Packages that primarily target web application testing.

Tool count: 305

BlackArch webapp
Name Version Description Homepage
0d1n 263.2d723ae Web security tool to make fuzzing at HTTP inputs, made in C with libCurl.
abuse-ssl-bypass-waf 7.c28f98e Bypassing WAF by abusing SSL/TLS Ciphers.
adfind 31.9808cb7 Simple admin panel finder for php,js,cgi,asp and aspx admin panels.
adminpagefinder 0.1 This python script looks for a large amount of possible administrative interfaces on a given site.
albatar 34.4e63f22 A SQLi exploitation framework in Python.
anti-xss 166.2725dc9 A XSS vulnerability scanner.
arachni A feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
arjun 214.70b5b28 HTTP parameter discovery suite.
astra 487.57c1e41 Automated Security Testing For REST API's.
atlas 7.77bd6c8 Open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS.
badministration 16.69e4ec2 A tool which interfaces with management or administration applications from an offensive standpoint.
bbqsql 261.b9859d2 SQL injection exploit tool.
bbscan 48.43c1088 A tiny Batch web vulnerability Scanner.
bing-lfi-rfi 0.1 Python script for searching Bing for sites that may have local and remote file inclusion vulnerabilities.
blisqy 20.e9995fc Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB).
brutemap 65.da4b303 Penetration testing tool that automates testing accounts to the site's login page.
brutexss 54.ba753df Cross-Site Scripting Bruteforcer.
bsqlbf 2.7 Blind SQL Injection Brute Forcer.
bsqlinjector 13.027184f Blind SQL injection exploitation tool written in ruby.
burpsuite 2023.10.2 An integrated platform for attacking web applications (community edition) + SHELLING plugin.
c5scan 30.be8845c Vulnerability scanner and information gatherer for the Concrete5 CMS.
cansina 59.67c6301 A python-based Web Content Discovery Tool.
chankro 21.7b6e844 Tool that generates a PHP capable of run a custom binary (like a meterpreter) or a bash script (p.e. reverse shell) bypassing disable_functions & open_basedir).
cjexploiter 6.72b08d8 Drag and Drop ClickJacking exploit development assistance tool.
clairvoyance 2.5.2 Obtain GraphQL API Schema even if the introspection is not enabled.
cloudget 64.cba10b1 Python script to bypass cloudflare from command line. Built upon cfscrape module.
cms-few 0.1 Joomla, Mambo, PHP-Nuke, and XOOPS CMS SQL injection vulnerability scanning tool written in Python.
cmseek 382.20f9780 CMS (Content Management Systems) Detection and Exploitation suite.
cmsfuzz 5.6be5a98 Fuzzer for wordpress, cold fusion, drupal, joomla, and phpnuke.
cmsscan 43.f060b4b CMS scanner to identify and find vulnerabilities for Wordpress, Drupal, Joomla, vBulletin.
cmsscanner CMS Scanner Framework.
comission 203.67b890e WhiteBox CMS analysis.
commentor 20.4582674 Extract all comments from the specified URL resource.
commix 2018.37022bcc Automated All-in-One OS Command Injection and Exploitation Tool.
corscanner 99.593043f Fast CORS misconfiguration vulnerabilities scanner.
corsy 69.2985ae2 CORS Misconfiguration Scanner.
crabstick 47.bb7827f Automatic remote/local file inclusion vulnerability analysis and exploit tool.
crackql 1.0.r53.gac26a44 GraphQL password brute-force and fuzzing utility
crawlic 51.739fe2b Web recon tool (find temporary files, parse robots.txt, search folders, google dorks and search domains hosted on same server).
crlfuzz 62.7a442bb A fast tool to scan CRLF vulnerability written in Go.
csrftester 1.0 The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws.
cybercrowl 111.f7cac52 A Python Web path scanner tool.
dalfox 1310.220fc64 Parameter Analysis and XSS Scanning tool.
darkdump 44.05b1522 Search The Deep Web Straight From Your Terminal.
darkjumper 5.8 This tool will try to find every website that host at the same server at your target.
darkscrape 68.2ca0e37 OSINT Tool For Scraping Dark Websites.
davscan 30.701f967 Fingerprints servers, finds exploits, scans WebDAV.
dawnscanner v2.2.0.r3.g8009cac A static analysis security scanner for ruby written web applications.
dff-scanner 1.1 Tool for finding path of predictable resource locations.
dirble 1.4.2 Fast directory scanning and scraping tool.
