Cybersecurity

41 Open-source and Free Vulnerability Scanners For Pentesting and Web App Security

Hazem Abbas

Nov 2, 2023 — 26 min read

Photo by Nahel Abdul Hadi / Unsplash

Vulnerability scanners are software applications that monitor systems for potential security threats. These tools scan your network and systems for vulnerabilities that could be exploited by hackers. They check for unpatched software, insecure system configurations, and other weaknesses.

Vulnerability Scanners for Web Apps

Web application vulnerability scanners, specifically, are designed to scan web applications for vulnerabilities such as SQL injection, cross-site scripting (XSS), and path traversal vulnerabilities.

They are important because they automate the process of checking web applications for security vulnerabilities, which can be a time-consuming and complex task. By identifying vulnerabilities early, organizations can address them before they are exploited by hackers.

Vulnerability scanners are particularly crucial in maintaining compliance with regulations such as HIPAA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation). These regulations require organizations to take adequate measures to protect sensitive data like healthcare and personal information. By identifying and addressing vulnerabilities, businesses can ensure they are not inadvertently exposing such sensitive data.

For Enterprise

In an enterprise setting, vulnerability scanners are pivotal. They help maintain the security of large networks with numerous connected devices.

They can monitor these networks continuously, providing regular updates about potential vulnerabilities and helping enterprises to stay ahead of potential security threats.

The ability to scan on a schedule, or continuously, ensures that new vulnerabilities are identified as soon as possible, reducing the window of opportunity for attackers. They also provide detailed reports, which can help in auditing and demonstrating compliance with various security standards.

In this post, we offer you the best open-source Vulnerability Scanners

1- vMass Bot

vMass Bot is an open-source and free tool that automates the exploitation of remote hosts by finding environment files, extracting tools and information, detecting the target's CMS, and attempting to auto-exploit and upload shell payload.

It can generate host lists from various sources if no target list is provided. Extracted tools can be filtered and tested, and the bot can also use hosts with phpmyadmin access for auto upload if CMS exploits fail. Results can be delivered to a Telegram channel, and the entire process can be automated using the AUTOPILOT option.

2- Vuls: VULnerability Scanner

Vuls is an open-source, agent-less vulnerability scanner for various operating systems and environments. It helps system administrators by automatically detecting vulnerabilities, informing about affected servers, and generating regular reports.

It supports major Linux, FreeBSD, Windows, macOS systems, and can be used in cloud, on-premise, and Docker container environments.

It also enables DevOps to scan containers, and and provide nondestructive testing for all.

Vuls also include a strong suite to test WordPress, and its plugins and themes.

3- VulnX

Vulnx is an intelligent bot that can automatically inject shells and detect security vulnerabilities in CMS systems. It can perform quick CMS security detection, information collection, and vulnerability scanning. Unlike other tools that require manual shell injection, Vulnx analyzes the target website for vulnerabilities and injects the shell if a vulnerability is detected.

Features

Detects cms (WordPress, Joomla, PrestaShop, Drupal, opencart, Magento, lokomedia)
Target information gatherings
Target Subdomains gathering
Multi-threading on demand
Checks for vulnerabilities
Auto shell injector
Exploit dork searcher
Ports Scan High Level
Dns-Servers Dump
Input multiple target to scan.
Dorks Listing by Name by ExploitName.
Export multiple target from Dorks into a logfile.

4- XAttacker

XATTACKER is a comprehensive tool for scanning and automatically exploiting vulnerabilities in web applications. It can detect a website's architecture, identify vulnerabilities based on the detected Content Management System (CMS), generate an exploit, and send the user the exploit link.

Features include a vulnerability scanner, auto-exploiting, CMS attacking, dork search with multiple search engines, and plain text reporting.

Supported CMS solutions

Joomla
WordPress
Prestashop
Drupal
Lokomedia

Supported systems

Android
Linux
Windows
macOS

Build software better, together

GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 330 million projects.

GitHub

5- Commix

Commix (short for [comm]and [i]njection e[x]ploiter) is a powerful, user-friendly, and versatile open-source tool designed for penetration testing. Developed by Anastasios Stasinopoulos, it automates the detection and exploitation of command injection vulnerabilities in web applications. It's portable, modular, and compatible with various systems, platforms, CMS, and web applications, making it a crucial tool for security testing.

6- KILLSHOT

KillShot is a penetration testing framework, an information-gathering tool, and a website vulnerability scanner.

