cyber-security-resources/web-application-testing/tools.md

Web Application Testing Tools

This is a curated list of tools for this category.

---

• 0D1N v2.6 - Web Security Tool To Make Fuzzing At HTTP/S
• 0D1N v3.4 - Tool For Automating Customized Attacks Against Web Applications (Full Made In C Language With Pthreads, Have A Fast Performance)
• 0L4Bs - Cross-site Scripting Labs For Web Application Security Enthusiasts
• 403Bypasser - Burpsuite Extension To Bypass 403 Restricted Directory
• ABPTTS - TCP Tunneling Over HTTP/HTTPS For Web Application Servers
• Acunetix Web Application Vulnerability Report 2019
• Acunetix v13 - Web Application Security Scanner
• Admin-Panel_Finder - A Burp Suite Extension That Enumerates Infrastructure And Application Admin Interfaces (OTG-CONFIG-005)
• Aduket - Straight-forward HTTP Client Testing, Assertions Included
• Andor - Blind SQL Injection Tool With Golang
• Arjun v1.3 - HTTP Parameter Discovery Suite
• Arjun v1.6 - HTTP Parameter Discovery Suite
• Artemis - A Modular Web Reconnaissance Tool And Vulnerability Scanner
• Astra - Automated Security Testing For REST API's
• AuthMatrix - A Burp Suite Extension That Provides A Simple Way To Test Authorization
• B-XSSRF - Toolkit To Detect And Keep Track On Blind XSS, XXE And SSRF
• BWASP - BoB Web Application Security Project
• Bantam - A PHP Backdoor Management And Generation tool/C2 Featuring End To End Encrypted Payload Streaming Designed To Bypass WAF, IDS, SIEM Systems
• Bashter - Web Crawler, Scanner, And Analyzer Framework
• BatchQL - GraphQL Security Auditing Script With A Focus On Performing Batch GraphQL Queries And Mutations
• BlackDir-Framework - Web Application Vulnerability Scanner
• Blinder - A Python Library To Automate Time-Based Blind SQL Injection
• Bolt - CSRF Scanning Suite
• Burp Exporter - A Burp Suite Extension To Copy A Request To The Clipboard As Multiple Programming Languages Functions
• Burp-Dom-Scanner - Burp Suite's Extension To Scan And Crawl Single Page Applications
• BurpCrypto - A Collection Of Burpsuite Encryption Plug-Ins, Support AES/RSA/DES/ExecJs(execute JS Encryption Code In Burpsuite)
• BurpMetaFinder - Burp Suite Extension For Extracting Metadata From Files
• BurpSuite Random User-Agents - Burp Suite Extension For Generate A Random User-Agents
• Burpgpt - A Burp Suite Extension That Integrates OpenAI's GPT To Perform An Additional Passive Scan For Discovering Highly Bespoke Vulnerabilities, And Enables Running Traffic-Based Analysis Of Any Type
• Burpsuite-Copy-As-XMLHttpRequest - Copy As XMLHttpRequest BurpSuite Extension
• Bxss - A Blind XSS Injector Tool
• CATS - REST API Fuzzer And Negative Testing Tool For OpenAPI Endpoints
• CRLFMap - A Tool To Find HTTP Splitting Vulnerabilities
• CSRFER - Tool To Generate CSRF Payloads Based On Vulnerable Requests
• Cdb - Automate Common Chrome Debug Protocol Tasks To Help Debug Web Applications From The Command-Line And Actively Monitor And Intercept HTTP Requests And Responses
• Chameleon - Customizable Honeypots For Monitoring Network Traffic, Bots Activities And Username\Password Credentials (DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, STMP, RDP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres And MySQL)
• CheckXSS - Detect XSS vulnerability in Web Applications
• CrackQL - GraphQL Password Brute-Force And Fuzzing Utility
• Crawlergo - A Powerful Browser Crawler For Web Vulnerability Scanners
• Cumulus - Web Application Weakness Monitoring, It Would Be Working By Add Just 3 Codelines
• Custom Header - Automatic Add New Header To Entire BurpSuite HTTP Requests
• DOMDig - DOM XSS Scanner For Single Page Applications
• DalFox (Finder Of XSS) - Parameter Analysis And XSS Scanning Tool Based On Golang
• Damn-Vulnerable-GraphQL-Application - Damn Vulnerable GraphQL Application Is An Intentionally Vulnerable Implementation Of Facebook's GraphQL Technology, To Learn And Practice GraphQL Security
• Decider - A Web Application That Assists Network Defenders, Analysts, And Researcher In The Process Of Mapping Adversary Behaviors To The MITRE ATT&CK Framework
• Domhttpx - A Google Search Engine Dorker With HTTP Toolkit Built With Python, Can Make It Easier For You To Find Many URLs/IPs At Once With Fast Time
• DotDotPwn - The Directory Traversal Fuzzer
• DumpsterFire - "Security Incidents In A Box!" A Modular, Menu-Driven, Cross-Platform Tool For Building Customized, Time-Delayed, Distributed Security Events
• EmailFinder - Search Emails From A Domain Through Search Engines
• Evine - Interactive CLI Web Crawler
• Extended-SSRF-Search - Smart SSRF Scanner Using Different Methods Like Parameter Brute Forcing In Post And Get...