dirbuster-ng 9.0c34920 C CLI implementation of the Java dirbuster tool.
dirhunt 310.3306018 Find web directories without bruteforce.
dirscraper 16.e752450 OSINT Scanning tool which discovers and maps directories found in javascript files hosted on a website.
dirsearch 2303.759d089 HTTP(S) directory/file brute forcer.
docem 20.b0ddd87 Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids).
domi-owned 41.583d0a5 A tool used for compromising IBM/Lotus Domino servers.
dontgo403 0.9.3.r2.g52261f9 Tool to bypass 40X response codes..
doork 6.90c7260 Passive Vulnerability Auditor.
dorknet 58.419d6a2 Selenium powered Python script to automate searching for vulnerable web apps.
droopescan 1.45.1 A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
drupal-module-enum 11.525543c Enumerate on drupal modules.
drupalscan 0.5.2 Simple non-intrusive Drupal scanner.
drupwn 59.8186732 Drupal enumeration & exploitation tool.
dsfs 36.8e9f8e9 A fully functional File inclusion vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.
dsjs 32.26287d0 A fully functional JavaScript library vulnerability scanner written in under 100 lines of code.
dsss 123.84ddd33 A fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.
dsstore-crawler 7.efa51f5 A parser + crawler for .DS_Store files exposed publically.
dsxs 130.3e628b6 A fully functional Cross-site scripting vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.
eos 14.0127319 Enemies Of Symfony - Debug mode Symfony looter.
epicwebhoneypot 2.0a Tool which aims to lure attackers using various types of web vulnerability scanners by tricking them into believing that they have found a vulnerability on a host.
evine 42.46051de Interactive CLI Web Crawler.
extended-ssrf-search 28.680f815 Smart ssrf scanner using different methods like parameter brute forcing in post and get.
eyewitness 1036.3b10ae7 Designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
fbht 70.d75ae93 A Facebook Hacking Tool
fdsploit 26.4522f53 A File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
feroxbuster 2.7.1.r11.g53e3420 A fast, simple, recursive content discovery tool written in Rust.
ffuf v2.1.0.r2.g0e024f4 Fast web fuzzer written in Go.
fhttp 1.3 This is a framework for HTTP related attacks. It is written in Perl with a GTK interface, has a proxy for debugging and manipulation, proxy chaining, evasion rules, and more.
filebuster 95.f2b04c7 An extremely fast and flexible web fuzzer.
filegps 90.03cbc75 A tool that help you to guess how your shell was renamed after the server-side script of the file uploader saved it.
fingerprinter 480.105ab04 CMS/LMS/Library etc Versions Fingerprinter.
flask-session-cookie-manager2 v1.2.1.1.r11.g821b80c Decode and encode Flask session cookie.
flask-session-cookie-manager3 v1.2.1.1.r11.g821b80c Decode and encode Flask session cookie.
fockcache 10.3e7efa9 Tool to make cache poisoning by trying X-Forwarded-Host and X-Forwarded-Scheme headers on web pages.
fuxploider 140.ec8742b Tool that automates the process of detecting and exploiting file upload forms flaws.
gau 137.85deaa7 Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
ghauri 1.2.4.r0.g81e325f An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws.
ghost-py 2.0.0 Webkit based webclient (relies on PyQT).
gitdump 1.682fa37 A pentesting tool that dumps the source code from .git even when the directory traversal is disabled.
gittools 70.7cac63a A repository with 3 tools for pwn'ing websites with .git repositories available'.
gobuster 365.886c327 Directory/file & DNS busting tool written in Go.
golismero 73.7d605b9 Opensource web security testing framework.
gopherus 33.90a2fd5 Tool generates gopher link for exploiting SSRF and gaining RCE in various servers.
gospider 106.721e78c Fast web spider written in Go.
gowitness 286.0186397 A golang, web screenshot utility using Chrome Headless.
grabber 0.1 A web application scanner. Basically it detects some kind of vulnerabilities in your website.
graphql-path-enum 16.1a44883 Tool that lists the different ways of reaching a given type in a GraphQL schema.
graphqlmap 63.59305d7 Scripting engine to interact with a graphql endpoint for pentesting purposes.
graphw00f 1.1.10.r15.g54bc2ac GraphQL endpoint detection and engine fingerprinting.
h2csmuggler 7.7ea573a HTTP Request Smuggling over HTTP/2 Cleartext (h2c).
h2t 36.9183a30 Scans a website and suggests security headers to apply.
