[WEB SECURITY] which is the best web application vulnerability scanner

Andre Gironda andreg at gmail.com
Tue May 3 14:14:29 EDT 2011


On Mon, May 2, 2011 at 7:22 PM, 孙松柏 <lukesun629 at gmail.com> wrote:
> Which is the best web application vulnerability scanner among the free
> software like
> Arachni
The WebUI is nice. Written in Ruby and requires Rails. Best installed
using RVM. Doesn't really stand out yet otherwise.

> JBrofuzz
You can take the lists from tools like JBroFuzz, fuzzdb, DirBuster,
and admin-scan.py -- combine them (sort + uniq) -- and then run them
through a single-pane-of-glass tool like Burp Suite Professional (or
Fiddler, et al) or a command-line tool such as dirb. This is a very
common penetration-testing tactic.

> Websecurify
There is a Google Chrome/Chromium extension/app. This tool is best
used when customized internally, which requires heavy knowledge of
JavaScript, especially as a browser/application driver (which is a
rare skillset to have).

> Nikto
This tool is mentioned along with others in the book, "Backtrack 4:
Assuring Security by Penetration Testing". There are some clear
examples of running the tool as well as anecdotes about its
usefulness. I highly encourage you to check out this book for other
non-obvious reasons that will perhaps become obvious after you read
it.

> Wapiti
Great tool, but works only in certain situations. Probably a good tool
to combine with other tools that can rewrite headers and perform
passive analysis, such as Burp Suite Professional or Fiddler with
Casaba Watcher. I especially like how Wapiti can specify POST-only
attacks. It's written in Python.

> W3AF
This is one of the best tools because it stands alone in its support
of key innovations in webappsec technology. It has the best
open-source crawler, as seen from the wivet.googlecode.com results.
Many people think that W3AF is all Python, but it's really a mix of
languages -- especially now that its founders and developers work for
Rapid7 (classically known to be a Ruby appdev shop). My favorite
features of W3AF are the spiderMan discovery plugin, all of the grep
plugins (which can be imported into Burp via the Burp Python extension
API), and some of the attack/evasion plugins. The emailReport plugin
is handy, the XML output is excellent (and it has its own XSD), and
the Export Request Tool feature is one of my favorites -- allowing
export of attacks to various languages, including HTML, Ajax, Python,
and Ruby (note that these are best when imported into HtmlFixture in
FitNesse, or used on a build/CI server as integration tests).

> Skipfish
It's written in C and super-fast, with some really interesting
capabilities. The crawler isn't bad, but it's not quite as good as
W3AF (or some commercial tools). I like the "-D" flag the most, and
the ability for this tool to go through those
JBroFuzz/fuzzdb/admin-scan.py/DirBuster lists is unmatched --
especially given its other capabilities to lean on dictionaries for
predictable-resource-location attacks.

> Grendel-Scan
Terrible performance, scalability, and usability. I don't believe the
author promotes its usage anymore.

> Grabber
I've always liked this tool, but it's a bit of a project; almost
academic. The author went on to do more with Python, such as the
BlackSheep browser that performs security testing.

> wikto
I'm not sure this is supported anymore -- it was replaced by Suru many
years ago, which itself has not been updated in some time. Many of the
search/dorking capabilities are replaced by newer tools such as
SearchDiggity.

==
My personal recommendation is to learn the concepts in Tamper Data and
to build on webappsec knowledge in order to write your own scanner(s).
The ones that you build for yourself will always be "the best",
because you're the customer (and you know yourself and your testing
capabilities, especially test case design and test case organization
along with time management and other principles).

The commercial tools are a waste of time, money, and I'd like to say
many other bad things about them. However, both Netsparker and
WebInspect have crawlers and manual modes that can be useful in rare
circumstances -- so I add them to my toolchain, which is usually
dominated by Tamper Data, Burp Suite Professional, W3AF, and Fiddler
with Casaba Watcher and x5s. However, I find many other tools useful
at times.
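The wordlist-merging tactic described in the JBroFuzz paragraph above (take the predictable-resource lists from JBroFuzz, fuzzdb, DirBuster and admin-scan.py, combine them with sort + uniq, then feed the result to dirb, skipfish or Burp Intruder) as an added worked example. This is editor-supplied code, not part of Andre's post or of any of the tools named; the three sample lists it creates are constructed stand-ins, not the real tool lists, and the normalisation rules (strip CRLF, surrounding whitespace, a leading "/", comments and blank lines) are my own choice so that the same path written three different ways collapses to one entry instead of being probed three times.

```shell
#!/bin/sh
# Merge several predictable-resource wordlists into one deduplicated list.
# Added example: the sample lists below are constructed, not the real
# JBroFuzz / fuzzdb / DirBuster / admin-scan.py exports.

# merge_wordlists OUT IN...: normalise and deduplicate the input lists into OUT
# and print the number of unique entries written.
# Normalisation: drop CR (DirBuster lists ship with CRLF), strip surrounding
# whitespace and one leading "/", drop "#" comment lines and empty lines, so
# "admin/", "/admin/\r" and "admin/ " all collapse to a single "admin/".
merge_wordlists() {
    out="$1"; shift
    cat "$@" \
      | tr -d '\r' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's#^/##' \
      | grep -v -e '^#' -e '^$' \
      | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# demo: build three constructed lists in a temp dir, merge them, print the
# unique count. The inputs overlap on purpose (admin/ and backup/ appear in
# more than one list, with different slash/whitespace/line-ending styles).
demo() {
    tmp=$(mktemp -d)
    printf '# fuzzdb-style list\nadmin/\nbackup/\n.git/HEAD\n' > "$tmp/fuzzdb.txt"
    printf '/admin/\r\nphpmyadmin/\r\nbackup/\r\n' > "$tmp/dirbuster.txt"
    printf 'admin/ \nmanager/html\n\n' > "$tmp/admin-scan.txt"
    merge_wordlists "$tmp/merged.lst" \
        "$tmp/fuzzdb.txt" "$tmp/dirbuster.txt" "$tmp/admin-scan.txt"
    # The merged list is then handed to a scanner, e.g.:
    #   dirb http://target.example/ "$tmp/merged.lst"
    #   skipfish -S "$tmp/merged.lst" -o out/ http://target.example/
    # or loaded as a Burp Intruder payload list. (Not run here: offline example.)
}

demo
```

Running it prints 5: the nine input lines reduce to admin/, backup/, .git/HEAD, phpmyadmin/ and manager/html. Against a real target, merging before scanning matters for more than tidiness: every duplicate entry is a wasted request that shows up in the target's logs and in your time budget, and a stray "\r" on the end of a DirBuster entry turns a valid probe into a 400 or a false negative.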
