Acunetix Web Vulnerability Scanner
Acunetix WVS automatically checks your web applications for vulnerabilities such as SQL Injection, cross site scripting, and weak password strength on authentication pages. Acunetix WVS boasts a comfortable GUI and an ability to create professional website security audit reports.
http://www.acunetix.com/
|
|
ISS Internet Scanner
Internet Scanner started off in '92 as a tiny open source scanner by Christopher Klaus. Now he has grown ISS into a billion-dollar company with a myriad of security products.
http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_internet.php
|
|
Max Patrol
While MaxPatrols operates within Microsoft Windows for ease of use, its testing engine can test for possible vulnerabilities in any software or hardware platform: from Windows workstations to Cisco networks (*nix, Solaris, Novell, AS400, etc.) making MaxPatrol the most flexible Security Scanner Available.
http://maxpatrol.com/
|
|
N-Stealth
N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of "30,000 vulnerabilities and exploits" and "Dozens of vulnerability checks are added every day" are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components.
http://www.nstalker.com/nstealth/
|
|
Nessus
Nessus is the best free network vulnerability scanner available, and the best to run on UNIX at any price. It is constantly updated, with more than 11,000 plugins for the free (but registration and EULA-acceptance required) feed. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.
http://www.nessus.org/
|
|
Nikto
Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality.
http://www.cirt.net/code/nikto.shtml
|
|
QualysGuard
Delivered as a service over the Web, QualysGuard eliminates the burden of deploying, maintaining, and updating vulnerability management software or implementing ad-hoc security applications. Clients securely access QualysGuard through an easy-to-use Web interface. QualysGuard features 5,000+ unique vulnerability checks, an Inference-based scanning engine, and automated daily updates to the QualysGuard vulnerability KnowledgeBase.
http://www.qualys.com/
|
|
Retina
Like Nessus, Retina's function is to scan all the hosts on a network and report on any vulnerabilities found. It was written by eEye, who are well known for their security research.
http://www.eeye.com/html/Products/Retina/index.html
|
|
Sara
SARA is a vulnerability assessment tool that was derived from the infamous SATAN scanner. They try to release updates twice a month and try to leverage other software created by the open source community (such as Nmap and Samba).
http://www-arc.com/sara/
|
|
SCARE
The SCARE analysis tool is run against source code. Currently only C code is supported. The ouput file will contain all operational interactions possible which need controls (the current version does not yet say if and what controls are already there). At the bottom of the list are three numbers: Visibilities, Access, and Trusts. These 3 numbers can be plugged into the RAV Calculation spreadsheet available at isecom.org/ravs.
http://www.isecom.org/scare
|
|
SCRT Webshag
Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing.
http://www.scrt.ch/pages_en/outils.html
|
|
SSA - Security System Analyzer
SSA (Security System Analyzer) is free non-intrusive OVAL-Compatible software. It provides security testers, auditors with an advanced overview of the security policy level applied.
http://www.security-database.com/ssa.php
|
|
Watchfire Appscan
AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more.
http://www.watchfire.com/products/appscan/default.aspx
|
|
WebInspect
SPI Dynamics' WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
http://www.spidynamics.com/products/webinspect/
|
|
Whisker
Libwhisker is a Perl module geared geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto which also uses libwhisker.
http://www.wiretrip.net/rfp/
|
|
Wikto
Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.
http://www.sensepost.com/research/wikto/
|
|
X-scan
A multi-threaded, plug-in-supported vulnerability scanner. X-Scan includes many features, including full NASL support, detecting service types, remote OS type/version detection, weak user/password pairs, and more. You may be able to find newer versions available here if you can deal with most of the page being written in Chinese.
http://www.xfocus.net/tools/200507/1057.html
|
|
|