hakrawler 234.14e240b Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
hetty 134.f60202e HTTP toolkit for security research. Aims to become an open source alternative to commercial software like Burp Suite Pro.
hookshot 199.3258c3e Integrated web scraper and email account data breach comparison tool.
htcap 155.a59c592 A web application analysis tool for detecting communications between javascript and the server.
http2smugl 36.78abc09 Http2Smugl - Tool to detect and exploit HTTP request smuggling in cases it can be achieved via HTTP/2 -> HTTP/1.1 conversion.
httpforge 11.02.01 A set of shell tools that let you manipulate, send, receive, and analyze HTTP messages. These tools can be used to test, discover, and assert the security of Web servers, apps, and sites. An accompanying Python library is available for extensions.
httpgrep 2.3 A python tool which scans for HTTP servers and finds given strings in HTTP body and HTTP response headers.
httppwnly 47.528a664 "Repeater" style XSS post-exploitation tool for mass browser control.
httpx 1539.c4e101b A fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library.
identywaf 206.aa670df Blind WAF identification tool.
injectus 12.3c01fa0 CRLF and open redirect fuzzer.
interactsh-client v1.1.7.r0.g29844b1 Open-Source Solution for Out of band Data Extraction.
ipsourcebypass 1.2.r12.g91b16ad This Python script can be used to bypass IP source restrictions using HTTP headers.
jaeles 233.243e0b6 The Swiss Army knife for automated Web Application Testing.
jaidam 18.15e0fec Penetration testing tool that would take as input a list of domain names, scan them, determine if wordpress or joomla platform was used and finally check them automatically, for web vulnerabilities using two well-known open source tools, WPScan and Joomscan.
jast 17.361ecde Just Another Screenshot Tool.
jdeserialize 31.20635ba A library that interprets Java serialized objects. It also comes with a command-line tool that can generate compilable class declarations, extract block data, and print textual representations of instance values.
jexboss 86.338b531 Jboss verify and Exploitation Tool.
jira-scan 7.447d0ec A simple remote scanner for Atlassian Jira
jok3r 447.0761996 Network and Web Pentest Framework.
jomplug 0.1 This php script fingerprints a given Joomla system and then uses Packet Storm's archive to check for bugs related to the installed components.
jooforce 11.43c21ad A Joomla password brute force tester.
joomlascan 1.2 Joomla scanner scans for known vulnerable remote file inclusion paths and files.
joomlavs 254.eea7500 A black box, Ruby powered, Joomla vulnerability scanner.
joomscan 82.7931539 Detects file inclusion, sql injection, command execution vulnerabilities of a target Joomla! web site.
jshell 7.ee3c92d Get a JavaScript shell with XSS.
jsonbee 26.e106db2 A ready to use JSONP endpoints/payloads to help bypass content security policy (CSP).
jsparser 31.ccd3ab6 Parse javascript using Tornado and JSBeautifier to discover interesting enpoints.
jsql-injection 0.92 A Java application for automatic SQL database injection.
jstillery 65.512e9af Advanced JavaScript Deobfuscation via Partial Evaluation.
juumla 102.074280d Python tool created to identify Joomla version, scan for vulnerabilities and search for config files.
jwt-hack v1.1.2.r9.g252aef4 A tool for hacking / security testing to JWT.
kadimus 183.ac5f438 LFI Scan & Exploit Tool.
katana-pd v1.0.4.r0.g3558f38 Crawling and spidering framework.
kiterunner 19.7d5824c Contextual Content Discovery Tool.
kolkata 3.0 A web application fingerprinting engine written in Perl that combines cryptography with IDS evasion.
konan 23.7b5ac80 Advanced Web Application Dir Scanner.
kubolt 28.0027239 Utility for scanning public kubernetes clusters.
lfi-exploiter 1.1 This perl script leverages /proc/self/environ to attempt getting code execution out of a local file inclusion vulnerability..
lfi-fuzzploit 1.1 A simple tool to help in the fuzzing for, finding, and exploiting of local file inclusion vulnerabilities in Linux-based PHP applications.
lfi-image-helper 0.8 A simple script to infect images with PHP Backdoors for local file inclusion attacks.
lfi-sploiter 1.0 This tool helps you exploit LFI (Local File Inclusion) vulnerabilities. Post discovery, simply pass the affected URL and vulnerable parameter to this tool. You can also use this tool to scan a URL for LFI vulnerabilities.
lfifreak 21.0c6adef A unique automated LFi Exploiter with Bind/Reverse Shells.
