10+ Free Web Application Security Testing Tools

Websites are getting more and more complex everyday and there are almost no static websites being built.

Security GuyToday, the simplest website has at least a contact or newsletter form and many are built with CMS systems or it may be using 3rd party plugins, services, etc. that we don't have an exact control over.

Even if the website is 100% hand-coded, we trust what we created and think that it is safe, it is still possible that a special character is not sanitized or we are not aware of a new attacking technique.

So, it is really hard to say "my website is safe" without running tests over it. The good part is there are powerful and free web application security testing tools which can help you to identify any possible holes.

Before presenting them, let's remind the classic: "something can be secure as only as its weakest link" (which also tells us that it is not always the application and can still be the server it is hosted or that easy to remember FTP password).

Netsparker Community Edition (Windows)

Netsparker Community Edition

This is the free-community edition of the powerful Netsparker which still comes with a bunch of features and also false-positive-free.

The application can detect SQL Injection + cross-site scripting issues.

Once a scan is complete, it displays the solutions besides the issues and enables you to see the browser view and HTTP request/response.

Websecurify (Windows, Linux, Mac OS X)


Websecurify is a very easy-to-use and open source tool which automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies.

It can create simple reports (that can be exported into multiple formats) once ran.

The tool is also multilingual and extensible with the add-on support.

Wapiti (Windows, Linux, Mac OS X)


Wapiti is an open source and web-based tool that scans the web pages of the deployed web applications, looking for scripts and forms where it can inject data.

It is built with Python and can detect:

  • File handling errors (Local and remote include/require, fopen, readfile…)
  • Database, XSS, LDAP and CRLF injections (HTTP response splitting, session fixation…)
  • Command execution detection (eval(), system(), passtru()…)

N-Stalker Free Version (Windows)

N-Stalker Free Version

The free edition performs restricted-yet-still-powerful set of web security assessment checks compared to the paid versions of the application.

It can check up to 100 web pages at once including web server and cross-site scripting checks.

skipfish (Windows, Linux, Mac OS X)


skipfish is a fully automated and active web application security reconnaissance tool.

It is lightweight and pretty fast (can perform 2000 requests/second).

The application has automatic learning capabilities, on-the-fly wordlist creation and form autocompletion.

skipfish comes with low false positive, differential security checks which are capable of spotting a range of subtle flaws, including blind injection vectors.

Scrawlr (Windows)


Scrawlr is a free software for scanning SQL injection vulnerabilities on your web applications.

It is developed by HP Web Security Research Group in coordination with Microsoft Security Response Center.

Watcher (Windows)


It is a plugin for Fiddler (the awesome HTTP debugging proxy) and works as a passive-analysis tool for HTTP-based web applications.

Watcher runs silently in the background and interact with the web-application to apply 30+ tests (where new ones can be added) while you browse.

It will identify issues like cross-domain form POSTs, dangerous context-switching between HTTP and HTTPS, etc.

x5s (Windows)


x5s is again a plugin for Fiddler just like Watcher which is designed to find encoding and character transformation issues that can lead to XSS vulnerability.

It simply tests user-controlled input using special characters like <, >, ', and reviews how the output encodes the special characters.

Exploit-Me (Windows, Linux, Mac OS X)


Rather than using a proxy like most of the security testing tools, Exploit-Me directly integrates into Firefox.

It is a set of 3 add-ons:

  • XSS-Me: for testing reflected XSS vulnerabilities
  • SQL Inject Me: for testing SQL injection vulnerabilities
  • Access-Me: for testing access vulnerabilities

They are all lightweight , work while you browse websites and simply inform you by adding extra styles to the objects with vulnerabilities

WebScarab (Windows, Linux, Mac OS X)


WebScarab is actually a proxy to sniff the HTTP(s) traffic and manipulate it.

However, it comes with features like "parameter fuzzer (for testing XSS and SQL injection vulnerabilities), or "CRLF injection (HTTP response splitting)" and more.

Acunetix Free Version (Windows)


This is the free and limited-featured version of a paid/pro product.

It performs a check on any website and identifies cross site scripting (XSS) vulnerabilities.


  • dude Thanks for the killer links
    I before now I have used acunetix pay/pro
    So I will give the other tools a try 😉

  • sbb

    really nice tools.

    gives an idea at least

  • froks

    Netsparker is great!!!!

  • http://freetrustseal.com checks your site or any site for free and allows you to put a Free Trust Seal on your site to show its safe

  • Armando Flores Ibarra

    Thank you very much for this useful post !!!

  • noodle-fan

    you must enter your data when downloading n-stalker 🙁

  • awesome list, that is very helpful. Thanks.

  • p-Landmine

    http://www.german-websecurity.com offers you a free online security scan, which shows you what type of vulnerabilities you got.

    If your website does not contain any vulnerabilities you get a certificate.

  • Smith

    WebCruiser – Web Vulnerability Scanner Free Edition

    WebCruiser – Web Vulnerability Scanner, a compact but powerful web security scanning tool! It has a Crawler and Vulnerability Scanner(SQL Injection, Cross Site Scripting, XPath Injection etc. ).

    It can support scanning website as well as POC( Prooving of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also a SQL Injector, a XPath Injector , and a Cross Site Scripting tool!

    * Crawler(Site Directories And Files);
    * Vulnerability Scanner(SQL Injection, Cross Site Scripting, XPath Injection etc.);
    * POC(Proof of Concept): SQL Injection, Cross Site Scripting, XPath Injection etc.;
    * GET/Post/Cookie Injection;
    * SQL Server: PlainText/FieldEcho(Union)/Blind Injection;
    * MySQL/Oracle/DB2/Access: FieldEcho(Union)/Blind Injection;
    * Administration Entrance Search;
    * Time Delay For Search Injection;
    * Auto Get Cookie From Web Browser For Authentication;
    * Report Output.


  • Vitthal

    in one word AWESOME!!!!!!!!!

  • Thanks for sharing
    the information this saved my time.

  • Prashant

    Could you suggest a tool for security testing for site developed in Coldfusion?

  • Wow. Thanks for the links!

  • Mushahid

    The information about the tools are awesome…

  • Useful

    This is the first “X something about the web” post I’ve Stumbled upon that I actually like because…it is actually useful! Most of the Stumbles I come across say something like, “150 lists of lists of Photoshop tutorials” or “30 Best Ever jQuery plugins.” If I want to find those lame things, I’ll use Google. I’ve used Google to try to find actual security tools like these and it is not easy! I knew about skipfish but none of the others.

  • victor alemany

    Great list of tools. Very helpful. Thanks.

  • Amarjeet Chavhan

    Thanks for such a Great Sharing …
    Was struggling for SQL Injection & XSS testing…

    This tools will pull me out from my problem…

  • Kanchan

    Great there are so many tools available ..

  • I’ve been trying Wapiti but it has been 2 years since the last update and a bit buggy.
    Currently running Websecurify and looks neat.
    Great list!

  • jin

    This is a great list of tools. Very helpful.
    Any suggestion on which is the best to use for DDos 7 attacks for a demo session?

  • One of the most useful posts for every website builders. I also use some of the tools from the above to find out the vulnerabilities on the small websites that developed by me. Thanks to Web Resources Depot for sharing this post.

  • Kim Miller

    Could you please suggest a good free security testing tool that will work well with Oracle

  • Great there are so many tools available thanks

  • Vivek

    as discussed above, i tried with WebCruiser , check site button in this, doesnot work. As reason , why it is not checking ?

  • We have been using Netsparker for quiet some time and I think it is a great tool for security testing.