Empty input
Last updated 2017-08-10


Learn more about web security tools

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP Benchmark project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.

Tools Listing

Name Owner Licence Platforms
Acunetix WVS Acunetix Commercial / Free (Limited Capability) Windows
edgescan edgescan Commercial / Free (Limited Capability) SaaS
AppScan IBM Commercial Windows
App Scanner Trustwave Commercial Windows
AppSpider Rapid7 Commercial Windows
AVDS Beyond Security Commercial / Free (Limited Capability) SaaS
BlueClosure BC Detect BlueClosure Commercial, 2 weeks trial Most platforms supported
Burp Suite PortSwiger Commercial / Free (Limited Capability) Most platforms supported
Contrast Contrast Security Commercial / Free (Limited Capability) SaaS or On-Premises
Detectify Detectify Commercial SaaS
GamaScan GamaSec Commercial Windows
Grabber Romain Gaucher Open Source Python 2.4, BeautifulSoup and PyXML
Grendel-Scan David Byrne Open Source Windows, Linux and Macintosh
GoLismero GoLismero Team GPLv2.0 Windows, Linux and Macintosh
IKare ITrust Commercial N/A
Indusface Web Application Scanning Indusface Commercial SaaS
N-Stealth N-Stalker Commercial Windows
Netsparker MavitunaSecurity Commercial Windows
Nexpose Rapid7 Commercial / Free (Limited Capability) Windows/Linux
Nikto CIRT Open Source Unix/Linux
ParosPro MileSCAN Commercial Windows
Proxy.app Websecurify Commercial Macintosh
QualysGuard Qualys Commercial N/A
Retina BeyondTrust Commercial Windows
Securus Orvant, Inc Commercial N/A
Sentinel WhiteHat Security Commercial N/A
SOATest Parasoft Commercial Windows / Linux / Solaris
Tinfoil Security Tinfoil Security, Inc. Commercial / Free (Limited Capability) SaaS or On-Premises
Trustkeeper Scanner Trustwave SpiderLabs Commercial SaaS
Vega Subgraph Open Source Windows, Linux and Macintosh
Wapiti Informática Gesfor Open Source Windows, Unix/Linux and Macintosh
WebApp360 TripWire Commercial Windows
WebCookies WebCookies Free SaaS
WebInspect HP Commercial Windows
WebReaver Websecurify Commercial Macintosh
WebScanService German Web Security Commercial N/A
Websecurify Suite Websecurify Commercial / Free (Limited Capability) Windows, Linux, Macintosh
Wikto Sensepost Open Source Windows
w3af w3af.org GPLv2.0 Linux and Mac
Xenotix XSS Exploit Framework OWASP Open Source Windows
Zed Attack Proxy OWASP Open Source Windows, Unix/Linux and Macintosh


The following list of products and tools provide web application security scanner functionality.  Note that the tools on this list are not being endorsed by the Web Application Security Consortium - any tool that provides web application security scanning functionality will be listed here.  If you know of a tool that should be added to this list, please contact Brian Shura at bshura73@gmail.com.


Commercial Tools

Software-as-a-Service Providers


Free / Open Source Tools

Learn more on http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List