lfimap 158.92c4a50 Local file inclusion discovery and exploitation tool.
liffy 33.89dd4f8 A Local File Inclusion Exploitation tool.
lightbulb 88.9e8d6f3 Python framework for auditing web applications firewalls.
linkfinder 162.095bb62 Discovers endpoint and their parameters in JavaScript files.
list-urls 0.1 Extracts links from webpage.
log4j-bypass 33.f5c92f9 Log4j web app tester that includes WAF bypasses.
log4j-scan 88.07f7e32 A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-44228.
lorsrf bbb.r0.g91c26ec Find the parameters that can be used to find SSRF or Out-of-band resource load.
lulzbuster 1.3.2 A very fast and smart web directory and file enumeration tool written in C.
magescan 1.12.9 Scan a Magento site for information. 9.8b34f1a Web Command Injection Tool.
meg 87.9daab00 Fetch many paths for many hosts - without killing the hosts.
metoscan 05 Tool for scanning the HTTP methods supported by a webserver. It works by testing a URL and checking the responses for the different requests.
monsoon 261.f4f9852 A fast HTTP enumerator that allows you to execute a large number of HTTP requests.
mooscan 10.82963b0 A scanner for Moodle LMS.
morxtraversal 1.0 Path Traversal checking tool.
multiinjector 0.4 Automatic SQL injection utility using a lsit of URI addresses to test parameter manipulation.
nosqli 37.6fce3eb NoSQL scanner and injector.
nosqlmap 296.9502b8c Automated Mongo database and NoSQL web application exploitation tool
novahot 23.69857bb A webshell framework for penetration testers.
nuclei v2.9.15.r1.g54b5e0ee A fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.
okadminfinder 83.aca7645 Tool to find admin panels / admin login pages.
onionsearch 43.ab4095c Script that scrapes urls on different ".onion" search engines.
opendoor 422.d1ed311 OWASP WEB Directory Scanner.
owasp-bywaf 26.e730d1b A web application penetration testing framework (WAPTF).
owtf 2187.af993ecb The Offensive (Web) Testing Framework.
pappy-proxy 77.e1bb049 An intercepting proxy for web application testing.
parameth 56.8da6f27 This tool can be used to brute discover GET and POST parameters.
parampampam 45.9171018 This tool for brute discover GET and POST parameters.
paros 3.2.13 Java-based HTTP/HTTPS proxy for assessing web app vulnerabilities. Supports editing/viewing HTTP messages on-the-fly, spiders, client certificates, proxy-chaining, intelligent scanning for XSS and SQLi, etc.
payloadmask 17.58e0525 Web Payload list editor to use techniques to try bypass web application firewall.
peepingtom 56.bc6f4d8 A tool to take screenshots of websites. Much like eyewitness.
photon 326.d4af460 Incredibly fast crawler which extracts urls, emails, files, website accounts and much more.
php-findsock-shell 2.b8a984f A Findsock Shell implementation in PHP + C.
php-malware-finder 0.3.4.r82.g87b6d7f Detect potentially malicious PHP files.
phpggc 551.3b19fc1 A library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
phpsploit 1015.c132bd9 Stealth post-exploitation framework.
pixload 87.a8f58a7 Image Payload Creating/Injecting tools.
plecost 104.4895e34 Wordpress finger printer Tool.
plown 13.ccf998c A security scanner for Plone CMS.
poly 52.4e6f189 Polymorphic webshells.
pown 332.0e32edf Security testing and exploitation toolkit built on top of Node.js and NPM.
ppfuzz 31.80982ec A fast tool to scan client-side prototype pollution vulnerability written in Rust.
ppmap v1.2.0.r15.g9426af6 A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets.
proxenet 712.67fc6b5 THE REAL hacker friendly proxy for web application pentests.
pwndrop 18.385ba70 Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV.
pyfiscan 2973.c654ce7 Free web-application vulnerability and version scanner.
python-witnessme 1.5.0 Web Inventory tool, takes screenshots of webpages using Pyppeteer.
python2-jsbeautifier 1.13.4 JavaScript unobfuscator and beautifier.
rabid v0.1.0.r79.ge628b55 A CLI tool and library allowing to simply decode all kind of BigIP cookies
rapidscan 221.296a20b The Multi-Tool Web Vulnerability Scanner.
remot3d 38.a707ef7 An Simple Exploit for PHP Language.
