What Is This Resource?
Web applications are hugely attractive to attackers for many reasons, not least because when they are mismanaged and left unpatched they become very easy to attack. In this resource we list a selection of web application hacking software that can be used to probe and compromise a website (for example).
In order of priority we note that these are the most popular Content Management Systems being used today.
So, with WordPress being the Internet's most popular CMS, there is ample evidence of just how many attackers go after WordPress. WordPress hacking software is therefore plentiful, and in this resource we outline a range of tools and software that will help you establish how secure your CMS really is.
Last Updated: September 23rd, 2017
What is Acunetix WVS?
Acunetix is a web vulnerability scanner that automatically checks web applications for vulnerabilities such as cross-site scripting, SQL injection, weak passwords on authentication pages and arbitrary file creation. It has a capable GUI that can produce compliance reports and security audits, and it includes tools for advanced manual web application testing.
Is Acunetix WVS Free?
No. It is a commercial program, though it is fast and comparatively inexpensive.
Does Acunetix WVS Work on all Operating Systems?
It currently works on Windows operating systems.
What are the Typical Uses for Acunetix WVS?
Acunetix WVS is used to find out whether a website is secure by crawling and analysing the web application and testing it for flaws such as SQL injection. Its detailed report identifies where the web application needs to be fixed.
What is AppScan?
AppScan provides security testing throughout the application development lifecycle, giving security assurance early in development and easing unit testing. It can scan for many common vulnerabilities, such as HTTP response splitting, cross-site scripting, hidden field manipulation, parameter tampering, buffer overflows, backdoors/debug options and many more.
Is AppScan Free?
No. AppScan is a commercial tool; free trial versions may also be offered.
Does AppScan Work on all Operating Systems?
It works on Microsoft Windows operating systems.
What are the Typical Uses for AppScan?
AppScan is used to enhance mobile and web application security. It is also used to strengthen regulatory compliance and improve application security program management. The tool helps users identify security vulnerabilities, generate reports and obtain fix recommendations.
What is Burp Suite?
Burp Suite is a platform made up of several tools, with many interfaces between them, designed to facilitate and speed up the process of attacking web applications. All of these tools share the same framework for displaying and handling HTTP messages, authentication, persistence, logging, alerting, proxying and extensibility.
Is Burp Suite Free?
A paid Professional edition is available, and there is also a free edition with a reduced feature set.
Does Burp Suite Work on all Operating Systems?
Burp Suite works on Linux, Mac OS X and Windows.
What are the Typical Uses for Burp Suite?
This tool is used primarily to pentest web applications by attacking them through its intercepting proxy. It can also be used simply to read and inspect web traffic. It is widely regarded as reliable and feature-rich.
What is DirBuster?
DirBuster's main purpose is to search for hidden directories and pages on a web server. Developers sometimes leave a page accessible but unlinked; this tool is designed to discover such pages, which are potential vulnerabilities. It is a Java application developed by OWASP.
Is DirBuster Free?
Yes. All versions of this tool are free of charge.
Does DirBuster Work on all Operating Systems?
It works on Linux, Mac OS X and Windows.
What are the Typical Uses for DirBuster?
The DirBuster project is no longer actively maintained, but it was, and still is, used to brute-force file and directory names on web and application servers; its functionality lives on as the Forced Browse add-on for OWASP ZAP.
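To make concrete what DirBuster actually does, here is an added example in Python (not DirBuster's own code). It starts a small constructed target server in-process with a few unlinked paths, then tries every wordlist entry as a bare name, as a directory and with each extension, and reports everything that is not a 404. The hidden paths, wordlist and extensions are all made up for the demonstration.

```python
"""Forced browsing in the style of DirBuster (added example, not the project's code).

A target web server with a few unlinked paths is constructed in-process so the
script runs offline; the hidden paths, wordlist and extensions are all made up.
"""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed target: these paths exist but nothing on the site links to them.
HIDDEN_PATHS = {
    "/admin/": 200,
    "/backup.zip": 200,
    "/config.php.bak": 200,
    "/.git/": 403,  # present but forbidden: existence is still worth reporting
}


class TargetHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(HIDDEN_PATHS.get(self.path, 404))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_target():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 301/302 on a guessed path is itself a finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def candidates(words, extensions):
    """Yield the paths DirBuster would try: bare name, directory form, and name.ext."""
    for word in words:
        yield f"/{word}"
        yield f"/{word}/"
        for ext in extensions:
            yield f"/{word}.{ext}"


def probe(base_url, path):
    """Return the HTTP status for one path, or None if the connection failed."""
    try:
        with OPENER.open(base_url + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def forced_browse(base_url, words, extensions,
                  interesting=(200, 301, 302, 401, 403)):
    """Probe every candidate and return {path: status} for the interesting hits."""
    found = {}
    for path in candidates(words, extensions):
        status = probe(base_url, path)
        if status in interesting:
            found[path] = status
    return found


# Constructed wordlist; a real run uses DirBuster's lists of tens of thousands of names.
WORDS = ["admin", "backup", "config", "login", ".git", "test"]
EXTENSIONS = ["zip", "php", "php.bak", "txt"]


def demo():
    """Start the constructed target, brute-force it, and return the findings."""
    server = start_target()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return forced_browse(base, WORDS, EXTENSIONS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(status, path)
```

Two details matter in practice: a 403 is kept as a hit because a forbidden path still proves the resource exists, and redirects are deliberately not followed so that a 301/302 on a guessed name shows up as a finding rather than being silently resolved to the login page.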
What is Firebug?
Firebug is a free and open-source web browser extension for Firefox, with a lighter "Firebug Lite" version for Chrome. Although not strictly speaking a hacking tool, Firebug helps the penetration tester understand how a site's client-side technologies work, which in turn helps them find holes that might be exploitable.
Is Firebug Free?
Yes, Firebug is free.
Does Firebug Work on all Operating Systems?
Works on Linux, Microsoft Windows and Mac OS X.
What are the Typical Uses for Firebug?
Firebug is used to inspect and live-edit a page's HTML and CSS, to debug JavaScript with breakpoints, and to watch the network requests, headers and cookies a page sends. For a tester this is where hidden form fields, client-side-only validation and API calls worth tampering with become visible.
What is Grendel Scan?
The Grendel-Scan project does not appear to be actively maintained, but the version still available for download performs automated security scanning of web applications. Many of Grendel-Scan's features are also useful for manual pentesting.
Is Grendel Scan Free?
Grendel Scan is free of charge.
Does Grendel Scan Work on all Operating Systems?
It works on Linux, Mac OS X and Windows.
What are the Typical Uses for Grendel Scan?
This open source hacking tool is primarily used to test web applications by detecting common web application vulnerabilities.
What is HP Webinspect?
WebInspect is another web application security assessment tool that helps identify known and unknown vulnerabilities within the web application layer. It can also check whether a web server is configured properly. The tool was originally produced by SPI Dynamics, which is now part of Hewlett-Packard (HP).
Is HP Webinspect Free?
No, this is a commercial tool, though free trial versions may be offered.
Does HP Webinspect Work on all Operating Systems?
It works on Windows operating systems.
What are the Typical Uses for HP Webinspect?
This tool is used to identify vulnerabilities within web applications. Users can also use it to attack web applications with parameter injection, directory traversal, cross-site scripting and much more.
What is Netsparker?
Netsparker places itself in the "Web Application Security Scanner" category of hacking tools: it is designed to discover and audit web application vulnerabilities such as SQL injection and cross-site scripting (XSS). Netsparker scans web applications and websites regardless of the operating system and/or technology they are built on.
Netsparker is used by professionals in the cybersecurity space and is considered by many to be easy to use. Its developers claim a "unique detection and safe exploitation technique" that yields accurate reporting, and they are confident enough to label the product the "first and only False Positive Free web vulnerability scanner"; like any vendor claim, that is worth validating against your own manual findings.
Is Netsparker Free?
No, Netsparker is a paid tool.
Does Netsparker Work on all Operating Systems?
Netsparker is a Windows-only tool.
What are the Typical Uses for Netsparker?
Typical uses include advanced scanning, proof-based scanning (the scanner confirms a finding by safely exploiting it) and web services scanning, which matters as ever more communication between networks, applications and web-based devices runs over web APIs. It is also used to report vulnerabilities with a high degree of accuracy and specificity, and it can actively exploit the vulnerabilities it finds.
What is Nikto Website Vulnerability Scanner?
Nikto is an open-source web server scanner that tests for over 6,700 potentially dangerous files and programs on web servers. It also checks for over 1,250 outdated server versions and for version-specific problems on over 270 servers. Aside from that, it checks server configuration items such as the presence of multiple index files and HTTP server options, and it tries to identify installed software and web servers. Plugins and scan items are frequently updated and can be updated automatically.
Although it is not designed to be a stealthy tool, it tests web servers in the shortest time possible. Nonetheless, it supports LibWhisker's anti-IDS methods should you want to try them, for example to test your own IDS.
Not every check is a security problem, though most are. Some are "info only" checks that look for things that are not security flaws in themselves but that a webmaster or security engineer may not know are present on the server; Nikto marks these appropriately in the information it prints. There are also checks for unknown items that have been seen being scanned for in log files.
Is Nikto Website Vulnerability Scanner Free?
Yes, this tool is free to use, and many pentesters like it a lot.
Does Nikto Website Vulnerability Scanner Work on all Operating Systems?
Since Nikto is a Perl-based security testing tool, it runs on most systems with a Perl interpreter installed.
What are the Typical Uses for Nikto Website Vulnerability Scanner?
Even though this scanner is free, it has a lot of features. These include SSL support, full HTTP proxy support, checks for outdated server components, reports saved in various formats (XML, HTML, CSV or NBE), easy report customisation using a template engine, scanning of multiple ports on a server or of multiple servers via an input file, identification of installed software via headers, files and favicons, host authentication with NTLM and Basic, checks for common "parking" sites, auto-pause at a specified time and much more.
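As an added illustration of two of the checks listed above, identifying installed software from the Server header and from the favicon hash, and flagging outdated components, here is a Python sketch that is not Nikto's code. The version thresholds and favicon fingerprints are constructed for the example and are not Nikto's database.

```python
"""Software identification and version checks in the style of Nikto (added example,
not Nikto's code). Nikto reads the Server header and hashes the favicon to name the
software, then flags outdated components. The version table and favicon fingerprints
here are constructed for the demonstration and are not Nikto's database.
"""
import hashlib
import re

# Constructed: product -> lowest version this demo treats as current.
MIN_VERSIONS = {
    "Apache": (2, 4, 27),
    "nginx": (1, 12, 1),
    "PHP": (7, 1, 9),
}

# Constructed favicon fingerprints: MD5 of the icon bytes -> software that ships it.
FAVICON_DB = {
    hashlib.md5(b"constructed-wordpress-favicon").hexdigest(): "WordPress",
    hashlib.md5(b"constructed-joomla-favicon").hexdigest(): "Joomla",
}

# Matches "name/1.2.3" tokens; parenthesised comments such as "(CentOS)" are skipped.
TOKEN_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)/(\d+(?:\.\d+)*)")


def fmt_version(version):
    return ".".join(str(part) for part in version)


def parse_server_header(value):
    """Return [(product, version tuple)] from a header such as
    'Apache/2.2.15 (CentOS) PHP/5.3.3'. A bare 'Apache' carries no version."""
    return [(name, tuple(int(p) for p in ver.split(".")))
            for name, ver in TOKEN_RE.findall(value)]


def outdated_components(server_header):
    """Compare each disclosed component against MIN_VERSIONS.

    Returns (kind, message) pairs: 'outdated' when the version is below the
    table, 'info' when the product is unknown or the patch level is withheld."""
    findings = []
    for name, version in parse_server_header(server_header):
        minimum = MIN_VERSIONS.get(name)
        if minimum is None:
            findings.append(("info", f"{name} {fmt_version(version)}: not in version table"))
            continue
        # Only compare the components the server actually disclosed: "Apache/2.4"
        # is neither proven current nor proven outdated against 2.4.27.
        depth = min(len(version), len(minimum))
        if version[:depth] < minimum[:depth]:
            findings.append(("outdated",
                             f"{name} {fmt_version(version)} is below {fmt_version(minimum)}"))
        elif len(version) < len(minimum):
            findings.append(("info",
                             f"{name} {fmt_version(version)}: patch level not disclosed"))
    return findings


def identify_favicon(icon_bytes):
    """Nikto-style favicon check: hash the icon and look the digest up."""
    return FAVICON_DB.get(hashlib.md5(icon_bytes).hexdigest())


def fingerprint(server_header, icon_bytes=None):
    """Combine both checks into one report for a response."""
    return {"components": outdated_components(server_header),
            "favicon": identify_favicon(icon_bytes) if icon_bytes else None}


if __name__ == "__main__":
    # Constructed response details for the demo.
    result = fingerprint("Apache/2.2.15 (CentOS) PHP/5.3.3 mod_ssl/2.2.15",
                         b"constructed-wordpress-favicon")
    print("favicon:", result["favicon"])
    for kind, message in result["components"]:
        print(f"[{kind}] {message}")
```

The "info" results mirror Nikto's "info only" items described earlier: an unknown module or a server that hides its patch level is not a vulnerability in itself, but it is something the administrator should know the server is disclosing.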
What is Paros Proxy?
Paros Proxy is a Java-based web proxy used for assessing vulnerabilities in web applications. It supports viewing and editing HTTP/HTTPS messages to change items such as form fields and cookies. It also has a web traffic recorder, a hash calculator, a web spider and a scanner for testing common web application attacks such as cross-site scripting and SQL injection.
Is Paros Proxy Free?
Paros Proxy is totally free.
Does Paros Proxy Work on all Operating Systems?
Paros Proxy works on Linux, Windows and Mac OS X.
What are the Typical Uses for Paros Proxy?
Paros Proxy is created for users who need to evaluate their web applications’ security. It has the ability to intercept and modify HTTP and HTTPS data between a server and client.
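Both Burp Suite (described earlier) and Paros Proxy let the tester edit an intercepted request before it reaches the server. The following added Python example, which is not code from either project, shows the mechanics on a constructed request: parse the raw HTTP message, rewrite a cookie and a form field, and reserialize it with a recomputed Content-Length, the step that is easy to forget when editing by hand and that a proxy does for you.

```python
"""Editing an intercepted HTTP request, as Paros Proxy or Burp Suite let a tester do
(added example, not code from either project). The request is constructed. The
point worth seeing is that after a cookie or form field changes, Content-Length
must be recomputed or the server reads a truncated or over-long body.
"""
from urllib.parse import parse_qsl, urlencode


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name, default=None):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return default


def set_header(headers, name, value):
    """Replace a header in place (case-insensitive, order kept); append if absent."""
    out, replaced = [], False
    for n, v in headers:
        if n.lower() == name.lower():
            if not replaced:
                out.append((n, value))
                replaced = True
        else:
            out.append((n, v))
    if not replaced:
        out.append((name, value))
    return out


def set_cookie(headers, cookie_name, cookie_value):
    """Rewrite one cookie in the Cookie header and leave the others untouched."""
    jar = []
    for part in get_header(headers, "Cookie", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            jar.append((k, v))
    jar = [(k, cookie_value if k == cookie_name else v) for k, v in jar]
    if cookie_name not in dict(jar):
        jar.append((cookie_name, cookie_value))
    return set_header(headers, "Cookie", "; ".join(f"{k}={v}" for k, v in jar))


def set_form_field(body: bytes, field, value):
    """Rewrite one field of an application/x-www-form-urlencoded body."""
    fields = parse_qsl(body.decode("ascii"), keep_blank_values=True)
    fields = [(k, value if k == field else v) for k, v in fields]
    if field not in dict(fields):
        fields.append((field, value))
    return urlencode(fields).encode("ascii")


def serialize(request_line, headers, body):
    """Reassemble the request; Content-Length always matches the (new) body."""
    headers = set_header(headers, "Content-Length", str(len(body)))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def tamper(raw, cookie=None, form=None):
    """Apply an optional (name, value) cookie change and form-field change."""
    request_line, headers, body = parse_request(raw)
    if cookie:
        headers = set_cookie(headers, *cookie)
    if form:
        body = set_form_field(body, *form)
    return serialize(request_line, headers, body)


# Constructed request, as a browser would send it through the intercepting proxy.
ORIGINAL = (
    b"POST /account/update HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n"
    b"Cookie: session=abc123; role=user\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"user_id=1042&tier=free"
)

if __name__ == "__main__":
    # Escalate the role cookie and point the update at another user's record.
    print(tamper(ORIGINAL, cookie=("role", "admin"), form=("user_id", "1")).decode())
```

The two edits in the demo (changing `role=user` to `role=admin`, and `user_id` to another account) are exactly the kind of privilege-escalation and access-control tests a proxy makes easy; whether the server honours them is the finding.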