KillShot allows you to spider your website, gather important information automatically, and identify vulnerabilities. Key features include:

Information gathering using whatweb-host-traceroute-dig-fierce-wafw00f
CMS identification and vulnerability detection via Cms Exploit Scanner and WebApp Vul Scanner
Automatic scanning using Nmap and Unicorn
Backdoor generation with simple PHP backdoors for manual upload and connection to the target

KillShot also includes a simple Ruby fuzzer that has been tested on VULSERV.exe, and a Linux log clear script to change the content of login paths. Spider can help you identify site parameters and scan for XSS and SQL vulnerabilities.

Other scanning capabilities include:

Port scanning
App scanning
Shell scanning

7- PatrOwl

PatrowlHears is a real-time Vulnerability Intelligence platform that provides CVE, exploits, and threat news. It is part of Patrowl's suite of open-source security operations and threat intelligence solutions. Developed in Python, it uses Django for the backend and Vue.js + Vuetify for the frontend, with RabbitMQ and Celery supporting asynchronous tasks and engine scalability. It can be accessed via the embedded web interface or the REST-API.

8- XAttacker Tool

The X Attacker Tool ☣ is a modified version of the original X Attacker, designed to scan websites for vulnerabilities and automatically exploit them.

This tool is useful for assessing the security of your website by identifying any potential vulnerabilities. It can also be used to gain access to shells, send files, deface websites, control panels, and databases.

It's capable of detecting security issues within CMS, as well as numerous vulnerabilities in systems such as WordPress, Joomla, and others.

9- Fox Ex v2

{Fox Ex v2} tool is a free and open-source solution that is designed for hacking tests. It exploits vulnerabilities and backdoors discovered recently, with the ability to upload shell +50 exploit and get +3000 shell in 2 minutes.

10- RVuln

RVuln is a multithreaded vulnerability scanner written in Rust that scans for XSS vulnerabilities. It is compatible with Ubuntu/Debian based OS, Arch Linux based OS, and Windows 10.

11- wsltools - Web Scan Lazy Tools

wsltools is an elegant and simple Web Scan auxiliary library for Python.

wsltools: Web Scan Lazy Tools — wsltools documentation

12- OWASP ASST

(Automated Software Security Toolkit)

ASST (Automated Software Security Toolkit) is an open-source, CLI application developed with JavaScript (Node.js framework) for scanning source code.

Currently, it focuses on PHP and MySQL languages, but its core functionalities are designed for contributions from programmers to add plugins or extensions for other languages and their frameworks. ASST is unique in that it scans PHP language according to OWASP Top 10 Web Application Security Risks.

13- Phaser

Phaser is an exceptional, high-performance attack surface mapper and vulnerability scanner. Give it a target, and it will confidently generate a comprehensive report with every detail it discovers, effectively saving you countless hours of manual audit and eliminating the need to juggle multiple tools.

14- TechViper

TechViper is a web security scanner that identifies vulnerabilities in web applications. It provides detailed security assessments and helps improve the security of web applications by detecting issues such as Remote Code Execution, Reflected XSS, Template Injection, and SQL Injection.

Supported systems

Kali Linux
Android
Windows

15- Himawari

Himawari is an open-source free Web Vulnerability Scanner written in Golang.

16- VulnScanX

VulnScanX v2.0 is a command-line application that helps identify vulnerabilities in web applications, focusing on Cross-Site Scripting (XSS), SQL Injection (SQLi), and Remote Code Execution (RCE). Key features include testing for various types of vulnerabilities, multithreading support, automated link crawling and testing, logging of results, an improved user interface, and enhanced payload file import.

Features

Reflected XSS Testing
DOM-based XSS Testing
SQL Injection Testing
Remote Code Execution Testing
Server-Side Template Injection Testing
Open Redirection Testing
Multithreading Support
Automated Link Crawling and Testing
Results Logging
Improved User Interface
Efficient Payload File Import

17- Enlightn Security Checker

A PHP dependency vulnerabilities scanner based on the Security Advisories Database.

18- Tools for Finding Bugs and Vulnerabilities

This repo includes a dozen of a free and open-source tools to search and discover web app bugs and vulnerabilities.

19- RapidScan

RapidScan is a multi-tool web vulnerability scanner that executes various security scanning tools, checks for vulnerabilities, and provides spontaneous results. It is light-weight, time-efficient, and helps to identify false positives. It offers vulnerability definitions and remediation advice. Features under development include association with OWASP Top 10 & CWE 25, artificial intelligence for tool deployment, detailed reports in PDF format, and on-the-run Metasploit auxiliary modules.