restler-fuzzer latest.main.r1.g1adad40 First stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
riwifshell 38.40075d5 Web backdoor - infector - explorer.
ruler 301.1e5ee2d A tool to abuse Exchange services.
rustbuster 302.4a243d4 DirBuster for Rust.
rww-attack 0.9.2 Performs a dictionary attack against a live Microsoft Windows Small Business Server.
sawef 32.e5ce862 Send Attack Web Forms.
scanqli 26.40a028d SQLi scanner to detect SQL vulns.
scrapy 2.8.0 A fast high-level scraping and web crawling framework.
scrying 234.caa233c Collect RDP, web, and VNC screenshots smartly.
second-order v3.2.r0.g242569b Second-order subdomain takeover scanner.
secretfinder 14.a0283cb A python script to find sensitive data (apikeys, accesstoken, jwt,..) in javascript files.
secscan 1.5 Web Apps Scanner and Much more utilities.
see-surf v2.0.r40.gbe79a31 A Python based scanner to find potential SSRF parameters in a web application.
serializationdumper 31.69ea9ba A tool to dump Java serialization streams in a more human readable form.
shortfuzzy 0.1 A web fuzzing script written in perl.
shuffledns 301.db34c66 A wrapper around massdns written in GO.
sitadel 121.0a0e475 Web Application Security Scanner.
sitediff 3.1383935 Fingerprint a web app using local files as the fingerprint sources.
skipfish 2.10b A fully automated, active web application security reconnaissance tool.
smplshllctrlr 9.2baf390 PHP Command Injection exploitation tool.
smuggler 23.2be871e An HTTP Request Smuggling / Desync testing tool written in Python 3.
smuggler-py 1.0 Python tool used to test for HTTP Desync/Request Smuggling attacks.
snallygaster 225.4c5a9b5 Tool to scan for secret files on HTTP servers.
snuck 6.76196b6 Automatic XSS filter bypass.
spaf 11.671a976 Static Php Analysis and Fuzzer.
sparty 0.1 An open source tool written in python to audit web applications using sharepoint and frontpage architecture.
spiga 636.fe15783 Configurable web resource scanner.
spike-proxy 148 A Proxy for detecting vulnerabilities in web applications
spipscan 69.4ad3235 SPIP (CMS) scanner for penetration testing purpose written in Python.
sprayingtoolkit 60.82e2ec8 Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient.
sqid 0.3 A SQL injection digger.
sqlmap 1.7.9 Automatic SQL injection and database takeover tool
ssrf-sheriff 2.f95d691 A simple SSRF-testing sheriff written in Go.
ssrfmap 104.f688ec9 Automatic SSRF fuzzer and exploitation tool.
stews 1.0.0.r7.gc7bba5a A Security Tool for Enumerating WebSockets.
striker 85.87c184d An offensive information and vulnerability scanner.
subjs 45.76ce9ec Fetches javascript file from a list of URLS or subdomains.
themole 0.3 Automatic SQL injection exploitation tool.
tidos-framework v2.0.beta2.r22.g4098187 Offensive Web Application Penetration Testing Framework.
torcrawl 81.3241834 Crawl and extract (regular or onion) webpages through TOR network.
tplmap 719.616b0e5 Automatic Server-Side Template Injection Detection and Exploitation Tool.
typo3scan v1.1.3.r6.g5ba5486 Enumerate Typo3 version and extensions.
uncaptcha2 7.473f33d Defeating the latest version of ReCaptcha with 91% accuracy.
uppwn 9.f69dec4 A script that automates detection of security flaws on websites' file upload systems'.
urlcrazy 0.5 Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
urldigger 02c A python tool to extract URL addresses from different HOT sources and/or detect SPAM and malicious code
urlextractor 19.739864d Information gathering & website reconnaissance.
vane 1899.48f9ab5 A vulnerability scanner which checks the security of WordPress installations using a black box approach.
vanguard 0.1 A comprehensive web penetration testing tool written in Perl thatidentifies vulnerabilities in web applications.
vbscan 39.2b1ce48 A black box vBulletin vulnerability scanner written in perl.
vega 1.0 An open source platform to test the security of web applications.
vsvbp 6.241a7ab Black box tool for Vulnerability detection in web applications.
vulnerabilities-spider 1.426e70f A tool to scan for web vulnerabilities.
vulnx 321.bcf451d Cms and vulnerabilites detector & An intelligent bot auto shell injector.
w13scan 430.432b835 Passive Security Scanner.
wafninja 25.379cd98 A tool which contains two functions to attack Web Application Firewalls.
