The top 11 web application vulnerability scanners with self-hosting and automation
chrdek

Publish Date: May 25

As part of improving your web app's or blog's overall security posture, I have put together a simplified list of my top 11 choices for software developers and security testers: tools that can measure, or take preventive action against, specific known vulnerabilities.

Note: This is not meant to be an exhaustive or final list, since there is a multitude of security vulnerabilities and zero-day exploits circulating freely on the web that allow anyone to break into your web app. It is only a list of my own choosing; feel free to add anything that is missing from it.

If you take a layered view of network security, I will only be focusing on the layers that the web application parts reference. See the OSI layered model below:

[image: osi_model, the seven-layer OSI model]

Since this list is mainly focused on open-source DAST and SAST vulnerability tools, the relevant infrastructure parts covered are the top three OSI layers (session, presentation and application), which are the ones relevant to web application testing and which affect OS resources directly or indirectly. See the image below:

[image: osi_model_targeted, the OSI model with the session, presentation and application layers highlighted]

The DAST and SAST tools in the list below mainly scan and assess the highlighted OSI layers only. (Some may also touch the lower layers, with port probing or ping sweeps for example, but not as their main job.)

1. Greenbone (formerly OpenVAS) Community Edition + Kali Linux

The installation and setup process is pretty straightforward, but it only runs on one platform, Linux (Kali Linux in this case, where it is packaged). A plus is the Docker-based deployment it offers for the self-hosted parts (the Greenbone Community Containers), with a web UI included. Minimum hardware requirements are only 2 CPU cores and 4 GB of RAM, so it can easily be set up on small or legacy hardware if you intend to build from source and/or install the components separately. Keep in mind that Greenbone is first and foremost a network and host vulnerability scanner: it tests the web layer through its web-specific checks rather than by crawling your application the way a dedicated DAST tool does.

 
 

2. ZAProxy

Provides a good knowledge base and solid online documentation. ZAP is a perennial favourite for both security testers and web app developers. It also allows good automation through its built-in spider, its packaged scan scripts (baseline, full and API scans) and the Automation Framework, where a whole scan plan is described in a YAML file. It still needs to be set up manually on the OSes it supports (including Windows, Linux and macOS), and it also ships its own Docker images.
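As an added example of wiring ZAP into a pipeline (this is not code from the original post or from the ZAP project), the Python script below builds the docker command for a baseline scan, runs it, and then applies its own risk threshold to the JSON report instead of relying on the scan script's exit status. It assumes Docker is installed and uses the published ghcr.io/zaproxy/zaproxy:stable image; the flags used (-t target, -J JSON report) are zap-baseline.py's documented options, and the embedded sample report is constructed, not real scan output.

```python
"""Run a ZAP baseline scan from CI and gate the job on the JSON report.

Added example; not code from the original post or the ZAP project.
Assumes Docker is available and uses the published ghcr.io/zaproxy/zaproxy image;
the report layout follows ZAP's JSON report (site -> alerts -> instances).
"""
import json
import subprocess
import sys
from pathlib import Path

# Risk codes as emitted in ZAP reports: 0 Informational, 1 Low, 2 Medium, 3 High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def zap_baseline_command(target, report_name="zap-report.json", workdir="."):
    """Build the docker command line for a baseline (passive, spider-driven) scan.

    Flags: -t target URL, -J JSON report written under /zap/wrk (the mounted workdir).
    """
    if not target.startswith(("http://", "https://")):
        raise ValueError("target must be an absolute http(s) URL")
    return [
        "docker", "run", "--rm",
        "-v", f"{Path(workdir).resolve()}:/zap/wrk/:rw",
        "ghcr.io/zaproxy/zaproxy:stable",
        "zap-baseline.py", "-t", target, "-J", report_name,
    ]


def summarize_report(report):
    """Return (counts per risk level, list of (risk, alert name, instance count))."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert["riskcode"])
            counts[RISK_NAMES[risk]] += 1
            alerts.append((risk, alert["alert"], len(alert.get("instances", []))))
    return counts, alerts


def should_fail(report, fail_at=2):
    """True if any alert is at or above the given risk code (default 2 = Medium)."""
    _, alerts = summarize_report(report)
    return any(risk >= fail_at for risk, _, _ in alerts)


def run_and_gate(target, fail_at=2, workdir="."):
    """Run the scan, parse the report it wrote, and return a CI exit status."""
    cmd = zap_baseline_command(target, workdir=workdir)
    # zap-baseline.py itself exits non-zero on WARN/FAIL; we apply our own threshold instead.
    subprocess.run(cmd, check=False)
    report = json.loads((Path(workdir) / "zap-report.json").read_text())
    counts, alerts = summarize_report(report)
    for risk, name, n in sorted(alerts, reverse=True):
        print(f"[{RISK_NAMES[risk]:>13}] {name} ({n} instance(s))")
    print("summary:", counts)
    return 1 if should_fail(report, fail_at) else 0


# Constructed sample report (not real scan output) in ZAP's JSON report layout.
SAMPLE_REPORT = json.loads("""
{
  "@version": "2.15.0",
  "site": [{
    "@name": "http://app.example.test",
    "alerts": [
      {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
       "riskcode": "2", "confidence": "3",
       "instances": [{"uri": "http://app.example.test/", "method": "GET"},
                     {"uri": "http://app.example.test/login", "method": "GET"}]},
      {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
       "riskcode": "1", "confidence": "2",
       "instances": [{"uri": "http://app.example.test/", "method": "GET"}]}
    ]
  }]
}
""")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(run_and_gate(sys.argv[1]))
    print("no target given; evaluating the constructed sample report instead")
    print(summarize_report(SAMPLE_REPORT)[0], "fail:", should_fail(SAMPLE_REPORT))
```

zap-baseline.py exits non-zero on its own when it finds WARN-level alerts; pass -I if you want it to ignore warnings and let the threshold in run_and_gate decide, or use its -c config file to set per-rule PASS/WARN/FAIL/IGNORE actions. For an active scan, swap in zap-full-scan.py (or zap-api-scan.py with an OpenAPI/GraphQL definition); the same report handling applies.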

 
 

3. Escape Technologies DAST Scanner (by escape.tech)

Includes the most commonly used vulnerability scanning capabilities and also supports GraphQL and other forms of API endpoint security testing. It also has a CLI tool, so most testing and reporting can easily be automated on any hosted instance (Windows or Linux).

 
 

4. Burp Suite DAST, self-hosted (by PortSwigger)

One of the most popular vulnerability scanners, with setup support for most Windows versions (including Server editions) and Linux. It is also available as a Docker and Kubernetes deployment. Minimum requirements mainly depend on how many scan tasks run simultaneously; the stated baseline is 2 CPU cores with 8 GB of RAM. In terms of automating Burp tasks, the self-hosted edition exposes an API for triggering scans from CI pipelines, and Burp also provides small Java snippets known as 'Bambdas', as stated on their website, which can be imported to extend and customize the standard pre-bundled filters and actions.

 
 

5. w3af Scanner

Another non-proprietary security scanner, written entirely in Python and driven from the command line (a GUI exists as well). This helps with automation and lets you use it any way you need. It is supported on most Linux platforms and Unix-based systems (macOS, Kali Linux), with partial setup support for Windows. It can also be pulled as a Docker image and allows plenty of plugin and payload customization when run. Be aware that w3af targets Python 2.7 and has not seen an active release for several years, so expect some friction setting it up on a current distribution.

 
 

6. Nikto Scanner

A Perl-based open-source web server scanner that ships with roughly 7,000 checks for potentially dangerous files and programs, outdated server versions and version-specific problems. It is installable on most *nix systems, on Windows as a zipped binary (Perl required), and from the provided Dockerfile. Nikto allows fine-tuned settings on the command line while it runs its built-in checks, for example -Tuning to select check categories, -Plugins to pick plugins and -Format to choose the report format, which gives you more flexibility. Note that Nikto makes no attempt at stealth: expect its scans to show up loudly in the target's logs and in any WAF in front of it. Besides the detailed usage guide in the GitHub wiki, its website hosts a searchable database of default passwords used by known vendors.

 
 

7. Brakeman Scanner

A less popular option, and one of the few SAST tools in this list, is Brakeman. Brakeman is another free vulnerability scanner designed for Ruby on Rails web applications. It statically analyzes Rails application code to detect security issues during development, without needing to run the app. It runs from a single gem on most platforms, can emit machine-readable output (for example -f json) and exits non-zero when warnings are found, which makes it straightforward to gate CI on. It is the ideal choice for Ruby on Rails developers.

 
 

8. Wapiti

Another popular Python-specific CLI tool for testing websites. It supports pip installs on Python 3.12 and 3.13 only and can generate vulnerability reports, with adjustable verbosity levels, while performing fuzz-based black-box testing: it crawls the site, then injects each attack module's payloads into the discovered parameters and forms. It also flags misconfigurations such as HTTP 500 errors produced during the test run.

 
 

9. Wfuzz

Another fuzzer for web application security testing that runs on Python (pip install) and has a strict list of five installation prerequisites. Install guides are also available for Docker images, Windows and macOS. Notable features are its vast fuzz-testing capabilities: cookie, HTTP verb, proxy and authentication fuzzing, as well as more advanced tests such as payload combinations (iterators), payload mangling and encoder chains, all from a single command line, with the FUZZ keyword marking where the payload goes.
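To make concrete what both Wapiti and Wfuzz do per parameter (an added example, not code from the original post, Wapiti or Wfuzz), the Python script below starts a deliberately fragile target on localhost, injects a handful of constructed payloads into each query parameter in turn, and records two things real scanners look for: a 5xx response (the kind of server error Wapiti reports) and verbatim reflection of the payload. The target application, the payload list and the 'search' endpoint are all made up for the example.

```python
"""Minimal query-parameter fuzzer in the spirit of Wapiti/Wfuzz, run against a throwaway local target.

Added example; not code from the original post, Wapiti or Wfuzz. The target app
and the payload list are constructed for the example.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed payloads: (label, payload). Real scanners ship hundreds per attack module.
PAYLOADS = [
    ("sqli-quote", "'"),               # a lone quote: does the app leak a DB error (HTTP 500)?
    ("xss-probe", "<zap1234>"),        # harmless marker: is it reflected unescaped?
    ("traversal", "../../etc/passwd"),  # path-handling probe
]


class FragileHandler(BaseHTTPRequestHandler):
    """Deliberately fragile app: 500s on a quote in 'id', reflects 'q' unescaped."""

    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(self.path).query)
        id_val = params.get("id", [""])[0]
        q_val = params.get("q", [""])[0]
        if "'" in id_val:
            status, body = 500, b"DatabaseError: unterminated quoted string"
        else:
            status, body = 200, f"<html><body>Results for {q_val}</body></html>".encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the scan output readable
        pass


def start_target():
    """Start the fragile app on a random localhost port; return (server, seed URL)."""
    server = HTTPServer(("127.0.0.1", 0), FragileHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    return server, f"http://127.0.0.1:{port}/search?id=1&q=test"


def fetch(url):
    """GET a URL and return (status, body) even for error statuses."""
    req = urllib.request.Request(url, headers={"User-Agent": "mini-fuzzer/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def fuzz(url):
    """Inject every payload into every query parameter, one parameter at a time.

    Returns sorted (parameter, payload label, observation) tuples. Two observations are
    recorded: 'server-error' (status >= 500, what Wapiti reports as a misconfiguration)
    and 'reflected' (payload echoed verbatim, a lead worth checking for XSS).
    """
    parts = urllib.parse.urlsplit(url)
    base = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    findings = set()
    for name in base:
        for label, payload in PAYLOADS:
            mutated = dict(base)          # shallow copy; we replace one list, never mutate base
            mutated[name] = [payload]
            query = urllib.parse.urlencode(mutated, doseq=True)
            status, body = fetch(parts._replace(query=query).geturl())
            if status >= 500:
                findings.add((name, label, "server-error"))
            if payload in body:
                findings.add((name, label, "reflected"))
    return sorted(findings)


if __name__ == "__main__":
    server, seed = start_target()
    try:
        for finding in fuzz(seed):
            print(finding)
    finally:
        server.shutdown()
```

Run it directly and it prints its findings against the local target; point fuzz() at a real seed URL only on a system you are authorized to test. The reflection check is a lead rather than a confirmed XSS: a real scanner follows up by checking the response context and content type, which is exactly the work Wapiti's modules and Wfuzz's filters do for you.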

 
 

10. Bearer CLI (by Cycode)

Another good vulnerability and misconfiguration scanner for your web application that runs on the command line: a SAST tool that also supports secrets scanning and nice HTML report exports, among many other capabilities. Its website does not list Windows support, but it supports installs via Homebrew, Debian/Ubuntu, RHEL/CentOS and Docker. It also provides an install.sh script to run directly from their website; as with any install script, download it and read it (and check the published checksum) before piping it into a shell.

 
 

11. Grabber

A mini web crawler that lives in a small single .py file and checks for a small range of vulnerability classes. It is a small tool but flexible to use, since it supports XML configuration files, which allow targeting multiple sites. If you need something small and portable that adapts to most setups, this might be useful. It depends on Python 2.4, BeautifulSoup and PyXML and also has a py2exe-generated Windows executable, so treat it as a legacy tool that will need an old Python runtime.

 
 
 

Extra: public website online scanners

This list is just in case you need a fast check on your main website's domain and you don't mind external services probing your public records/domains. NOTE: most sites on this list are free to use, but some require a free registration to view the results produced after you enter your domain, so use them with care and read the terms of use beforehand.

 

Other DNS checkers online:

 

Just in case you need additional help orchestrating one or more vulnerability testing scenarios or variants, there are still free options out there:

  • CloudSploit : Helpful in securing a cloud-based deployment or a cloud-hosted web application instance, by checking the cloud account's configuration against known misconfigurations.
  • CyberChef : Can be self-hosted and provides a nice web UI in which encoding, decoding, hashing and parsing steps are composed as a recipe that can be saved and replayed, for added tuning during automation, which I think is cool.

This additional list is in case anything is missing or invalid in your configuration defaults or customizations:

  • Datree Configuration Security Scanner : Detects misconfigurations in Kubernetes manifests and suggests remediation. Can be run on-premises.
  • DotEnv : Secures your .env secrets in a vault-like way, with immediate leakage detection and prevention.
  • Doppler : Secure secrets management for environment setup and additional integrations. Available on most OSes via a CLI and includes Docker presets.
  • GitGuardian : Protection for Git web app repositories against leakage of secrets and sensitive info (certificates, etc.). It detects hardcoded secrets in your code and can be used with most Git-based deployments (AWS, Azure, Atlassian, etc.).
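As an added example of what the secrets side of these tools does (this is not code from the original post, dotenv, Doppler or GitGuardian), the Python script below scans text for a few well-known credential formats and for generic secret assignments, using a Shannon-entropy check to skip 'changeme'-style placeholders and an inline allowlist marker for reviewed sample values. The patterns, the allowlist marker and the sample lines are constructed for the example; AKIAIOSFODNN7EXAMPLE is AWS's documented example key, not a live credential.

```python
"""Secret detector for files about to be committed: known-format patterns plus an entropy check.

Added example; not code from the original post, dotenv, Doppler or GitGuardian.
Patterns, the allowlist marker and the sample input are constructed for the example.
"""
import math
import re
import sys

# Checked in order; the first match on a line wins, so specific formats come before the
# generic 'name = value' rule. Only the generic rule is subject to the entropy check.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        r"""(?i)(?:secret|token|password|passwd|api[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9/+=_\-]{16,})["']?"""
    ),
}
ALLOWLIST_MARKER = "pragma: allowlist secret"  # constructed marker for this example


def shannon_entropy(value):
    """Bits of entropy per character; random keys sit well above prose or placeholders."""
    if not value:
        return 0.0
    total = len(value)
    counts = (value.count(c) for c in set(value))
    return -sum((n / total) * math.log2(n / total) for n in counts)


def mask(value):
    """Keep only a prefix/suffix so findings can be triaged without re-leaking the value."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text, entropy_threshold=3.5):
    """Return (line number, kind, masked value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST_MARKER in line:
            continue  # reviewed and explicitly accepted (e.g. documented sample values)
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if kind == "generic-assignment" and shannon_entropy(value) < entropy_threshold:
                continue  # 'changeme'-style placeholders: low entropy, probably not a credential
            findings.append((lineno, kind, mask(value)))
            break
    return findings


# Constructed sample (.env-style lines); AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE = """\
# constructed sample config lines
DB_PASSWORD=${DB_PASSWORD}
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key = "changeme"
api_token = "aaaaaaaaaaaaaaaaaaaa"
SESSION_SECRET=0f8ab3c2e1d94f6a7b5c8d9e0f1a2b3c
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
EXAMPLE_SECRET=notreallyasecretvalue0123456789 # pragma: allowlist secret
"""

if __name__ == "__main__":
    # Pre-commit style usage: scan the given files, exit 1 if anything is found.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    sources = sources or [("<sample>", SAMPLE)]
    hits = 0
    for path, text in sources:
        for lineno, kind, masked in scan_text(text):
            print(f"{path}:{lineno}: {kind}: {masked}")
            hits += 1
    sys.exit(1 if hits else 0)
```

Run it with one or more file paths to use it as a pre-commit hook (it exits 1 when anything is found), or with no arguments to scan the embedded sample. The entropy threshold and the 16-character minimum are tuning knobs: lowering them catches shorter tokens at the price of more false positives, which is the trade-off the commercial tools refine with validity checks against the issuing service.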

 
 

In case you need to be extra careful and want to do most things on your own, writing custom automation and stylish scripts:

Here is a list of the top 100 security vulnerabilities.

... which can be combined with any of the tools in the public GitHub listing below, which categorizes vulnerability scanners:

GitHub: psiinon / open-source-web-scanners (README excerpt)

A list of open source web security scanners

open-source-web-scanners

A list of open source web security scanners on GitHub and GitLab, ordered by Stars. It does not provide in-depth analysis - for more analysis or a wider range of tools, see the links below.

Note that some large projects have multiple repos - in which case the second most relevant repo is included immediately after and is indented.

Related: open-source-llm-scanners

General Purpose Web Scanners

Tools which can find a range of 'unknown' vulnerabilities on any websites.

Infrastructure Web Scanners

Tools which can find a range of 'known' vulnerabilities on any websites.

Fuzzers / Brute Forcers

Tools which focus on throwing 'bad…

Comments (2)

  • Freedom Coder, Jun 5, 2025

    Hey, I found that I can view the scan report on ScyScan without registering or paying, and its Google Safe Browsing link checker does not require providing a Google API key. 😁😁😁

    • chrdek, Jun 5, 2025

      Cool, nice to know man.