Features

one-step installation.
executes a multitude of security scanning tools, does other custom coded checks and prints the results spontaneously.
some of the tools include nmap, dnsrecon, wafw00f, uniscan, sslyze, fierce, lbd, theharvester, amass, nikto etc executes under one entity.
saves a lot of time, indeed a lot time!.
checks for same vulnerabilities with multiple tools to help you zero-in on false positives effectively.
extremely light-weight and not process intensive.
legends to help you understand which tests may take longer time, so you can Ctrl+C to skip if needed.
association with OWASP Top 10 & CWE 25 on the list of vulnerabilities discovered. (under development)
critical, high, medium, low and informational classification of vulnerabilities.
vulnerability definitions guides you what the vulnerability actually is and the threat it can pose.
remediation tells you how to plug/fix the found vulnerability.
executive summary gives you an overall context of the scan performed with critical, high, low and informational issues discovered.
artificial intelligence to deploy tools automatically depending upon the issues found. for eg; automates the launch of wpscan and plecost tools when a wordpress installation is found. (under development)
detailed comprehensive report in a portable document format (*.pdf) with complete details of the scans and tools used. (under development)
on the run metasploit auxilliary modules to discover more vulnerabilities. (under development)

20- afrog

afrog is a high-performance security tool for bug bounty, pentesting, and red teaming. It features a fast, stable vulnerability scanner with low false positives, customizable PoCs, and detailed HTML vulnerability reports. afrog supports user-defined PoC and has several built-in types. It is open-source and has an active community exchange group.

21- Threat-Patrol

Threat-Patrol is a Python script that scans websites for potential vulnerabilities including SQL injection, XSS, CSRF, SSRF, LFI and RCE. It is user-friendly, provides instant results, automatically scans for vulnerabilities, and offers a simple command line interface.

22- w4af

w4af is an open-source web application security scanner, originally based on w3af, that helps identify and exploit vulnerabilities in web applications. It is currently in an early alpha development phase and user experience and bug reports are welcomed, but no warranties are made about the software as it is still a work in progress.

23- Damn Web Scanner

The Damn Web Scanner is a web vulnerabilities scanner extension for Chrome and Opera. It scans for SQL Injection, Cross Site Scripting, Local File Inclusion, and Remote Commands Execution. It can detect server status, list vulnerabilities, reuse cookies and user-agents for cookie-authenticated pages, export vulnerabilities into a CSV file, and launch scans when a form is submitted or a page is opened via the URL bar.

Currently it scans for:

SQL Injection : Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
Cross Site Scripting : Using a browser simulator (Ghost)
Local File Inclusion
Remote Commands Execution using polyglot vectors based on time

All the features are:

Detect if the server is up with a "/ping" request
New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
Basic page to list the vulnerabilities URL and TYPE
Re-use your cookies and user-agent to get access to page with cookie-authentication
Export vulnerabilities into a CSV file
Launch scan when a form is submitted or a page is opened via the URL bar

24- Nuclei

Nuclei is a fast, customizable vulnerability scanner that sends requests across targets based on a template. It provides zero false positives and can scan a large number of hosts. Nuclei supports various protocols and can model all kinds of security checks thanks to its powerful and flexible templating.

25- Raccoon

Raccoon is a high-performance offensive security tool for reconnaissance and vulnerability scanning. It provides DNS details, WHOIS information, TLS data, port scanning, services and scripts scanning, URL fuzzing, subdomain enumeration, web application data retrieval, WAF detection, and supports anonymous routing. It uses asyncio for improved performance and saves output to files.

Features

DNS details
DNS visual mapping using DNS dumpster
WHOIS information
TLS Data - supported ciphers, TLS versions, certificate details and SANs
Port Scan
Services and scripts scan
URL fuzzing and dir/file detection
Subdomain enumeration - uses Google dorking, DNS dumpster queries, SAN discovery and bruteforce
Web application data retrieval:
- CMS detection
- Web server info and X-Powered-By
- robots.txt and sitemap extraction
- Cookie inspection
- Extracts all fuzzable URLs
- Discovers HTML forms
- Retrieves all Email addresses
- Scans target for vulnerable S3 buckets and enumerates them for sensitive files
Detects known WAFs
Supports anonymous routing through Tor/Proxies
Uses asyncio for improved performance
Saves output to files - separates targets by folders and modules by files

26- Fuxploider

Fuxploider is an unrivaled, open-source penetration testing tool that masterfully automates the process of detecting and exploiting file upload form flaws. With a unique ability to discern the file types allowed for upload, it adeptly determines the most effective technique to upload web shells or any malicious file onto the targeted web server.

