Home page logo
/

SecTools.Org: Top 125 Network Security Tools

For more than a decade, the Nmap Project has been cataloguing the network security community's favorite tools. In 2011 this site became much more dynamic, offering ratings, reviews, searching, sorting, and a new tool suggestion form. This site allows open source and commercial tools on any platform, except those tools that we maintain (such as the Nmap Security Scanner, Ncat network connector, and Nping packet manipulator).

We're very impressed by the collective smarts of the security community and we highly recommend reading the whole list and investigating any tools you are unfamiliar with. Click any tool name for more details on that particular application, including the chance to read (and write) reviews. Many site elements are explained by tool tips if you hover your mouse over them. Enjoy!

Filtering by tag:

remove filters
Sort by: popularity rating release date

20 tools

(13) ★★★★★ Burp Suite (#13, 63)

Burp Suite is an integrated platform for attacking web applications. It contains a variety of tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All of the tools share the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility. There is a limited free version and also Burp Suite Professional ($299 per user per year). Read 15 reviews.

Latest release: version 1.4.01 on June 3, 2011 (3 years, 4 months ago).

(8) ★★★½ Nikto (#14, 2)

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. Read 12 reviews.

Latest release: version 2.1.4 on Feb. 20, 2011 (3 years, 8 months ago).

(14) ★★★½ w3af (#18, new!)

W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit. Read 16 reviews.

Latest release: version 1.1 on Oct. 11, 2011 (3 years ago).

(1) Paros proxy (#24, 8)

A Java-based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting. Read 3 reviews.

Latest release: version 3.2.13 on Aug. 8, 2006 (8 years, 2 months ago).

no rating WebScarab (#28, 7)

In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented. Read 1 review.

Latest release: version 20100820-1632 on Aug. 20, 2010 (4 years, 2 months ago).

(7) ★★★★½ sqlmap (#30, new!)

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end database servers. It comes with a broad range of features, from database fingerprinting to fetching data from the DB and even accessing the underlying file system and executing OS commands via out-of-band connections. The authors recommend using the development release from their Subversion repository. Read 9 reviews.

Latest release: version 0.9 on April 11, 2011 (3 years, 6 months ago).

(2) ★★★★½ skipfish (#39, new!)

skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments. Read 2 reviews.

Latest release: version 2.10b on Dec. 4, 2012 (1 year, 10 months ago).

(3) ★★★★ Acunetix WVS (#41, 55)

Acunetix WVS (web vulnerability scanner) automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, and weak password strength on authentication pages. It boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing. Read 4 reviews.

(2) ★★★★ AppScan (#47, 51)

AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. AppScan was merged into IBM's Rational division after IBM purchased its original developer (Watchfire) in 2007. Read 2 reviews.

Latest release: version 8.5 on Nov. 15, 2011 (2 years, 11 months ago).

(4) ★★★★★ Netsparker (#75, new!)

Netsparker is a web application security scanner, with support for both detection and exploitation of vulnerabilities. It aims to be false positive–free by only reporting confirmed vulnerabilities after successfully exploiting or otherwise testing them. Read 4 reviews.

Latest release: version 1.8.3.3 on Feb. 10, 2011 (3 years, 8 months ago).

(3) ★★★ HP WebInspect (#76, 36)

WebInspect is a web application security assessment tool that helps identify known and unknown vulnerabilities within the Web application layer. It can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more. It was produced by Spidynamics, which is now part of HP. Read 3 reviews.

Latest release: version 9.10 on June 27, 2011 (3 years, 3 months ago).

no rating Wikto (#83, 1)

Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code. Review this tool.

Latest release: version 2.1.0.0 on Dec. 14, 2008 (5 years, 10 months ago).

(3) ★★★★★ Samurai Web Testing Framework (#87, new!)

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. Samurai includes many other tools featured in this list, such as WebScarab, ratproxy, w3af, Burp Suite, and BeEF. Read 4 reviews.

Latest release: version 0.9.9 on Aug. 13, 2011 (3 years, 2 months ago).

(4) ★★★★★ Firebug (#89, new!)

Firebug is an add-on for Firefox that provides access to browser internals. It features live editing of HTML and CSS, a DOM viewer, and a JavaScript debugger. Web application security testers appreciate the ability to see what's happening behind the scenes of the browser. Read 4 reviews.

Latest release: version 1.12.7 on March 5, 2014 (7 months, 3 weeks ago).

no rating ratproxy (#96, new!)

Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments. Read 1 review.

Latest release: version 1.58 beta on May 1, 2009 (5 years, 5 months ago).

(4) ★★★★ Websecurify (#102, new!)

Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies. Read 4 reviews.

Latest release: version 1.0.2 on Jan. 15, 2012 (2 years, 9 months ago).

no rating Grendel-Scan (#106, new!)

Grendel-Scan is an open-source web application security testing tool. It has automated testing module for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests. Review this tool.

Latest release: version 1.1.

(1) ★★★★★ DirBuster (#112, new!)

DirBuster searches for hidden pages and directories on a web server. Sometimes developers will leave a page accessible, but unlinked; DirBuster is meant to find these potential vulnerabilities. This is a Java application developed by OWASP. Read 2 reviews.

Latest release: version 2.0-RC1 on March 3, 2009 (5 years, 7 months ago).

no rating Wfuzz (#114, new!)

Wfuzz is a tool for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforcing GET and POST parameters for different kinds of injections (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, and more. Review this tool.

Latest release: version 2.0 on Aug. 4, 2011 (3 years, 2 months ago).

(1) ★★ Wapiti (#121, new!)

Wapiti allows you to audit the security of your web applications. It performs "black-box" scans; i.e., it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable. Read 2 reviews.

Latest release: version 2.2.1 on Dec. 29, 2009 (4 years, 9 months ago).

20 tools

Categories

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]