A list of open source web security scanners on GitHub and GitLab (just added), ordered by Stars. It does not provide in-depth analysis - for more analysis or a wider range of tools, see the links below.
Note that some large projects have multiple repos - in which case the second most relevant repo is included immediately after.
Tools which can find a range of 'unknown' vulnerabilities on any website.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| ZAP | | | |
| - ZAP Extensions | | | |
| W3af | | | |
| Hetty | | | |
| Arachni | | | |
| Astra | | | |
| Skipfish | | | |
| Sitadel | | | |
| Taipan | | | |
| Vega | | | |
| Wapiti | | | |
| Tuplar | | | |
| Ugly-duckling | | | |
| Jawfish | | | |
| Browserker | | | |
Tools which can find a range of 'known' vulnerabilities on any website.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| Nuclei | | | |
| - Nuclei Templates | | | |
| Tsunami | | | |
| Nikto | | | |
| Striker | | | |
| Jaeles | | | |
| - Jaeles-Signatures | | | |
| Yasuo | | | |
| Observatory | | | |
| Spaghetti | | | |
Tools which focus on throwing 'bad stuff' at things - the user typically has to work out if it sticks.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| dirsearch | | | |
| Ffuf | | | |
| gobuster | | | |
| Wfuzz | | | |
| feroxbuster | | | |
| rustbuster | | | |
| vaf | | | |
Tools which can find a range of 'known' vulnerabilities on one or more CMS websites.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| WPScan | | | |
| Vulnx | | | |
| Droopescan | | | |
| CMSScan | | | |
| JoomScan | | | |
| Clusterd | | | |
Tools which focus on web APIs.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| Automatic API Attack Tool | | | |
| Cherrybomb | | | |
Tools which focus on finding subdomains of a domain using various methods.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| github-subdomains | | | |
| Amass | | | |
Tools which focus on specific types of vulnerabilities.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| Sqlmap | | | |
| Commix | | | |
| Xsscrapy | | | |
Tools which focus on specific types of vulnerabilities.
| Main Site | Last Commit | Committers | Stars | Desc |
|---|---|---|---|---|
| qsreplace | | | | Accept URLs on stdin, replace all query string values with a user-supplied value, and output each combination of query string parameters only once per host and path. |
- Free for Open Source Application Security Tools - includes commercial tools as well
- Vulnerability Scanning Tools - covers more tools, includes commercial tools as well
- Linux Security Tools - covers more tools and evaluates more criteria
- Web Hackers Weapons - covers more tools
- Arsenal of cloud native security tools
PRs welcome.
Template line for GitHub projects (replace USER_REPO):
| []() | [![Last Commit](https://img.shields.io/github/last-commit/USER_REPO)](https://github.com/USER_REPO/commits) | [![Contributors](https://img.shields.io/github/contributors/USER_REPO)](https://github.com/USER_REPO/graphs/contributors) | [![Stars](https://img.shields.io/github/stars/USER_REPO)](https://github.com/USER_REPO/stargazers) |
Template line for GitLab projects (replace USER_REPO):
| []() | [![Last Commit](https://badgen.net/gitlab/last-commit/USER_REPO)](https://gitlab.com/USER_REPO/-/commits/master) | [![Contributors](https://badgen.net/gitlab/contributors/USER_REPO/)](https://gitlab.com/USER_REPO/-/graphs/master) | [![Stars](https://badgen.net/gitlab/stars/USER_REPO/)](https://gitlab.com/USER_REPO/-/starrers) |