Free Web Application Security Testing Tools

Websites and the backends they run on are now so complex that none can be deemed safe without testing its security first. Even a one-page site with a simple contact form may be hiding exploitable, unpatched vulnerabilities. Thankfully, there are numerous free web application security testing tools that let you check for at least some of the more commonplace vulnerabilities without spending a single cent. Here are some of the best:

WebSecurify

WebSecurify uses discovery and fuzzing technology to automatically identify vulnerabilities in a web application. The tool is simple and straightforward, and it can create basic reports that are exportable to various formats. WebSecurify is open source, so you can expect frequent updates.


N-Stalker

N-Stalker is paid software, but a free edition provides enough features for people who just want to check for basic security flaws. The free version can check up to 100 web pages at once and includes web server and cross-site scripting checks.

Netsparker Community Edition

The powerful Netsparker application is paid, but it also comes in a free Community Edition with enough features to suit most people's needs. It can catch SQL injection and cross-site scripting vulnerabilities, and it suggests fixes once the scan is complete.

Wapiti

Wapiti is a Python-built tool that scans the pages of any deployed web application, looking for scripts and forms where it can inject data. It can catch file handling errors; database, XSS, LDAP and CRLF injections; and command execution flaws. It is also open source, so you can expect timely updates when necessary.

Scrawlr

A joint project between the HP Web Security Research Group and the Microsoft Security Response Center, Scrawlr scans web applications for SQL injection vulnerabilities. Being backed by two big IT names, it's no pushover in terms of capability.

Exploit-Me

Exploit-Me is not a standalone application but a suite of security testing tools packaged as a Firefox add-on. The tools are lightweight, run in the background, and number three: one that tests for XSS vulnerabilities, one that tests for SQL injection vulnerabilities, and one that tests for access control vulnerabilities.
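Several of the tools above (Netsparker, Scrawlr, Exploit-Me, Wapiti) look for the same underlying defect: user input spliced into SQL text. The following is an added illustration, not code from any of those projects, showing the vulnerable pattern beside its parameterized fix against a constructed in-memory SQLite table; the table, usernames and inputs are all made up for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample table (not data from any real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: the caller's input is spliced into the SQL text, so
    quotes and operators inside it become part of the query's grammar."""
    query = (
        "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Hardened form: the input is bound as a parameter and is only ever
    treated as a value, never as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? ORDER BY id", (username,)
    )
    return [row[0] for row in rows]


def compare(conn, username):
    """Return (vulnerable_result, parameterized_result) for the same input.
    Scanners rely on this contrast: when an input containing SQL metacharacters
    changes the result set, the query is being built unsafely."""
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


# Constructed inputs: an ordinary username and the textbook tautology string.
NORMAL_INPUT = "alice"
TAUTOLOGY_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(compare(db, NORMAL_INPUT))     # (['alice'], ['alice'])
    print(compare(db, TAUTOLOGY_INPUT))  # (['alice', 'bob', 'carol'], [])
```

The parameterized version returns no rows for the tautology input because no user is literally named `' OR '1'='1`; the concatenated version returns every row because the input rewrote the WHERE clause. That difference in behaviour, observed from the outside, is what an injection check in a scanner is measuring.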

Skipfish

Skipfish is a fully automated web application security reconnaissance tool. It is lightweight and fast enough to perform 2000 requests per second. It also has automatic learning capabilities, on-the-fly wordlist creation and form autocompletion, and a low-false-positive differential security check capable of spotting a range of subtle flaws, such as blind injection vectors.

WebScarab

WebScarab is a proxy that analyzes and manipulates HTTP traffic. Its main security value lies in features such as the "parameter fuzzer," which tests for XSS and SQL injection vulnerabilities, and the "CRLF injection" check, which tests for HTTP response splitting.
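To make the CRLF injection check concrete: HTTP response splitting happens when a value the application copies into a header (typically a redirect target) contains a carriage return and line feed, so the client reads the rest of the value as further headers. The following added example, which is not WebScarab's code, builds a raw redirect response the unsafe way and the hardened way, parses the result the way a client would, and shows that the hardened builder refuses the value. The response text, the redirect targets and the `injected=1` cookie name are all constructed for the example.

```python
class HeaderInjectionError(ValueError):
    """Raised when a header value contains characters that would split the response."""


def build_redirect_unsafe(location):
    """Vulnerable form: the Location value is copied verbatim into the raw
    response, so a CR LF pair inside it terminates the header early and
    whatever follows is read as additional header lines."""
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def validate_header_value(value):
    """Hardened form: refuse CR, LF and NUL before the value reaches a header line."""
    if any(ch in value for ch in ("\r", "\n", "\x00")):
        raise HeaderInjectionError("control characters are not allowed in a header value")
    return value


def build_redirect_safe(location):
    return (
        "HTTP/1.1 302 Found\r\nLocation: " + validate_header_value(location) + "\r\n\r\n"
    )


def parse_response(raw):
    """Minimal HTTP/1.1 response parser: status line, then header lines up to
    the first blank line, then the body. Enough to see what a client would read."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def headers_sent(builder, location):
    """Header dictionary a client would see for the response `builder` produces."""
    _, headers, _ = parse_response(builder(location))
    return headers


def safe_builder_rejects(location):
    """True if the hardened builder refuses the value instead of emitting it."""
    try:
        build_redirect_safe(location)
    except HeaderInjectionError:
        return True
    return False


# Constructed inputs: an ordinary redirect target and one carrying a CR LF sequence.
NORMAL_TARGET = "/home"
SPLIT_TARGET = "/home\r\nSet-Cookie: injected=1"

if __name__ == "__main__":
    print(headers_sent(build_redirect_unsafe, SPLIT_TARGET))
    # {'Location': '/home', 'Set-Cookie': 'injected=1'}
    print(safe_builder_rejects(SPLIT_TARGET))  # True
```

A proxy check like WebScarab's is probing for exactly the unsafe behaviour: a response whose header set contains a line the application never meant to send. Most current web frameworks already reject CR and LF in header values the way `validate_header_value` does, which is why this class of finding is now rare on up-to-date stacks and worth confirming on old or hand-rolled ones.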

There are many more free web application security testing tools out there, but remember that the web security industry works on the same principle as any other: you get what you pay for. So while these free tools may be fine at first, if you're serious about web security and running a business online, you should invest in some of the tools' paid versions to get better features and tighter security. It also doesn't hurt to do your homework and keep yourself up to date on potential security risks.