• Extended-XSS-Search - Scans For Different Types Of XSS On A List Of URLs
• FDsploit - File Inclusion And Directory Traversal Fuzzing, Enumeration & Exploitation Tool
• FProbe - Take A List Of Domains/Subdomains And Probe For Working HTTP/HTTPS Server
• FTW - Framework For Testing WAFs
• Fawkes - Tool To Search For Targets Vulnerable To SQL Injection (Performs The Search Using Google Search Engine)
• Femida - Automated Blind-Xss Search For Burp Suite
• FinDOM-XSS - A Fast DOM Based XSS Vulnerability Scanner With Simplicity
• FinalRecon - OSINT Tool For All-In-One Web Reconnaissance
• FinalRecon - The Last Web Recon Tool You'll Need
• FinalRecon v1.0.2 - OSINT Tool For All-In-One Web Reconnaissance
• FinalRecon v1.1.0 - The Last Web Recon Tool You'll Need
• FireProx - AWS API Gateway Management Tool For Creating On The Fly HTTP Pass-Through Proxies For Unique IP Rotation
• Firefly - Black Box Fuzzer For Web Applications
• Forbidden - Bypass 4Xx HTTP Response Status Codes
• Garud - An Automation Tool That Scans Sub-Domains, Sub-Domain Takeover And Then Filters Out XSS, SSTI, SSRF And More Injection Point Parameters
• Generator-Burp-Extension - Everything You Need About Burp Extension Generation
• Ghauri - An Advanced Cross-Platform Tool That Automates The Process Of Detecting And Exploiting SQL Injection Security Flaws
• GitDump - A Pentesting Tool That Dumps The Source Code From .Git Even When The Directory Traversal Is Disabled
• Goreplay - Open-Source Tool For Capturing And Replaying Live HTTP Traffic Into A Test Environment In Order To Continuously Test Your System With Real Data
• Gospider - Fast Web Spider Written In Go
• Gotestwaf - Go Test WAF Is A Tool To Test Your WAF Detection Capabilities Against Different Types Of Attacks And By-Pass Techniques
• GraphCrawler - GraphQL Automated Security Testing Toolkit
• GraphQL Cop - Security Auditor Utility For GraphQL APIs
• GraphQLmap - A Scripting Engine To Interact With A Graphql Endpoint For Pentesting Purposes
• Graphicator - A GraphQL Enumeration And Extraction Tool
• Graphql-Threat-Matrix - GraphQL Threat Framework Used By Security Professionals To Research Security Gaps In GraphQL Implementations
• Graphw00F - GraphQL fingerprinting tool for GQL endpoints
• H2Buster - A Threaded, Recursive, Web Directory Brute-Force Scanner Over HTTP/2
• H2Csmuggler - HTTP Request Smuggling Over HTTP/2 Cleartext (H2C)
• HRShell - An Advanced HTTPS/HTTP Reverse Shell Built With Flask
• HTTP Asynchronous Reverse Shell - Asynchronous Reverse Shell Using The HTTP Protocol
• HTTP Bridge - Send TCP Stream Packets Over Simple HTTP Request
• HTTP Request Smuggler - Extension For Burp Suite Designed To Help You Launch HTTP Request Smuggling Attacks
• HTTP-revshell - Powershell Reverse Shell Using HTTP/S Protocol With AMSI Bypass And Proxy Aware
• HTTPLoot - An Automated Tool Which Can Simultaneously Crawl, Fill Forms, Trigger Error/Debug Pages And "Loot" Secrets Out Of The Client-Facing Code Of Sites
• HTTPS Everywhere - A Browser Extension That Encrypts Your Communications With Many Websites That Offer HTTPS But Still Allow Unencrypted Connections
• HTTPUploadExfil - A Simple HTTP Server For Exfiltrating Files/Data During, For Example, CTFs
• HTTrack Website Copier - Web Crawler And Offline Browser
• HaE - BurpSuite Highlighter And Extractor
• Hack-Tools - The All-In-One Red Team Extension For Web Pentester
• Hack-Tools v0.3.0 - The All-In-One Red Team Extension For Web Pentester
• Hakoriginfinder - Tool For Discovering The Origin Host Behind A Reverse Proxy. Useful For Bypassing Cloud WAFs!