27- OWASP Nettacker

The OWASP Nettacker project is a free open-source tool designed to automate information gathering, vulnerability scanning, and report generation for networks. This includes identifying services, bugs, vulnerabilities, misconfigurations, and other relevant information. This software will use TCP SYN, ACK, ICMP, and many other protocols to detect and bypass Firewall/IDS/IPS devices. Utilizing a unique method in OWASP Nettacker, it can discover protected services and devices such as SCADA, giving it a competitive edge over other scanners and making it one of the best.

OWASP IoT Scanner

Python Multi Thread & Multi Process Network Information Gathering Vulnerability Scanner
Service and Device Detection ( SCADA, Restricted Areas, Routers, HTTP Servers, Logins and Authentications, None-Indexed HTTP, Paradox System, Cameras, Firewalls, UTM, WebMails, VPN, RDP, SSH, FTP, TELNET Services, Proxy Servers and Many Devices like Juniper, Cisco, Switches and many more… )
Asset Discovery & Network Service Analysis
Services Brute Force Testing
Services Vulnerability Testing
HTTP/HTTPS Crawling, Fuzzing, Information Gathering and …
HTML, JSON, CSV and Text Outputs
API & WebUI
This project is at the moment in research and development phase
Thanks to Google Summer of Code Initiative and all the students who contributed to this project during their summer breaks:

28- EMBA

EMBA is a firmware analysis tool designed for penetration testers and product security teams. It supports the entire security analysis process, from firmware extraction to static and dynamic analysis, and generates a web report. EMBA identifies potential vulnerabilities in firmware, such as insecure binaries, outdated software components, vulnerable scripts, or hard-coded passwords. It provides comprehensive information about the firmware, allowing testers to decide on focus areas and interpret the results.

29- CRLFuzz

CRLFuzz is a free, open-source tool written in Go, designed for fast scanning of CRLF vulnerabilities.

30- Jackhammer

Jackhammer is a collaboration tool designed to bridge the gap between security, development, and QA teams. It performs static and dynamic code analysis, identifies security vulnerabilities, and helps manage these vulnerabilities in an era of continuous integration and deployment.

It operates on Role Based Access Control (RBAC) and features dashboards for individual and team scans. Jackhammer is built on a pluggable architecture, allowing integration with any open source or commercial tool, and uses the OWASP pipeline project to run multiple tools against your code, web app, mobile app, CMS, or network.

Key Features:

Provides unified interface to collaborate on findings
Scanning (code) can be done for all code management repositories
Scheduling of scans based on intervals # daily, weekly, monthly
Advanced false positive filtering
Publish vulnerabilities to bug tracking systems
Keep a tab on statistics and vulnerability trends in your applications
Integrates with majority of open source and commercial scanning tools
Users and Roles management giving greater control
Configurable severity levels on list of findings across the applications
Built-in vulnerability status progression
Easy to use filters to review targeted sets from tons of vulnerabilities
Asynchronous scanning (via sidekiq) that scale
Seamless Vulnerability Management
Track statistics and graph security trends in your applications
Easily integrates with a variety of open source, commercial and custom scanning tools

31- Mageni

Mageni is a cross-platform, open-source vulnerability management platform that offers a range of features including assets, services, ports, applications, rogue device, and shadow IT discovery. It also provides vulnerability scanning, assessment, reporting, remediation, prioritization, and validation, as well as security audits, IoT, OT, and SCADA security testing, and hardening testing. It aids in addressing vulnerabilities for compliance with various standards like PCI DSS, NIST, HIPAA, ISO, NERC, FISMA, and NIS.

32- FazScan

FazScan is a Perl program designed for vulnerability scanning and pentesting, offering 18 options. These include various vulnerability scanners for SQL injection and common web vulnerabilities, automated CMS detectors and vulnerability scanners for multiple CMS platforms, an information gathering kit, a CloudFlare WAF protection bypasser, a dork scanner, an automated open port scanner, a denial of service attack feature, and an admin page detector.

33- Trivy

Trivy is a versatile security scanner that can scan a variety of targets, including container images, filesystems, git repositories, virtual machine images, Kubernetes, and AWS. It can detect issues such as OS packages and software dependencies in use, known vulnerabilities, IaC issues and misconfigurations, sensitive information and secrets, and software licenses. Trivy supports most popular programming languages, operating systems, and platforms.

