Web Application Analysis

61 tools

Arjun is an HTTP parameter discovery suite that finds query parameters for URL endpoints using a large dictionary of 25,890 parameter names. It efficiently tests parameters with minimal requests, typically completing in under 10 seconds.

Burp Suite is an integrated platform for performing security testing of web applications. Its tools work together to support mapping and analysis, and finding and exploiting vulnerabilities.

Cadaver is a command-line WebDAV client that supports file upload, download, on-screen display, in-place editing, namespace operations, collection creation and deletion, property manipulation, and resource locking. Its operation is similar to the standard BSD ftp client and smbclient.

Caido is a security auditing toolkit provided as a desktop application. It enables comprehensive security assessments through an integrated desktop interface.

Caido CLI is a lightweight web security auditing toolkit available as a command-line interface. It provides options for configuring listeners, proxies, and UI for security testing.

CeWL is a custom word list generator that spiders a given URL to a specified depth and extracts words for password cracking. It can also generate email addresses from mailto links and extract usernames from file metadata via FAB.

Chromium is a web browser that aims to build a safer, faster, and more stable internet browsing experience. It includes various components like a main browser, headless shell, driver for automation, and supporting packages.

CMSeeK is a CMS Detection and Exploitation suite that scans WordPress, Joomla, Drupal and over 180 other CMSs. It identifies content management systems and performs exploitation checks.

Colly is an elegant and lightning-fast scraping framework for Golang. It provides a clean interface to write crawlers, scrapers, and spiders for extracting structured data from websites.

Automated all-in-one OS command injection and exploitation tool for detecting and exploiting command injection vulnerabilities in web applications.

DVWA is a PHP/MySQL web application intentionally designed to be highly vulnerable for security testing and training. It provides a legal environment to practice common web vulnerabilities at various difficulty levels.

DAVTest is a testing tool for WebDAV servers that uploads test executable files to determine if enabled DAV services are exploitable. It checks for successful uploads and execution of various file types on the target server.

DIRB is a Web Content Scanner that looks for existing and hidden web objects by launching dictionary-based attacks against web servers. It analyzes HTTP responses to identify directories, files, and other content.

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web servers. It uses custom-generated wordlists from real developer usage and supports pure brute force to uncover hidden content.

dirsearch is a command-line tool designed to brute force directories and files on web servers. It offers complex web content discovery with multiple wordlist options, high accuracy, impressive performance, and advanced features.

EyeWitness takes screenshots of websites, captures server header information, and identifies default credentials. It automates rapid web application triage from URL lists, Nmap XML, or Nessus files.

Fast, simple, recursive content discovery tool written in Rust for performing Forced Browsing. Uses brute force combined with a wordlist to search for unlinked content in target directories.

ffuf is a fast web fuzzer written in Go that allows typical directory discovery, virtual host discovery without DNS records, and GET and POST parameter fuzzing.

Firefox Developer Edition is a powerful, extensible web browser with support for modern web application technologies, running in a container using kaboxer and localized for en-US.

GoldenEye is an HTTP DoS test tool used to check if a website is susceptible to Denial of Service attacks by opening multiple parallel connections. It employs HTTP Keep Alive and NoCache as the attack vector for testing web server resilience.

Gospider is a fast web spider written in Go for crawling websites. It supports features like parsing sitemaps and robots.txt, generating links from JavaScript, and extracting URLs from various sources.

gowitness is a website screenshot utility that uses Chrome Headless to generate screenshots of web interfaces from the command line. It includes a report viewer to process results and supports Linux and macOS, with Windows mostly supported.

Web crawler designed for easy, quick discovery of endpoints and assets. Fast golang web crawler for gathering URLs and JavaScript file locations.

Fast and multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library to maintain result reliability with increased threads. Supports probing hosts, URLs, and CIDRs with smart auto-fallback from HTTPS to HTTP.

Humble is a fast, security-oriented HTTP headers analyzer that checks for compliance with OWASP Secure Headers. It provides statistics, findings, and supports multiple output formats.

hURL is a hexadecimal and URL encoder/decoder tool for handling encoding tasks in cybersecurity. It supports base64, URL single/double encoding and decoding operations.

OWASP JoomScan is a Joomla vulnerability scanner that detects vulnerabilities in Joomla CMS installations. It enumerates versions, checks for core vulnerabilities, and identifies exposed directories, files, and configurations.

JSP File Browser is a Java Server Page that provides remote web-based file access and manipulation on JSP-compatible servers. It enables creating, editing, uploading, downloading, and executing commands on server files and directories.

Juice Shop is a modern and sophisticated insecure web application for security trainings, awareness demos, CTFs, and testing security tools. It includes vulnerabilities from the OWASP Top Ten and other real-world security flaws.

Nikto is a pluggable web server and CGI scanner that performs fast security and informational checks. It identifies vulnerabilities, misconfigurations, and outdated software on web servers.

Web application security testing framework built on top of Firefox. Mantra is a browser designed for security testing with built-in tools for header manipulation, request replay, and proxy switching.

