For un scanner de sécurité automatisé pour applications web, the strongest matches are arachni/arachni (Arachni is a full-featured web application vulnerability scanner that), projectdiscovery/nuclei (Nuclei is a modular, template-driven vulnerability scanning framework that) and chaitin/xray (Xray is a dedicated web vulnerability scanner that performs). owasp/nettacker and zaproxy/zaproxy round out the shortlist. Each is ranked by relevance to your query, popularity and recent activity.
Outils open source identifiant automatiquement les failles de sécurité et vulnérabilités courantes dans le code des applications web.
Arachni is a dynamic application security testing vulnerability scanner and web application security tool. It functions as a distributed web audit framework that performs active and passive audits to identify security flaws such as SQL injection and cross-site scripting. The project features a JavaScript-aware web crawler that executes scripts and monitors DOM changes to analyze modern dynamic web applications. It utilizes server platform fingerprinting to target compatible security payloads and provides a grid-based system to distribute scanning workloads across multiple nodes. The tool cov
Arachni is a full-featured web application vulnerability scanner that performs automated crawling and active/passive audits for OWASP Top 10 flaws like SQL injection and XSS, and supports report generation, plugin-based extensibility, distributed scanning, and session handling — fitting all the key requirements for a security testing tool.
Nuclei is a modular security scanning framework designed for automated vulnerability detection and infrastructure reconnaissance. It functions as a template-driven engine that executes security checks across diverse network protocols, allowing users to define custom detection logic to identify vulnerabilities, misconfigurations, and exposed assets. The platform distinguishes itself through its highly extensible architecture, which supports distributed scanning, headless browser automation for dynamic web content, and out-of-band interaction monitoring to detect blind vulnerabilities. It integ
Nuclei is a modular, template-driven vulnerability scanning framework that excels at automated web application security testing, covering OWASP Top 10 detection, CI/CD integration, and extensible custom templates—making it a flagship tool for the category despite lacking a traditional proxy/intercept mode.
Xray is a security assessment tool focused on web vulnerability scanning, attack surface mapping, and technology fingerprinting. It identifies common security flaws through automated scanning and semantic analysis, while verifying findings via a custom proof-of-concept execution engine. The system distinguishes itself with a containerized vulnerability testbed used to deploy pre-configured vulnerable applications. This environment allows for the simulation of specific vulnerabilities and edge-case scenarios to validate scanner accuracy and eliminate false positives. The platform covers a bro
Xray is a dedicated web vulnerability scanner that performs automated crawling, attack surface mapping, and PoC-based verification, covering the core scanning needs and including proxy interception and plugin extensibility, making it a strong fit for this search.
Nettacker is an automated penetration testing framework designed to orchestrate reconnaissance, port scanning, and vulnerability detection. It functions as a network reconnaissance tool and vulnerability scanner that identifies open ports, fingerprints services, and checks systems against databases of known security flaws. The framework distinguishes itself by combining a web application crawler for discovering hidden paths via fuzzing with a vulnerability management system that persists scan results in a database to track historical assessments. It also includes specialized capabilities for
Nettacker is an OWASP-led automated penetration testing framework that includes a web application crawler, OWASP-relevant vulnerability detection, and features like CI/CD integration, proxy routing, and report generation—directly matching this search for a web app vulnerability scanner.
OWASP ZAP is a dynamic application security testing tool and intercepting HTTP proxy used to find vulnerabilities in web applications. It functions as a penetration testing framework that enables both automated security scanning and manual security testing of running web services. The tool provides a suite of capabilities for analyzing web applications from the outside in, including the ability to capture and modify traffic between a browser and a target application. It is designed to integrate into DevSecOps pipelines to provide consistent security checks across different environments.
OWASP ZAP is a full-featured open-source web vulnerability scanner and intercepting proxy that directly meets your needs with automated crawling, OWASP Top 10 detection, report generation, CI/CD integration, plugin extensibility, and authentication handling—exactly the kind of tool you're looking for.
This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuris
sqlmap is a focused tool for automatically detecting and exploiting SQL injection vulnerabilities in web applications, matching your need for an open-source vulnerability scanner, though its scope is limited to database-layer flaws rather than the full range of web vulnerabilities.
Nikto is an open-source HTTP security auditing tool and web server vulnerability scanner. It functions as a reconnaissance engine designed to identify insecure server options, outdated software, and common vulnerabilities by analyzing HTTP responses. The project differentiates itself through capabilities for intrusion detection evasion and web server fingerprinting. It uses request-level encoding and timing spacers to bypass security filters and employs signature-based identification to determine specific server software versions and misconfigurations. The scanner covers broad capability are
Nikto is a well-established open-source web server vulnerability scanner that performs automated crawling and identifies common security issues through HTTP response analysis, directly fitting the search for a web application vulnerability scanner.
WPScan is a security analysis utility and vulnerability scanner designed specifically for auditing WordPress installations and other content management systems. It functions as a web application security tool that identifies misconfigurations, outdated software, and security holes in core installations, plugins, and themes. The tool employs black-box scanning techniques to perform site component enumeration, identifying users, themes, and plugins by matching known file paths and response signatures. It matches these detected components against a database of known security flaws to analyze the
WPScan is a purpose-built vulnerability scanner for WordPress and other CMS platforms, making it the right kind of tool for automated web application security testing, though its focus on one CMS narrows its general applicability.
Ghauri is an automated SQL injection scanner and exploitation tool designed to detect and extract data from vulnerable databases. It functions as a database exfiltration framework that identifies security flaws and retrieves system banners, hostnames, and database schemas. The tool identifies boolean, error, time-based, and stacked query vulnerabilities across multiple input vectors, including HTTP headers, cookies, JSON, SOAP, and XML. It provides capabilities for automated database exfiltration and the processing of bulk target lists to identify flaws across multiple environments. The syst
r0oth3x49/ghauri is a specialized tool for detecting and exploiting SQL injection flaws, which is a core vulnerability scanning function, but it focuses solely on injection attacks rather than covering the full OWASP Top 10 or providing automated crawling, report generation, or CI/CD integration—so it fits the category in a narrower scope.
This project is an automated security scanner designed to identify vulnerabilities within web caching layers. It functions as an HTTP protocol security tool that probes web infrastructure by manipulating request headers, parameters, and cookies to observe how servers handle and store content. The scanner distinguishes itself through specialized cache behavior analysis, which targets specific flaws such as cache poisoning and cache deception. It incorporates a recursive crawler to map web application endpoints and utilizes configurable proxy routing to facilitate traffic inspection and debuggi
This is a focused web cache vulnerability scanner, so it fits the web application vulnerability scanner category but only covers a single vulnerability type rather than the broader OWASP Top 10 detection you likely need.
| Dépôt | Stars | Langage | Licence | Dernier push |
|---|---|---|---|---|
| arachni/arachni | 4K | Ruby | other | |
| projectdiscovery/nuclei | 29.2K | Go | MIT | |
| chaitin/xray | 11.6K | Vue | NOASSERTION | |
| owasp/nettacker | 5.3K | Python | Apache-2.0 | |
| zaproxy/zaproxy | 15.3K | Java | Apache-2.0 | |
| sqlmapproject/sqlmap | 37.7K | Python | NOASSERTION | |
| sullo/nikto | 10.1K | Perl | other | |
| wpscanteam/wpscan | 9.6K | Ruby | NOASSERTION | |
| r0oth3x49/ghauri | 4K | Python | MIT | |
| hackmanit/web-cache-vulnerability-scanner | 1.2K | Go | Apache-2.0 |