
Top 10 Web Application Penetration Testing Tools (actually 11)

Well, this is not quite a default top-ten list (ranked by which one is smarter/faster/better) but just a simple list of applications you can use in a pentest. Free and open source apps come first.
1. Arachni
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate
the security of web applications.
Arachni is smart, it trains itself by learning from the HTTP responses it receives during the audit process.
Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through the paths of a web application's cyclomatic complexity.
This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.
Finally, Arachni yields great performance due to its asynchronous HTTP model (courtesy of Typhoeus).
Thus, you'll only be limited by the responsiveness of the server under audit and your available bandwidth.
Note: Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc. with the addition of custom modules.
Sounds cool, right?
Features:
Helper audit methods:
For forms, links and cookies auditing.
A wide range of injection strings/input combinations.
Writing RFI, SQL injection, XSS etc modules is a matter of minutes if not seconds.
Currently available modules:
Audit:
SQL injection
Blind SQL injection using rDiff analysis
Blind SQL injection using timing attacks
CSRF detection
Code injection (PHP, Ruby, Python, JSP, ASP.NET)
Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
LDAP injection
Path traversal
Response splitting
OS command injection (*nix, Windows)
Blind OS command injection using timing attacks (*nix, Windows)
Remote file inclusion
Unvalidated redirects
XPath injection
Path XSS
URI XSS
XSS
XSS in event attributes of HTML elements
XSS in HTML tags
XSS in HTML script tags
Recon:
Allowed HTTP methods
Back-up files
Common directories
Common files
HTTP PUT
Insufficient Transport Layer Protection for password forms
WebDAV detection
HTTP TRACE detection
Credit Card number disclosure
CVS/SVN user disclosure
Private IP address disclosure
Common backdoors
.htaccess LIMIT misconfiguration
Interesting responses
HTML object grepper
E-mail address disclosure
US Social Security Number disclosure
Forceful directory listing
Download Here | Website here
Free, powerful and monthly updated!
2. OWASP Zed Attack Proxy Project
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who
are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Some of ZAP's features:
Intercepting Proxy
Automated scanner
Passive scanner
Brute Force scanner
Spider
Fuzzer
Port scanner
Dynamic SSL certificates
API
Beanshell integration
Some of ZAP's characteristics:
Easy to install (just requires Java 1.6)
Ease of use a priority
Comprehensive help pages
Fully internationalized
Under active development
Open source
Free (no paid-for Pro version)
Cross platform
Involvement actively encouraged
Download Here | Website here
3. w3af
w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. To read our short and long term objectives, please click over the Project Objectives item in the main menu. This project is currently hosted at SourceForge; for further information, you may also want to visit the w3af SourceForge project page.
The guys from BackTrack (well, it has connections with Metasploit) included this awesome tool in their latest release.
This is only a small list of plugins that are available in w3af, you should really check out this tool.
Audit:
xsrf
htaccessMethods
sqli
sslCertificate
fileUpload
mxInjection
generic
localFileInclude
unSSL
xpath
osCommanding
remoteFileInclude
dav
ssi
eval
buffOverflow
xss
xst
blindSqli
formatString
preg_replace
globalRedirect
LDAPi
phishingVector
responseSplitting
Download here | Project here
4. Vega
Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site
Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux,
OS X, and Windows.
Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a
powerful API in the language of the web: Javascript.
Vega was developed by Subgraph in Montreal.
Modules
Cross Site Scripting (XSS)
SQL Injection
Directory Traversal
URL Injection
Error Detection
File Uploads
Sensitive Data Discovery
Core:
Automated Crawler and Vulnerability Scanner
Consistent UI
Website Crawler
Intercepting Proxy
SSL MITM
Content Analysis
Extensibility through a Powerful Javascript Module API
Customizable alerts
Database and Shared Data Model
Download here | Website here
5. Acunetix
You've heard about this program many times. Is it good? Well, you can download the free edition and test it.
Acunetix WVS automatically checks your web applications for SQL Injection, XSS & other web vulnerabilities.
HTTP Editor: Construct HTTP/HTTPS requests and analyze the web server response.
HTTP Sniffer: Intercept, log and modify all HTTP/HTTPS traffic and reveal all data sent by a web application.
HTTP Fuzzer: Perform sophisticated fuzzing tests to test web applications' input validation and handling of unexpected and invalid random data. Test thousands of input parameters with the easy to use rule builder of the HTTP Fuzzer. Tests that would have taken days to perform manually can now be done in minutes.
Script your own custom web vulnerability attacks with the WVS Scripting tool. Scripting SDK documentation is available from the Acunetix website.
Blind SQL Injector: An automated database data extraction tool that is ideal for penetration testers who wish to make further tests manually.
Download here | Website here
This tool has a free version (the above link) but also an advanced (paid) version.
6. Skipfish
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a
recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully
non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application
security assessments.
High risk flaws (potentially leading to system compromise):
Server-side SQL / PHP injection (including blind vectors, numerical parameters).
Explicit SQL-like syntax in GET or POST parameters.
Server-side shell command injection (including blind vectors).
Server-side XML / XPath injection (including blind vectors).
Format string vulnerabilities.
Integer overflow vulnerabilities.
Locations accepting HTTP PUT.
Medium risk flaws (potentially leading to data compromise):
Stored and reflected XSS vectors in document body (minimal JS XSS support present).
Stored and reflected XSS vectors via HTTP redirects.
Stored and reflected XSS vectors via HTTP header splitting.
Directory traversal / file inclusion (including constrained vectors).
Assorted file POIs (server-side sources, configs, etc).
Attacker-supplied script and CSS inclusion vectors (stored and reflected).
External untrusted script and CSS inclusion vectors.
Mixed content problems on script and CSS resources (optional).
Password forms submitting from or to non-SSL pages (optional).
Incorrect or missing MIME types on renderables.
Generic MIME types on renderables.
Incorrect or missing charsets on renderables.
Conflicting MIME / charset info on renderables.
Bad caching directives on cookie setting responses.
Download here | Project here
7. Websecurify
Websecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced
browser automation, discovery and fuzzing technologies. The platform is designed to perform automated as well as manual vulnerability
tests and it is constantly improved and fine-tuned by a team of world class web application security penetration testers and the feedback
from an active open source community.
The built-in vulnerability scanner and analysis engine are capable of automatically detecting many types of web application vulnerabilities as you proceed with the penetration test. The list of automatically detected vulnerabilities includes:
SQL Injection
Local and Remote File Include
Cross-site Scripting
Cross-site Request Forgery
Information Disclosure Problems
Session Security Problems
many others including all categories in the OWASP TOP 10
Download here | Project here
8. Burp
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp Suite contains the following key components:
An intercepting proxy, which lets you inspect and modify traffic between your browser and the target application.
An application-aware spider, for crawling content and functionality.
An advanced web application scanner, for automating the detection of numerous types of vulnerability.
An intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
A repeater tool, for manipulating and resending individual requests.
A sequencer tool, for testing the randomness of session tokens.
The ability to save your work and resume working later.
Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.
Download here | Website here
Free and paid editions are available.
9. Netsparker
Netsparker will try lots of different things to confirm identified issues. If it can't confirm it and it requires manual inspection, it'll inform you about a potential issue, generally prefixed as [Possible], but if it's confirmed, that's it. It's a vulnerability. You can trust it.
Netsparker confirms vulnerabilities by exploiting them in a safe manner. If a vulnerability is successfully exploited it can't be a false positive. Exploitation is carried out in a non-destructive way.
SQL Injection
XSS (Cross-site Scripting)
XSS (Cross-site Scripting) via Remote File Injection
XSS (Cross-site Scripting) in URLs
Local File Inclusions & Arbitrary File Reading
Remote File Inclusions
Remote Code Injection / Evaluation
OS Level Command Injection
CRLF / HTTP Header Injection / Response Splitting
Find Backup Files
Crossdomain.xml Analysis
Finds and Analyses Potential Issues in robots.txt
Finds and Analyses Google Sitemap Files
Detect TRACE / TRACK Method Support
Detect ASP.NET Debugging
Detect ASP.NET Trace
Checks for CVS, GIT and SVN Information and Source Code Disclosure Issues
Finds PHPInfo() pages and PHPInfo() disclosure in other pages
Finds Apache Server-Status and Apache Server-Info pages
Find Hidden Resources
Basic Authentication over HTTP
Password Transmitted over HTTP
Password Form Served over HTTP
Source Code Disclosure
Auto Complete Enabled
ASP.NET ViewState Analysis
ViewState is not Signed
ViewState is not Encrypted
E-mail Address Disclosure
Internal IP Disclosure
Cookies are not marked as Secure
Cookies are not marked as HTTPOnly
Directory Listing
Stack Trace Disclosure
Version Disclosure
Access Denied Resources
Internal Path Disclosure
Programming Error Messages
Database Error Messages
Request a trial here | Website here
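Several of the checks in the Netsparker list above (cookies not marked as Secure or HTTPOnly) and in the Skipfish list earlier (generic or missing MIME types and charsets on renderables, bad caching directives on cookie-setting responses) are pure response-header inspections. The Python below, added here as an illustration and not code from Netsparker, Skipfish or any other tool on this page, implements those checks over two constructed sample responses, so you can see what the scanner is looking at and confirm a server-side fix yourself before re-running a scan.

```python
"""Response-header hygiene checks of the kind listed for Skipfish and
Netsparker above. Added example, not code from any tool on this page;
the two sample responses at the bottom are constructed for illustration."""
from typing import List, Tuple

# A response is modelled as (status, headers); headers is a list of
# (name, value) pairs so that repeated Set-Cookie headers survive.
Response = Tuple[int, List[Tuple[str, str]]]


def header_values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """All values of a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def check_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Netsparker: 'Cookies are not marked as Secure / HTTPOnly'."""
    findings = []
    for raw in header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names only; values (Path=/, Max-Age=...) are irrelevant here.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} not marked Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} not marked HttpOnly")
    return findings


def check_caching(headers: List[Tuple[str, str]]) -> List[str]:
    """Skipfish: 'Bad caching directives on cookie setting responses'.
    A response that sets a cookie should not be storable by a shared cache."""
    if not header_values(headers, "Set-Cookie"):
        return []
    joined = ",".join(header_values(headers, "Cache-Control")).lower()
    directives = {d.strip().split("=", 1)[0] for d in joined.split(",") if d.strip()}
    if directives & {"no-store", "private"}:
        return []
    return ["cookie-setting response lacks Cache-Control: no-store or private"]


def check_content_type(headers: List[Tuple[str, str]]) -> List[str]:
    """Skipfish: missing/generic MIME types and missing charsets on renderables."""
    values = header_values(headers, "Content-Type")
    if not values:
        return ["missing Content-Type"]
    mime, _, params = values[0].partition(";")
    mime = mime.strip().lower()
    findings = []
    if mime == "application/octet-stream":
        findings.append("generic MIME type application/octet-stream")
    if mime.startswith("text/") and "charset=" not in params.lower():
        findings.append(f"missing charset on {mime}")
    return findings


def audit(resp: Response) -> List[str]:
    """Run every check and return the combined list of findings."""
    _status, headers = resp
    return check_cookies(headers) + check_caching(headers) + check_content_type(headers)


# Constructed sample responses: a weak one and its hardened counterpart.
WEAK: Response = (200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
])
HARDENED: Response = (200, [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "no-store"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(resp) or ["no findings"])
```

Running it reports five findings for the weak response (two missing flags on `session`, one on `prefs`, a cacheable cookie-setting response, and a text/html body with no charset) and none for the hardened one. Real scanners add many more rules, but each is the same shape: parse the header, apply a policy, emit a finding.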
10. WebSurgery
WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation. Currently, it uses an efficient, fast and stable Web Crawler, File/Dir Bruteforcer and Fuzzer for advanced exploitation of known and unusual vulnerabilities such as SQL Injection, Cross-site Scripting (XSS), brute-force for login forms, identification of firewall-filtered rules etc.
Download here | Website here
11. IBM Rational AppScan
So IBM. Yep.. IBM.
Rational AppScan has 8 versions. Yes. 8. Source, Standard, Enterprise, Reporting Console, Build, Tester Express, OnDemand. Don't think that because it's the last on my list it's the worst web app scanner. (Reporting Console is just a reporting console, so that makes it only 7 versions :p )
Here is what they are saying:
IBM Rational AppScan is an industry-leading web application security testing tool that scans and tests for all common web application vulnerabilities, including those identified in the WASC threat classification such as SQL Injection, Cross-site Scripting and Buffer Overflow.
Provides broad application coverage, including Web 2.0/Ajax applications
Generates advanced remediation capabilities including a comprehensive task list to ease vulnerability remediation
Simplifies security testing for non-security professionals by building scanning intelligence directly into the application
Features over 40 out-of-the-box compliance reports including PCI Data Security Standards, ISO 17799, ISO 27001, Basel II, SB 1386 and PABP (Payment Application Best Practices)
Support for next generation Web applications including the ability to scan complex Java and Adobe Flash-based sites for both traditional Web vulnerabilities as well as technology-specific threats such as Cross-site Flashing threats
Enhanced support for Web Services with the ability to interact with Mega Script, Encoded URLs, and Web Portals utilizing widget-based pages
Simplified scan results through the new Results Expert wizard, further simplifying the process of interpreting scan results through scan-specific descriptions and straightforward explanations of each issue
Other Enhancements including IPv6 support, expanded language support, new scan templates, and performance improvements

Download a trial here (requires a site account) | Website here


Well, this is my top 11 list of web application penetration testing tools. It has 11 items but the last one is a bit expensive, so that's why ten (and SEO reasons :)) ).
If I forgot one, please do comment.
Thanks
