Which is the most comprehensive open source Web Security Testing tool?

Any feedback based on your experiences would be helpful. Thanks.

88 Answers

author avatar
Top 5LeaderboardConsultant

It depends.

Let me explain. If you are looking to find SQL injection, header injection, directory listing, shell injection, cross site scripting and file inclusion? Or are you looking for file disclosure, inclusion, cross site scripting, CED, CRLF injection, sel injection, xpath injection, weak .htaccess or backup files disclosure?

Also, proxy check is very important. I use several software since I deal with healthcare Apps. So, I don't think one program does it all but if you have the time to do a "cook off" I can recommend the following software:

Zed Attack Proxy
Wapiti (Only Win 32bit)

Some of them do the same are repetitive but I think these are the best open source web application security testing tools.
If you want to start penetration testing, I will recommend using Linux distributions which have been created for penetration testing. These environments are backtrack, gnacktrack, backbox and blackbuntu. All these tools come with various free and opensource tools for website penetration testing. So, you can go with those environments.

I wrote my own solution. Securis. It is customized for healthcare federal regulations only. Let me know if I can help.

author avatar

We have been looking for a good solution too and still haven't decided yet. But you might benefit from our aproach:
- we didn't rule out closed source from the start. Security is too important to simply ignore that category. There are some good tools available but they come at a cost... (we are considering the folowing candidates: HP Fortify SCA, Acunetix, Netsparker)
- don't look for THE TOOL to do everything but look at the different security aspects to cover. (We differentiate between Dynamic and Static Application Security Testing. Dynamic Application Security Testing is testing the application from the outside it, looking at the application in its running state. Whereas Static Application Security Testing is looking at the sourcecode the application is made of.)
Use comparison material from internet: we use among others Gartners Magic Quadrant reports (http://securityintelligence.com/2014-gartner-magic-quadrant-for-application-security-testing-released-ibm-maintains-position-in-leaders-quadrant/#.VaJPKe8w-70).
The answers provide by others are all fine answers regarding open source and in our research until now we (also) have identified OWASP's Zed Attack Proxy as the prime open source candidate.

author avatar
Top 20Vendor

ZAP for sure. Maintained by Mozilla.

author avatar
Top 5LeaderboardReal User
author avatar
Top 5LeaderboardReal User

w3af only

author avatar

If you are looking for Web application security testing then I would recommend- OWASP-ZAP(Open Source) and Burp Suite(Licensed with cost as low as 299$ per yr.)

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

author avatar

As you have not indicated what langue the development is done in nor what specific concerns you have, I can only offer a more general recommendation. Start with Owasp. Here is a link to their site:

They have many decent open source tools for validating various aspects of web security. In addition, they have the top 10, which outlines the most prevalent risks found/exploited currently. Fixing those goes a long way towards imporiving your web security.

Find out what your peers are saying about Veracode, Checkmarx, PortSwigger and others in Application Security Testing (AST). Updated: April 2021.
479,894 professionals have used our research since 2012.