A list of open source web security scanners on GitHub and GitLab, ordered by Stars. It does not provide in-depth analysis - for more analysis or a wider range of tools, see the links below.
Note that some large projects have multiple repos - in which case the second most relevant repo is included immediately after and is indented.
Tools which can find a range of 'unknown' vulnerabilities on any website.
Main Site | Last Commit | Committers | Stars |
---|---|---|---|
ZAP | |||
- ZAP Extensions | |||
Hetty | |||
W3af | |||
Arachni | |||
Astra | |||
Wapiti | |||
Skipfish | |||
Sitadel | |||
Taipan | |||
Vega | |||
Reaper | |||
BrowserBruter | |||
Tuplar | |||
Ugly-duckling | |||
Jawfish | |||
Pākiki | |||
Browserker | |||
Tools which can find a range of 'known' vulnerabilities on any website.
Main Site | Last Commit | Committers | Stars |
---|---|---|---|
Nuclei | |||
- Nuclei Templates | |||
Xray | |||
Tsunami | |||
Nikto | |||
Striker | |||
Jaeles | |||
- Jaeles-Signatures | |||
Yasuo | |||
Observatory | |||
Spaghetti | |||
Tools which focus on throwing 'bad stuff' at things - the user typically has to work out if it sticks.
Main Site | Last Commit | Committers | Stars |
---|---|---|---|
dirsearch | |||
Ffuf | |||
gobuster | |||
Wfuzz | |||
feroxbuster | |||
rustbuster | |||
vaf | |||
radamsa | |||
BrowserBruter | |||
Tools which can find a range of 'known' vulnerabilities on one or more CMS websites.
Main Site | Last Commit | Committers | Stars |
---|---|---|---|
WPscan | |||
Volnx | |||
Droopescan | |||
CMSScan | |||
JoomScan | |||
Clusterd | |||
Tools which focus on web APIs.
Main Site | Last Commit | Committers | Stars |
---|---|---|---|
Cherrybomb | |||
Akto | |||
Automatic API Attack Tool | |||
VulnAPI | |||
Tools which focus on specific types of vulnerabilities.
Main Site | Last Commit | Committers | Stars |
---|---|---|---|
Sqlmap | |||
XSStrike | |||
Commix | |||
Tplmap | |||
Dalfox | |||
Fuxploider | |||
Ghauri | |||
NoSQLMap | |||
Xsscrapy | |||
XSpear | |||
Gxss | |||
Domdig | |||
CakeFuzzer | |||
Takeover | |||
LFIscanner | |||
YA-LFI | |||
YA-CORS | |||
- Free for Open Source Application Security Tools - includes commercial tools as well
- Vulnerability Scanning Tools - covers more tools, includes commercial tools as well
- Linux Security Tools - covers more tools and evaluates more criteria
- Web Hackers Weapons - covers more tools
- Arsenal of cloud native security tools
PRs welcome.
Template line for GitHub projects (replace USER_REPO):
| []() | [![Last Commit](https://img.shields.io/github/last-commit/USER_REPO)](https://github.com/USER_REPO/commits) | [![Contributors](https://img.shields.io/github/contributors/USER_REPO)](https://github.com/USER_REPO/graphs/contributors) | [![Stars](https://img.shields.io/github/stars/USER_REPO)](https://github.com/USER_REPO/stargazers) |
Template line for GitLab projects (replace USER_REPO):
| []() | [![Last Commit](https://badgen.net/gitlab/last-commit/USER_REPO)](https://gitlab.com/USER_REPO/-/commits/master) | [![Contributors](https://badgen.net/gitlab/contributors/USER_REPO/)](https://gitlab.com/USER_REPO/-/graphs/master) | [![Stars](https://badgen.net/gitlab/stars/USER_REPO/)](https://gitlab.com/USER_REPO/-/starrers) |