34- Scanners Box

Scanners Box, also known as scanbox, stands as a formidable hacker toolkit, aggregating open source scanners from Github across more than 10 categories. This includes scanners for subdomains, databases, middleware and more, all with a modular design. However, it's worth noting that other renowned scanning tools like nmap, w3af, brakeman, arachni, nikto, metasploit, aircrack-ng are not included in our collection.

35- MagicRecon

MagicRecon is a shell script designed to streamline the process of data collection and vulnerability detection. It organizes results in various formats and directories, and its features include subdomain enumeration, live domain checking, whois and DNS information retrieval, technology extraction, certificate information, screenshot taking, email and user searching, public resource enumeration in AWS, Azure, and Google Cloud, GitHub Dorks information searching, robots.txt file entry checking, endpoint retrieving, parameter and port scanning, dirsearch, 403 HTTP status code bypass checking, massive recon and vulnerability scanning via Nuclei, and missing security header searching.

36- OSV-Scanner

OSV-Scanner is a tool that identifies vulnerabilities in a project's dependencies by connecting to the open-source OSV database. It offers advantages over closed-source databases and scanners, including advisories from open and authoritative sources, the ability for anyone to suggest improvements, and a machine-readable format that precisely maps onto a developer's list of packages.

37- Wapiti - Web Vulnerability Scanner

Wapiti is a Python-based web vulnerability scanner that supports various protocols and features. It operates as a "black-box" scanner, functioning like a fuzzer rather than studying source code. It scans web application pages, extracts links and forms, sends payloads, and looks for error messages or abnormal behaviors.

38- Collector

Collector is an intelligent automated tool that uses the Wayback Machine to find every vulnerable parameter. Its main features include finding XSS vulnerable parameters, crawling entire websites to collect every URL, advanced error handling, and collecting GET parameters.

39- Subdover

Subdover is a Python3-based, multithreaded subdomain takeover vulnerability scanner with over 88 fingerprints of potentially vulnerable services. It uses a CNAME record for verification and includes built-in subdomain enumeration and HTTP probing. Features include scanning from a subdomain list, testing single targets, customizable thread numbers, result saving in TXT format, clean output, OS independence, and an auto command line updater.

40- Tsunami

Tsunami is a versatile network security scanner that uses an extensible plugin system to detect high-risk vulnerabilities with high confidence. All publicly available Tsunami plugins are hosted in a separate repository.

41- Th3_Monster Tool 2.5

Th3_Monster Tool 2.5 ☣ is an open-source website vulnerability scanner and automatic exploitation bot ☣ .

Vulnerability Scanners for Web Apps

Vulnerability Scanners for HIPAA and GDPR Compliance

For Enterprise

1- vMass Bot

2- Vuls: VULnerability Scanner

3- VulnX

Features

4- XAttacker

Supported CMS solutions

Supported systems

5- Commix

6- KILLSHOT

7- PatrOwl

8- XAttacker Tool

9- Fox Ex v2

10- RVuln

11- wsltools - Web Scan Lazy Tools

12- OWASP ASST

(Automated Software Security Toolkit)

13- Phaser

14- TechViper

Supported systems

15- Himawari

16- VulnScanX

Features

17- Enlightn Security Checker

18- Tools for Finding Bugs and Vulnerabilities

19- RapidScan

Features

20- afrog

21- Threat-Patrol

22- w4af

23- Damn Web Scanner

24- Nuclei

25- Raccoon

Features

26- Fuxploider

27- OWASP Nettacker

28- EMBA

29- CRLFuzz

30- Jackhammer

Key Features:

31- Mageni

32- FazScan

33- Trivy

34- Scanners Box

35- MagicRecon

36- OSV-Scanner

37- Wapiti - Web Vulnerability Scanner

38- Collector

39- Subdover

40- Tsunami

41- Th3_Monster Tool 2.5

Read More Articles in Cybersecurity

Doctor Dok: A Promising Open-Source (MIT) Solution for Centralized Personal Medical Records (PHR)

Why You Should Scan Your Android for Malware Apps

The Ghimob Malware Nightmare for Android Users: Will It Return? How to Safeguard Against Similar Threats

PiVPN - Turn Raspberry Pi into a Fully Functional VPN Server for More Privacy

14 Free Open-source IP-Camera RTSP Viewer and Player for Windows Systems

ThePwnPal - Turn Raspberry Pi into a Portable Pentesting and Hacking Suite

Articles

Systems

Development

Apps

Science - Healthcare

Open-source Apps

Medical Apps

Lists

Dev. Resources