In our previous hacking classes, as we have discussed that Penetration testing is one of the Major Career path for Ethical Hackers. Some of our regular readers asked us to publish list of best open source web application Penetration testing tools, so that they can expetize best available open source penetrationg testing tools in the Market. Its an obvious question in interviews for penetration testing that they ask you “On what application Penetration testing tools you have worked on ?” . So its always better to go through all best web application Penetration testing tools in advance, :D not just for interview but to Pen test like a professional Ethical Hacker. Hackingloops has reviewed more than 100’s of available application penetration testing tools and came up with list of best of the best open source Application Penetration testing tools. So let’s see what all application pen testing tools i have collected for you Guys…
List of best Open Source Web Application Penetration Testing Tools:
1. OWASP ZAP (ZED ATTACK PROXY) :
Zed Attack Proxy is also known as ZAP. This tool is open source tool by OWASP. It is available for Windows, Unix/Linux and Macintosh platforms. I personally like this tool that’s why it tops my list. It can be used to find a wide range of vulnerabilities in web applications. The tool is very simple and easy to use. Even if you are new to penetration testing, you can easily use this tool to start learning penetration testing of web applications.
These are the key functionalities of ZAP:
- Intercepting Proxy
- Automatic Scanner
- Traditional but powerful spiders
- Fuzzer
- Web Socket Support
- Plug-n-hack support
- Authentication support
- REST based API
- Dynamic SSL certificates
- Smartcard and Client Digital Certificates support
You can either use this tool as a scanner by inputting the URL to perform scanning, or you can use this tool as an intercepting proxy to manually perform tests on specific pages.
Download ZAP : http://code.google.com/p/zaproxy/
2. W3af :
W3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
By using this tool, you will be able to identify more than 200 kinds of web application vulnerabilities including SQL injection, Cross-Site Scripting and many others.
It comes with a graphical and console interface. You can use it easily by using its easy to understand interface.
If you are using it with Graphical Interface, I do not think that you are going to face any problem with the tool. You only need to select the options and then start the scanner. If a website needs authentication, you can also use authentication modules to scan the session-protected pages.
Download it from the official website: http://w3af.org/
3. Grabber
Grabber is a nice web application scanner which can detect many security vulnerabilities in web applications. It performs scans and tells where the vulnerability exists. It can detect the following vulnerabilities:
- Cross site scripting
- SQL injection
- Ajax testing
- File inclusion
- JS source code analyzer
- Backup file check
It is not fast as compared to other security scanners, but it is simple and portable. This should be used only to test small web applications because it takes too much time to scan large applications.
Download it here: http://rgaucher.info/beta/grabber/
4. OWASP Webscarab :
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
Download WebScarab here : https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
5. BeEF :
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser- what this means is that, it takes advantage of the fact that an open web-browser is the window(or crack) into a target system and designs its attacks to go on from this point on . It has a GUI interface, works on Linux, Apple Mac OS X and Microsoft Windows. It is open source and can be found at this page.
Download link : http://beefproject.com/
6. NMAP :
NMap though not necessarily a pen-testing tool, but it is a must-have for the ethical hackers. This is a very popular tool that predominantly aids in understanding the characteristics of any target network. The characteristics can include: host, services, OS, packet filters/firewalls etc. It works on most of the environments and is open sourced.
Download link: http://nmap.org/
7. Social Engineer Toolkit :
The Social-Engineer Toolkit (SET) is a unique tool in terms that the attacks are targeted at the human element than on the system element. It has features that let you send emails, java applets, etc containing the attack code. It goes without saying that this tool is to be used very carefully and only for ‘white-hat’ reasons. It has a command-line interface, works on Linux, Apple Mac OS X and Microsoft Windows. It is open source and can be found at below page.
Download link: Social Engineer Toolkit download
8. Wireshark :
This is basically a network protocol analyzer –popular for providing the minutest details about your network protocols, packet information, decryption etc. It can be used on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many other systems. The information that is retrieved via this tool can be viewed through a GUI, or the TTY-mode TShark utility. You can get your own free version of the tool from here.
Download link: Wireshark download
9. SQLMap :
SQLMap is another popular open source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerability in a website’s database. It has a powerful detection engine and many useful features. So, a penetration tester can easily perform SQL injection check on a website.
It supports range of database servers including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. It offers full support to 6 kinds of SQL injection techniques: time-based blind, boolean-based blind, error-based, UNION query, stacked queries and out-of-band.
Download SQLMap here: https://github.com/sqlmapproject/sqlmap
10. Wapiti :
Wapiti is also a nice web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data. It tries to inject payloads and see if a script is vulnerable. It supports both GET and POSTHTTP attacks and detects multiple vulnerabilities.
It can detect following vulnerabilities:
- File Disclosure
- File inclusion
- Cross Site Scripting (XSS)
- Command execution detection
- CRLF Injection
- SEL Injection and Xpath Injection
- Weak .htaccess configuration
- Backup files disclosure
- and many other
Wapiti is a command-line application. So, it may not be easy for beginners. But for experts, it will perform well. For using this tool, you need to learn lots of commands which can be found in official documentation.
Download Wapiti with source code: http://wapiti.sourceforge.net/
11. Wfuzz :
Wfuzz is another freely available open source tool for web application penetration testing. It can be used to brute force GET and POST parameters for testing against various kinds of injections like SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading, SOCK, Proxy, Authentication, parameters brute forcing, multiple proxy and many other things.
This tool does not offer a GUI interface, so you will have to work on command line interface.
Download Wfuzz from code.google.com: http://code.google.com/p/wfuzz/
That’s it Friends! There are lot of Open source web application penetration testing tools but these are best of best.
If you like our article, then why not support us by visiting or clicking our sponsors.
Lokesh Singh says
Will be adding new tools very soon