Awesome
open-source-web-scanners
A list of open source web security scanners on GitHub and GitLab, ordered by Stars. It does not provide in-depth analysis - for more analysis or a wider range of tools, see the links below.
Note that some large projects have multiple repos - in which case the second most relevant repo is included immediately after and is indented.
General Purpose Web Scanners
Tools which can find a range of 'unknown' vulnerabilities on any websites.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| ZAP |  |  |  |
| - ZAP Extensions |  |  |  |
| Hetty |  |  |  |
| W3af |  |  |  |
| Arachni |  |  |  |
| Astra |  |  |  |
| Wapiti |  |  |  |
| Skipfish |  |  |  |
| Sitadel |  |  |  |
| Taipan |  |  |  |
| Vega |  |  |  |
| Reaper |  |  |  |
| BrowserBruter |  |  |  |
| Tuplar |  |  |  |
| Ugly-duckling |  |  |  |
| Jawfish |  |  |  |
| Pākiki |  |  |  |
| Browserker |  |  |  |
Infrastructure Web Scanners
Tools which can find a range of 'known' vulnerabilities on any websites.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| Nuclei |  |  |  |
| - Nuclei Templates |  |  |  |
| Xray |  |  |  |
| Tsunami |  |  |  |
| Nikto |  |  |  |
| Striker |  |  |  |
| Jaeles |  |  |  |
| - Jaeles-Signatures |  |  |  |
| Yasuo |  |  |  |
| Observatory |  |  |  |
| Spaghetti |  |  |  |
Fuzzers / Brute Forcers
Tools which focus on throwing 'bad stuff' at things - the user typically has to work out if it sticks.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| dirsearch |  |  |  |
| Ffuf |  |  |  |
| gobuster |  |  |  |
| Wfuzz |  |  |  |
| feroxbuster |  |  |  |
| rustbusterv |  |  |  |
| vaf |  |  |  |
| radamsa |  |  |  |
| BrowserBruter | | | |
CMS Web Scanners
Tools which can find a range of 'known' vulnerabilities on one or more CMS websites.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| WPscan |  |  |  |
| Volnx |  |  |  |
| Droopescan |  |  |  |
| CMSScan |  |  |  |
| JoomScan |  |  |  |
| Clusterd |  |  |  |
API Web Scanners
Tools which focus on web APIs.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| Cherrybomb |  |  |  |
| Akto |  |  |  |
| Automatic API Attack Tool |  |  |  |
| VulnAPI |  |  |  |
Specialised Scanners
Tools which focus on specific types of vulnerabilities.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| Sqlmap |  |  |  |
| XSStrike |  |  |  |
| Commix |  |  |  |
| Tplmap |  |  |  |
| Dalfox |  |  |  |
| Fuxploider |  |  |  |
| Ghauri |  |  |  |
| NoSQLMap |  |  |  |
| Xsscrapy |  |  |  |
| XSpear |  |  |  |
| Gxss |  |  |  |
| Domdig |  |  |  |
| CakeFuzzer |  |  |  |
| Takeover |  |  |  |
| LFIscanner |  |  |  |
| YA-LFI |  |  |  |
| YA-CORS |  |  |  |
Links
- Free for Open Source Application Security Tools - includes commercial tools as well
- Vulnerability Scanning Tools - covers more tools, includes commercial tools as well
- Linux Security Tools - covers more tools and evaluates more criteria
- Web Hackers Weapons - covers more tools
- Arsenal of cloud native security tools
Contribute
PR's welcomed.
Template line for GitHub projects (replace USER_REPO):
| []() | [](https://github.com/USER_REPO/commits) | [](https://github.com/USER_REPO/graphs/contributors) | [](https://github.com/USER_REPO/stargazers) |
Template line for GitLab projects (replace USER_REPO):
| []() | [](https://gitlab.com/USER_REPO/-/commits/master) | [](https://gitlab.com/USER_REPO/-/graphs/master) | [](https://gitlab.com/USER_REPO/-/starrers) |