Vulnerability Scanning Tools


Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP Benchmark project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.

Here we provide a list of vulnerability scanning tools currently available in the market.

Disclaimer: The tools listing in the table below are presented in alphabetical order. OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below.

OWASP is aware of the Web Application Vulnerability Scanner Evaluation Project (WAVSEP). WAVSEP is completely unrelated to OWASP and we do not endorse its results, nor any of the DAST tools it evaluates. However, the results provided by WAVSEP may be helpful to someone interested in researching or selecting free and/or commercial DAST tools for their projects. This project has far more detail on DAST tools and their features than this OWASP DAST page.

Tools Listing

Name/Link Owner License Platforms Note
Abbey Scan MisterScanner Free SaaS
Acunetix Acunetix Commercial Windows, Linux, MacOS Free (Limited Capability)
App Scanner Trustwave Commercial Windows
AppCheck Ltd. AppCheck Ltd. Commercial SaaS Free trial scan available
AppScan HCL Software Commercial Windows
AppScan on Cloud HCL Software Commercial SaaS
AppSpider Rapid7 Commercial Windows
AppTrana Website Security Scan AppTrana Free SaaS
Arachni Arachni Free Most platforms supported Free for most use cases
BREACHLOCK Dynamic Application Security Testing BREACHLOCK Commercial SaaS
BlueClosure BC Detect BlueClosure Commercial Most platforms supported 2 week trial
Burp Suite PortSwiger Commercial Most platforms supported Free (Limited Capability)
Contrast Contrast Security Commercial SaaS or On-Premises Free (Full featured for 1 App)
Crashtest Security Crashtest Security Commercial SaaS or On-Premises
Cyber Chief Audacix Commercial SaaS or On-Premises
Detectify Detectify Commercial SaaS
Digifort- Inspect Digifort Commercial SaaS
Edgescan Edgescan Commercial SaaS
GamaScan GamaSec Commercial Windows
GoLismero GoLismero Team Open Source Windows, Linux and Macintosh GPLv2.0
Grabber Romain Gaucher Open Source Python 2.4, BeautifulSoup and PyXML
Gravityscan Defiant, Inc. Commercial SaaS Free (Limited Capability)
Grendel-Scan David Byrne Open Source Windows, Linux and Macintosh Commercial SaaS Free Forever
IKare ITrust Commercial N/A
ImmuniWeb High-Tech Bridge Commercial SaaS Free (Limited Capability)
Indusface Web Application Scanning Indusface Commercial SaaS Free trial available
InsightVM Rapid7 Commercial SaaS Free trial available
Intruder Intruder Ltd. Commercial
K2 Security Platform K2 Cyber Security Commercial SaaS/On-Premise Free trial available
N-Stealth N-Stalker Commercial Windows
Nessus Tenable Commercial Windows
Netsparker Netsparker Commercial Windows
Nexpose Rapid7 Commercial Windows/Linux Free (Limited Capability)
Nikto CIRT Open Source Unix/Linux
Probely Probely Commercial SaaS Free (Limited Capability) Websecurify Commercial Macintosh
QualysGuard Qualys Commercial N/A
Retina BeyondTrust Commercial Windows
Ride (REST JSON Payload fuzzer) Adobe, Inc. Open Source Linux / Mac / Windows Apache 2
SOATest Parasoft Commercial Windows / Linux / Solaris
Sec-helpers VWT Digital Open Source or Free N/A
SecPoint Penetrator SecPoint Commercial N/A
Securus Orvant, Inc Commercial N/A
Sentinel WhiteHat Security Commercial N/A
StackHawk StackHawk Commercial SaaS
Tinfoil Security Tinfoil Security, Inc. Commercial SaaS or On-Premises Free (Limited Capability)
Trustkeeper Scanner Trustwave SpiderLabs Commercial SaaS
Vega Subgraph Open Source Windows, Linux and Macintosh
Vex UBsecure Commercial Windows
WPScan WPScan Team Commercial Linux and Mac Free options
Wapiti Informática Gesfor Open Source Windows, Unix/Linux and Macintosh
Web Security Scanner DefenseCode Commercial On-Premises
WebApp360 TripWire Commercial Windows
WebCookies WebCookies Free SaaS
WebInspect Micro Focus Commercial Windows
WebReaver Websecurify Commercial Macintosh
WebScanService German Web Security Commercial N/A
Websecurify Suite Websecurify Commercial Windows, Linux, Macintosh Free (Limited Capability)
Wikto Sensepost Open Source Windows
Zed Attack Proxy OWASP Open Source Windows, Unix/Linux, and Macintosh Apache-2.0
beSECURE (formerly AVDS) Beyond Security Commercial SaaS Free (Limited Capability)
w3af Open Source Linux and Mac GPLv2.0