wikto – Wikto is Nikto for Windows

W3af – Web Application Attack and Audit Framework

Racoon – Offensive Security Tool for Reconnaissance and Information Gathering

WAScan – Web Application Scanner – designed to find various vulnerabilities using “black-box” method

Breacher – A script to find admin login pages and EAR vulnerabilites.

Snallygaster – scan for secret files on HTTP servers

IIS Short Name Scanner – disclosure vulnerability by using the tilde (~) character

oxml_xxe – This tool is meant to help test XXE vulnerabilities

ACSTIS – helps you to scan certain web applications for AngularJS Client-Side Template Injection

CMS

WPScan – black box WordPress vulnerability scanner

WordPress Exploit Framework – testing of WordPress systems

WPForce – WPForce is a suite of WordPress Attack tools.

WordPress Exploit Framework – Designed to aid in the penetration testing of WordPress systems.

cms-Explorer – designed to reveal the the specific modules, plugins, components and themes that various CMS

CMSmap – automates the process of detecting security flaws of the most popular CMS

CMSeeK – Basic CMS Detection of over 170 CMS

droopescan – A plugin-based scanner that aids security researchers in identifying issues with several CMS Drupal.

Typo3-Enumerator – automates the process of detecting the Typo3 CMS

Joomscan – OWASP Joomla! Vulnerability Scanner (JoomScan)

XSS

XSStrike – Advanced XSS Detection Suite

SQL injection

Sqlmap – automates the process of detecting and exploiting SQL injection flaws

SQLmate – Like finding admin panel of the target

Exploitation

LFI Freak – exploiting local file inclusions using PHP Input

Tplmap – assists the exploitation of Code Injection

XCat – exploit and investigate blind XPath injection vulnerabilities.

Ysoserial – generating payloads that exploit unsafe Java object deserialization

Fuxploider – detecting and exploiting file upload forms flaws

Framework

Offensive Web Testing Framework – tests to security standards like the OWASP Testing Guide

Network protection

WhatWaf – advanced firewall detection tool