List of known tools that can help with your Web Application testing.
Proxy
Burp Suite - Integrated platform for performing security testing of web applications.
Extensions
- Freddy the Serial(isation) Killer - detecting and exploiting serialisation libraries/APIs.
- Tplmap - Burp Suite Extension.
Web scarab - Proxy interception
OWASP Zed Attack Proxy (ZAP) - Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.
Spidering
dirbooster - Directory brute force
gobuster - Directory brute force
dirb - Directory brute force
wfuzz - it replaces any reference to the FUZZ keyword by the value of a given payload.
dirsearch - simple command line tool designed to brute force directories and files in websites.
Dirble - a website directory scanning tool for Windows and Linux.
Parameth - This tool can be used to brute discover GET and POST parameters
Scanner
nikto - web server scanner
wikto - Wikto is Nikto for Windows
W3af - Web Application Attack and Audit Framework
Racoon - Offensive Security Tool for Reconnaissance and Information Gathering
WAScan - Web Application Scanner - designed to find various vulnerabilities using "black-box" method
Breacher - A script to find admin login pages and EAR vulnerabilites.
Snallygaster - scan for secret files on HTTP servers
IIS Short Name Scanner - disclosure vulnerability by using the tilde (~) character
oxml_xxe - This tool is meant to help test XXE vulnerabilities
ACSTIS - helps you to scan certain web applications for AngularJS Client-Side Template Injection
CMS
WPScan - black box WordPress vulnerability scanner
WordPress Exploit Framework - testing of WordPress systems
WPForce - WPForce is a suite of WordPress Attack tools.
WordPress Exploit Framework - Designed to aid in the penetration testing of WordPress systems.
cms-Explorer - designed to reveal the the specific modules, plugins, components and themes that various CMS
CMSmap - automates the process of detecting security flaws of the most popular CMS
CMSeeK - Basic CMS Detection of over 170 CMS
droopescan - A plugin-based scanner that aids security researchers in identifying issues with several CMS Drupal.
Typo3-Enumerator - automates the process of detecting the Typo3 CMS
Joomscan - OWASP Joomla! Vulnerability Scanner (JoomScan)
XSS
XSStrike - Advanced XSS Detection Suite
SQL injection
Sqlmap - automates the process of detecting and exploiting SQL injection flaws
SQLmate - Like finding admin panel of the target
Exploitation
LFI Freak - exploiting local file inclusions using PHP Input
Tplmap - assists the exploitation of Code Injection
XCat - exploit and investigate blind XPath injection vulnerabilities.
Ysoserial - generating payloads that exploit unsafe Java object deserialization
Fuxploider - detecting and exploiting file upload forms flaws
Framework
Offensive Web Testing Framework - tests to security standards like the OWASP Testing Guide
Network protection
WhatWaf - advanced firewall detection tool