Web Testing

Exploit vulnerabilities on Web Applications.

35 listed tools. Last update on 2025-06-12.

Cyber Kill Chain

Recon: Information gathering stage, where attackers gather as much information as possible about the target.

Weaponization: Crafting of tools or payloads to exploit vulnerabilities.

Delivery: The transmission of the weaponized payload to the target.

Exploitation: Exploiting a vulnerability to gain access to the target system.

Installation: Establishing a foothold on the target system.

Command & Control (C2): Setting up channels for communication with the compromised system.

Actions on Objectives: Achieving the intended goal of the attack, such as data exfiltration or system disruption.

Tool | License | Description
ActiveScan++ (Burp Addon) | Open-source | Active & passive scanning extending Burp's basic capabilities
Autorepeater Burp (Burp Addon) | Open-source | Automated HTTP request repeating
Autorize (Burp Addon) | Open-source | Detect authorization vulnerabilities
Browser Exploitation Framework (BeEF) | Open-source | Command and control server for delivering browser exploits
Burp Suite | Commercial | An integrated platform for web-application pentesting (free edition available)
BurpSentinel (Burp Addon) | Open-source | Web application security hole discovery
Co2 (Burp Addon) | Open-source | SQL mapper, scanner, SAML encoder, JWT decoder, hasher
Commix | Open-source | Command injection & exploitation tool
DirBuster | Open-source | Brute-forces directories and files on web application servers to find hidden content
fimap | Open-source | Python tool to find, prepare, audit, & exploit LFI/RFI bugs
Flow (Burp Addon) | Open-source | Logging and history for Burp tools, for troubleshooting
Headless Burp (Burp Addon) | Open-source | Run Burp Suite's Spider and Scanner tools via the command line
Kadimus | Open-source | LFI scan and exploit tool
Lazys3 | Open-source | Ruby script to brute-force AWS S3 bucket names
LFI Suite | Open-source | LFI exploiter and scanner
liffy | Open-source | LFI exploitation tool
Logger++ (Burp Addon) | Open-source | A multi-threaded logging extension with filtering
Nikto | Open-source | Web server vulnerability scanner that performs comprehensive tests to identify dangerous files, outdated server software, and misconfigurations
NoSQLMap | Open-source | Audit for and automate NoSQL injection attacks, exploit configuration weaknesses, and clone data
OWASP Zed Attack Proxy (ZAP) | Open-source | Scriptable HTTP intercepting proxy and fuzzer for web applications
ParamMiner (Burp Addon) | Open-source | Discover hidden web application parameters
Payloads All The Things | Open-source | Payloads and bypasses for web application security
Retire.js (Burp Addon) | Open-source | Scan for outdated JavaScript libraries
Security Headers | Free | Free tool for analyzing HTTP response headers to assess web application security posture and recommend improvements
SQLMap | Open-source | SQL injection detection, exploitation, and takeover tool
SQLNinja | Open-source | An SQL Server injection and takeover tool
sslstrip2 | Open-source | SSL stripping tool
SSRFTest | Open-source | Server-Side Request Forgery testing tool
Subjack | Open-source | Subdomain identification and takeover tool written in Go
tplmap | Open-source | Server-side template injection detection and takeover tool
TurboIntruder (Burp Addon) | Open-source | Fast, scalable HTTP request sending driven by Python scripts
weevely3 | Open-source | Weaponized web shell for post-exploitation
WPSploit | Open-source | Exploit WordPress websites with Metasploit
WSDL Wizard (Burp Addon) | Open-source | Scan target servers for WSDL files
YsoSerial | Open-source | Payload generation tool to exploit unsafe Java deserialization