wafp 0.01_26c3 An easy to use Web Application Finger Printing tool written in ruby using sqlite3 databases for storing the fingerprints.
wafpass 48.c3ea1b9 Analysing parameters with all payloads' bypass methods, aiming at benchmarking security solutions like WAF.
wapiti 3.1.8.r16.g6be9bb33 A vulnerability scanner for web applications.
wascan 37.6926338 Web Application Scanner.
waybackpack 91.58b3d0f Download the entire Wayback Machine archive for a given URL.
wcvs 1.1.0.r9.gd6e4b4f Web Cache Vulnerability Scanner is a Go-based CLI tool for testing for web cache poisoning.
web-soul 2 A plugin based scanner for attacking and data mining web sites written in Perl.
webanalyze 115.caadb5d Port of Wappalyzer (uncovers technologies used on websites) in go to automate scanning.
webborer 173.b323cf4 A directory-enumeration tool written in Go.
webhandler 348.1bd971e A handler for PHP system functions & also an alternative 'netcat' handler.
webkiller 42.d680598 Tool Information Gathering Write By Python.
webshells 46.e8e1a37 Web Backdoors.
webslayer 5 A tool designed for brute forcing Web Applications.
webtech 1.3.3 Identify technologies used on websites.
webxploiter 56.c03fe6b An OWASP Top 10 Security scanner.
weevely 894.445bd88 Weaponized web shell.
weirdaal 331.c14e36d AWS Attack Library.
whatwaf 392.b14e866 Detect and bypass web application firewalls and protection systems.
whichcdn 22.5fc6ddd Tool to detect if a given website is protected by a Content Delivery Network.
wig 574.d5ddd91 WebApp Information Gatherer.
witchxtool 1.1 A perl script that consists of a port scanner, LFI scanner, MD5 bruteforcer, dork SQL injection scanner, fresh proxy scanner, and a dork LFI scanner.
wordpress-exploit-framework 907.e55ded4 A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
wpforce 88.b72ec64 Wordpress Attack Suite.
wpintel 6.741c0c9 Chrome extension designed for WordPress Vulnerability Scanning and information gathering.
wpscan 3.8.24 Black box WordPress vulnerability scanner
wpseku 39.862fb2c Simple Wordpress Security Scanner.
ws-attacker 1.7 A modular framework for web services penetration testing.
wssip 75.56d0d2c Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
wuzz 229.66176b6 Interactive cli tool for HTTP inspection.
x8 v4.1.0.r2.g6ee4532 Hidden parameters discovery suite.
xmlrpc-bruteforcer 35.6023237 An XMLRPC brute forcer targeting Wordpress written in Python 3.
xspear 144.57bb7b4 Powerful XSS Scanning and Parameter analysis tool&gem.
xsrfprobe 523.ce04111 The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.
xss-freak 17.e361766 An XSS scanner fully written in Python3 from scratch.
xsscon 45.ce91fd6 Simple XSS Scanner tool.
xsscrapy 153.4966255 XSS spider - 66/66 wavsep XSS detected.
xsser 1.8 A penetration testing tool for detecting and exploiting XSS vulnerabilites.
xssless 45.8e7ebe1 An automated XSS payload generator written in python.
xsspy 60.b10d336 Web Application XSS Scanner.
xsss 0.40b A brute force cross site scripting scanner.
xssscan 17.7f1ea90 Command line tool for detection of XSS attacks in URLs. Based on ModSecurity rules from OWASP CRS.
xsssniper 79.02b59af An automatic XSS discovery tool
xsstrike 467.f292787 An advanced XSS detection and exploitation suite.
xssya 13.cd62817 A Cross Site Scripting Scanner & Vulnerability Confirmation.
xwaf 162.c6f6bb7 Automatic WAF bypass tool.
xxxpwn 10.27a2d27 A tool Designed for blind optimized XPath 1 injection attacks.
xxxpwn-smart 6.b11b95b A fork of xxxpwn adding further optimizations and tweaks.
yaaf 7.4d6273a Yet Another Admin Finder.
yasuo 121.994dcb1 A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network.
yawast 0.11.0 The YAWAST Antecedent Web Application Security Toolkit.
ycrawler 0.1 A web crawler that is useful for grabbing all user supplied input related to a given website and will save the output. It has proxy and log file support.
ysoserial 0.0.6 A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
zaproxy 2.12.0 Integrated penetration testing tool for finding vulnerabilities in web applications