Web Application Security Tools & Scanner Applications

Web Application SecurityA web application security scanner is program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike source code scanners, web application scanners don’t have access to the source code and therefore detect vulnerabilities by actually performing attacks.

A web application security scanner can facilitate the automated review of a web application with the expressed purpose of discovering security vulnerabilities, and are required to comply with various regulatory requirements. Like every testing tools, the web application security scanner is not a perfect tool, it has strength and weaknesses. Web application scanners can look for a wide variety of vulnerabilities, including:

  • Input/Output validation: (Cross-site scripting, SQL Injection, etc.)
  • Specific application problems
  • Server configuration mistakes/errors/version

The following list of products and tools provide web application security scanner functionality.

Commercial Tools

  • Acunetix WVS by Acunetix
  • AppScan by IBM
  • Burp Suite Professional by PortSwigger
  • Hailstorm by Cenzic
  • MileScan Web Security Auditor by MileSCAN Technologies
  • N-Stalker by N-Stalker
  • Nessus by Tenable Network Security
  • NetSparker by Mavituna Security
  • NeXpose by Rapid7
  • NTOSpider by NTObjectives
  • Retina Web Security Scanner by eEye Digital Security
  • WebApp360 by nCircle
  • WebInspect by HP
  • WebKing by Parasoft

SAAS (Software As A Service) Providers

  • AppScan OnDemand by IBM
  • ClickToSecure by Cenzic
  • QualysGuard Web Application Scanning by Qualys
  • Sentinel by WhiteHat
  • Veracode Web Application Security by Veracode
  • WebInspect by HP
  • WebScanService by Elanize KG

Free Open Source Tools

  • Grabber by Romain Gaucher
  • Grendel-Scan by David Byrne and Eric Duprey
  • Paros by Chinotec
  • Powerfuzzer by Marcin Kozlowski
  • SecurityQA Toolbar by iSEC Partners
  • W3AF by Andres Riancho
  • Wapiti by Nicolas Surribas