Security Tools Comparison

Several automated tools are available that scan web applications to look for known security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. These scans are usually done from the outside. Scanning using such tools are usually the first step in any vulnerability analysis. This phase is commonly referred as Dynamic Application Security Testing, where the application is tested in its operating state.

Dynamic Application Security Testing can be combined with Static Application Security Testing (SAST), which invloves source code testing to find out vulnerabilites in design and construction flaws. Together, DAST and SAST look at both sides of an application to prune out potential vulnerabilities.

Some of the tools used are:

• Vega https://subgraph.com/vega/
• Grabber https://github.com/neuroo/grabber
• Zed Attack Proxy http://code.google.com/p/zaproxy/
• Wapiti http://wapiti.sourceforge.net/
• W3af https://github.com/andresriancho/w3af/
• WebScarab https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
• Skipfish http://code.google.com/p/skipfish/
• Ratproxy http://code.google.com/p/ratproxy/
• SQLMap https://github.com/sqlmapproject/sqlmap
• Wfuzz http://code.google.com/p/wfuzz/
• Grendel-Scan http://sourceforge.net/projects/grendel/
• X5S http://xss.codeplex.com/
• Watcher http://websecuritytool.codeplex.com/
• Arachni http://www.arachni-scanner.com/
• Nikto http://sectools.org/tool/nikto/
• Nmap Nmap Scanner
• Cloud Security IBM Application Security on Cloud

Sources:

• Vulnerability Scanning Tools
• 14 Best Open Source Web Application Vulnerability Scanners [Updated for 2018]