The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed for users with varying levels of security experience, from developers and functional testers new to pentesting to experienced pentesters.

PadBuster is a Perl script for automating Padding Oracle Attacks. It enables decryption of arbitrary ciphertext, encryption of arbitrary plaintext, and vulnerability detection through automated response analysis.

Paros is a lightweight web application testing proxy used for intercepting and analyzing HTTP traffic. It supports spidering websites and running vulnerability scans based on saved policies.

Parsero audits robots.txt files by parsing Disallow entries and checking their HTTP status codes. It reveals potentially sensitive directories or files that search engines are instructed not to index.

Collection of useful payloads and bypasses for Web Application Security and Pentest/CTF. Provides directories with payloads for various vulnerabilities like injections and exploits.

PHP Defaults provides metapackages and binaries for the latest stable PHP version (8.4) in Kali Linux, including Apache modules, CLI interpreters, FPM, and extension modules for web development and scripting.

Requests is an elegant and simple HTTP library for Python that allows sending HTTP/1.1 requests with headers, form data, multipart files, and parameters using Python dictionaries. It simplifies access to response data and handles complex HTTP operations powered by httplib and urllib3.

Robots.txt is a tool that implements the robots.txt exclusion protocol for the Go language. It includes a utility for checking robots.txt compliance.

Siege is an HTTP regression testing and benchmarking utility that stress tests URLs with simulated users. It reports hits, bytes transferred, response time, concurrency, and return status.

Skipfish is a fully automated active web application security reconnaissance tool that performs recursive crawls and dictionary-based probes to generate an interactive sitemap annotated with security checks.

SlowHTTPTest is a highly configurable tool that simulates application layer Denial of Service attacks. It implements common low-bandwidth attacks such as Slowloris, Slow HTTP POST, Slow Read, and Apache Range Header attacks.

SQLMC is a tool designed to scan a domain for SQL injection vulnerabilities by crawling the given URL up to a specified depth and checking each link.

SSTImap is an automatic SSTI detection tool with an interactive interface that checks websites for Server-Side Template Injection vulnerabilities and exploits them to gain operating system access.

CLI tool for testing web pages for template injection vulnerabilities. Supports 44 of the most relevant template engines for eight different programming languages.

Uniscan is a simple scanner for Remote File Include (RFI), Local File Include (LFI), and Remote Command Execution (RCE) vulnerabilities. It performs directory checks, file checks, and dynamic vulnerability tests on web targets.

wafw00f identifies and fingerprints Web Application Firewall products. It detects WAF solutions by analyzing HTTP responses to normal and potentially malicious requests.

Wapiti is a black-box web application vulnerability scanner that audits security by scanning deployed web pages for scripts and forms to inject payloads. It detects vulnerabilities like SQL injections, XSS, file disclosures, command execution, and more.

WATOBO is a semi-automated web application scanner designed for efficient security audits. It operates as a local web proxy to facilitate detailed testing.

web-cache-vulnerability-scanner (wcvs) is a CLI tool for testing web cache poisoning and web cache deception vulnerabilities. It probes HTTP headers, query parameters, and cache keys to identify misconfigured caches that can be abused to poison responses served to other users.

WeBaCoo is a script kit for creating web backdoors that utilize cookies for command execution. It supports generating obfuscated PHP backdoor code and establishing remote terminal connections via HTTP requests.

WebScarab is a web application review tool designed to expose the workings of HTTP(S)-based applications. It assists developers in debugging difficult problems and security specialists in identifying vulnerabilities in application design or implementation.

Webshells is a collection of web shells for various server-side languages including ASP, ASPX, CFM, JSP, Perl, and PHP. It provides pre-built backdoor scripts for web application penetration testing.

WebSploit is an advanced web exploitation framework for scanning and analyzing remote systems to identify various vulnerabilities. It features a modular structure similar to Metasploit with modules for web scanning, directory scanning, and MITM attacks.

Wfuzz is a web application bruteforcer designed for finding unlinked resources such as directories, servlets, and scripts. It supports bruteforcing GET and POST parameters, forms, and fuzzing for various injections.

WebApp Information Gatherer that identifies Content Management Systems and administrative applications through fingerprinting. It detects CMS versions based on checksums and string matching, and guesses server operating systems from headers.

WPProbe is a fast WordPress plugin scanner that detects installed plugins via REST API enumeration and maps them to known vulnerabilities. It supports over 3000 plugins without brute-force and thousands more with it.

Black box WordPress vulnerability scanner that scans remote WordPress installations to find security issues.

XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) audit and exploitation toolkit. It detects CSRF vulnerabilities, related bypasses, and generates exploitable proof-of-concepts.

XSSer is an automatic framework to detect, exploit, and report XSS vulnerabilities in web-based applications. It includes options to bypass filters and uses various code injection techniques.

XSStrike is a Cross Site Scripting detection suite equipped with four hand-written parsers, an intelligent payload generator, a powerful fuzzing engine, and an incredibly fast crawler.