SecTools.Org: Top 125 Network Security Tools
For more than a decade, the Nmap Project has been cataloguing the network security community's favorite tools. In 2011 this site became much more dynamic, offering ratings, reviews, searching, sorting, and a new tool suggestion form. This site allows open source and commercial tools on any platform, except those tools that we maintain (such as the Nmap Security Scanner, Ncat network connector, and Nping packet manipulator).
We're very impressed by the collective smarts of the security community and we highly recommend reading the whole list and investigating any tools you are unfamiliar with. Click any tool name for more details on that particular application, including the chance to read (and write) reviews. Many site elements are explained by tool tips if you hover your mouse over them. Enjoy!
Tools 1–10 of 20 next page →
(19) ★★★★½ Burp Suite (#13, 63)
Burp Suite is an integrated platform for attacking web applications. It contains a variety of tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All of the tools share the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility. There is a limited free version and also Burp Suite Professional ($299 per user per year). Read 22 reviews.
Latest release: version 1.4.01 on June 3, 2011 (11 years, 10 months ago).
(10) ★★★★½ Nikto (#14, 2)
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. Read 15 reviews.
Latest release: version 2.1.4 on Feb. 20, 2011 (12 years, 1 month ago).
(15) ★★★½ w3af (#18, new!)
W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit. Read 18 reviews.
Latest release: version 1.1 on Oct. 11, 2011 (11 years, 5 months ago).
(2) ★★½ Paros proxy (#24, 8)
A Java-based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting. Read 6 reviews.
Latest release: version 3.2.13 on Aug. 8, 2006 (16 years, 7 months ago).
(1) ★★★★★ WebScarab (#28, 7)
In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented. Read 2 reviews.
Latest release: version 20100820-1632 on Aug. 20, 2010 (12 years, 7 months ago).
(9) ★★★★½ sqlmap (#30, new!)
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end database servers. It comes with a broad range of features, from database fingerprinting to fetching data from the DB and even accessing the underlying file system and executing OS commands via out-of-band connections. The authors recommend using the development release from their Subversion repository. Read 11 reviews.
Latest release: version 0.9 on April 11, 2011 (11 years, 11 months ago).
(2) ★★★★½ skipfish (#39, new!)
skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments. Read 2 reviews.
Latest release: version 2.10b on Dec. 4, 2012 (10 years, 3 months ago).
(5) ★★★½ Acunetix (#41, 55)
Acunetix is a web vulnerability scanner that automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, and weak password strength on authentication pages. It boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing. Read 8 reviews.
Latest release: version 11 on Nov. 16, 2016 (6 years, 4 months ago).
(2) ★★★★ AppScan (#47, 51)
AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. AppScan was merged into IBM's Rational division after IBM purchased its original developer (Watchfire) in 2007. Read 2 reviews.
Latest release: version 8.5 on Nov. 15, 2011 (11 years, 4 months ago).
(5) ★★★★★ Netsparker (#75, new!)
Netsparker is a web application security scanner, with support for both detection and exploitation of vulnerabilities. It aims to be false positive–free by only reporting confirmed vulnerabilities after successfully exploiting or otherwise testing them. Read 6 reviews.
Latest release: version 188.8.131.52 on Feb. 10, 2011 (12 years, 1 month ago).
Tools 1–10 of 20 next page →
- Antimalware (3)
- Application-specific scanners (3)
- Web browser–related (4)
- Encryption tools (8)
- Debuggers (5)
- Firewalls (2)
- Forensics (4)
- Fuzzers (4)
- General-purpose tools (8)
- Intrusion detection systems (6)
- Packet crafting tools (6)
- Password auditing (12)
- Port scanners (4)
- Rootkit detectors (5)
- Security-oriented operating systems (5)
- Packet sniffers (14)
- Vulnerability exploitation tools (11)
- Traffic monitoring tools (10)
- Vulnerability scanners (11)
- Web proxies (4)
- Web vulnerability scanners (20)
- Wireless tools (5)