Discover powerful open-source tools for finding and fixing security issues in web applications. From detecting SQL injection to cross-site scripting, this collection provides essential resources for safeguarding your online projects. Download these tools to strengthen your website's security today.
The tools listed in this repository are provided for educational and informational purposes only. While they can help identify potential security vulnerabilities in web applications, it's essential to use them responsibly and ethically.
By downloading or using any of the tools listed in this repository, you agree that:
- You will only use them on web applications and systems for which you have explicit permission to test.
- You will not use them for any illegal, unethical, or malicious activities, including but not limited to unauthorized access to systems or data.
- You understand that improper use of these tools may result in legal consequences.
The maintainers of this repository are not responsible for any misuse or illegal activity conducted with the tools provided herein. Use them at your own risk and discretion.
Grabber is a web application scanner that can detect many security vulnerabilities in web applications. It scans the target and reports where each vulnerability exists. It performs the following checks:
- Cross-site scripting
- SQL injection
- Ajax testing
- File inclusion
- JS source code analyzer
- Backup file check
Vega is another free open-source web vulnerability scanner and testing platform. With this tool, you can perform security testing of a web application. This tool is written in Java and offers a GUI-based environment. It is available for OS X, Linux, and Windows. It can be used to find SQL injection, header injection, directory listing, shell injection, cross-site scripting, file inclusion, and other web application vulnerabilities. This tool can also be extended using a powerful API written in JavaScript.
Zed Attack Proxy, also known as ZAP, is an open-source tool developed by OWASP. It is available for Windows, Unix/Linux, and Macintosh platforms. Its main features include:
- Intercepting proxy
- Automatic scanner
- Traditional but powerful spiders
- Fuzzer
- WebSocket support
- Plug-n-hack support
- Authentication support
- REST-based API
- Dynamic SSL certificates
- Smartcard and client digital certificates support
Wapiti is a web vulnerability scanner that lets you audit the security of your web applications. It performs black-box testing by crawling web pages and injecting data: it submits payloads and checks whether a script is vulnerable. It supports both GET and POST HTTP attacks and can detect the following vulnerabilities:
- File disclosure
- File inclusion
- Cross-site scripting (XSS)
- Command execution detection
- CRLF injection
- SQL injection and XPath injection
- Weak .htaccess configuration
- Backup file disclosure
- Many others
W3af is a popular web application attack and audit framework. This framework aims to provide a better web application penetration testing platform. It was developed using Python. By using this tool, you will be able to identify more than 200 kinds of web application vulnerabilities including SQL injection, cross-site scripting, and many others.
WebScarab is a Java-based security framework for analyzing web applications that use the HTTP or HTTPS protocol. With the available plugins, you can extend the functionality of the tool.
Skipfish is another nice web application security tool. It crawls the website and then checks each page for various security threats. At the end, it prepares the final report.
Ratproxy is an open-source web application security audit tool which can be used to find security vulnerabilities in web applications. It supports Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.
SQLMap is another popular open-source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerabilities in a website’s database. It has a powerful detection engine and many useful features. This way, a penetration tester can easily perform an SQL injection check on a website.
Wfuzz is another freely available open-source tool for web application penetration testing. It can be used to brute-force GET and POST parameters to test for various kinds of injection, such as SQL, XSS, LDAP, and many others. It also supports cookie fuzzing, multi-threading, SOCKS and HTTP proxies, authentication, parameter brute-forcing, multiple proxies, and many other things.
Grendel-Scan is another nice open-source web application security tool. This is an automatic tool for finding security vulnerabilities in web applications. Many features are also available for manual penetration testing. This tool is available for Windows, Linux, and Macintosh and was developed in Java.
Watcher is a passive web security scanner. It does not attack with loads of requests or crawl the target website. It is not a separate tool but an add-on of Fiddler, so you need to install Fiddler first and then install Watcher to use it.
Arachni is an open-source tool developed to provide a penetration testing environment. It can detect various web application security vulnerabilities, including SQL injection, XSS, local file inclusion, remote file inclusion, unvalidated redirects, and many others.
- LICENSE: This project is licensed under the terms of the MIT License.
- CONTRIBUTING.md: Learn how to contribute to this project and participate in its development.
- CODE_OF_CONDUCT.md: Read our code of conduct to understand the standards of behavior expected in this project's community.