• Hakrawler - Simple, Fast Web Crawler Designed For Easy, Quick Discovery Of Endpoints And Assets Within A Web Application
• Hetty - An HTTP Toolkit For Security Research
• Hoaxshell - An Unconventional Windows Reverse Shell, Currently Undetected By Microsoft Defender And Various Other AV Solutions, Solely Based On Http(S) Traffic
• Htcap - A Web Application Scanner Able To Crawl Single Page Application (SPA) In A Recursive Manner By Intercepting Ajax Calls And DOM Changes
• Http-Desync-Guardian - Analyze HTTP Requests To Minimize Risks Of HTTP Desync Attacks (Precursor For HTTP Request Smuggling/Splitting)
• Http-Protocol-Exfil - Exfiltrate Files Using The HTTP Protocol Version ("HTTP/1.0" Is A 0 And "HTTP/1.1" Is A 1)
• Http-Request-Smuggling - HTTP Request Smuggling Detection Tool
• Http2Smugl - Tool to detect and exploit HTTP request smuggling in cases it can be achieved via HTTP/2 -> HTTP/1.1 conversion
• HttpDoom - A Tool For Response-Based Inspection Of Websites Across A Large Amount Of Hosts For Quickly Gaining An Overview Of HTTP-based Attack Surface
• Httpgrep - Scans HTTP Servers To Find Given Strings In URIs
• Httpx - A Fast And Multi-Purpose HTTP Toolkit Allows To Run Multiple Probers Using Retryablehttp Library, It Is Designed To Maintain The Result Reliability With Increased Threads
• IPRotate - Extension For Burp Suite Which Uses AWS API Gateway To Rotate Your IP On Every Request
• InQL - A Burp Extension For GraphQL Security Testing
• InQL Scanner - A Burp Extension For GraphQL Security Testing
• Ipsourcebypass - This Python Script Can Be Used To Bypass IP Source Restrictions Using HTTP Headers
• JSshell - A JavaScript Reverse Shell For Exploiting XSS Remotely Or Finding Blind XSS, Working With Both Unix And Windows OS
• Jaeles v0.4 - The Swiss Army Knife For Automated Web Application Testing
• Jaeles v0.9 - The Swiss Army Knife For Automated Web Application Testing
• Jatayu - Stealthy Stand Alone PHP Web Shell
• Jeeves - Time-Based Blind SQLInjection Finder
• Jok3R - Network And Web Pentest Framework
• Kirjuri - Web Application For Managing Cases And Physical Forensic Evidence Items
• Klyda - Highly Configurable Script For Dictionary/Spray Attacks Against Online Web Applications
• Konan - Advanced Web Application Dir Scanner
• Kubesploit - A Cross-Platform Post-Exploitation HTTP/2 Command And Control Server And Agent Written In Golang
• LazyCSRF - A More Useful CSRF PoC Generator
• Lfi-Space - LFI Scan Tool
• Lfi-Space - LFI Scan Tool
• Libinjection - SQL / SQLI Tokenizer Parser Analyzer
• LightMe - HTTP Server Serving Obfuscated Powershell Scripts/Payloads
• Lorsrf - SSRF Parameter Bruteforce
• MITM_Intercept - A Little Bit Less Hackish Way To Intercept And Modify non-HTTP Protocols Through Burp And Others
• MSSQLi-DUET - SQL Injection Script For MSSQL That Extracts Domain Users From An Active Directory Environment Based On RID Bruteforcing
• Mallory - HTTP/HTTPS Proxy Over SSH
• Metabadger - Prevent SSRF Attacks On AWS EC2 Via Automated Upgrades To The More Secure Instance Metadata Service V2 (IMDSv2)
• Metlo - An Open-Source API Security Platform
• Metlo - An Open-Source API Security Platform
• Mitmproxy2Swagger - Automagically Reverse-Engineer REST APIs Via Capturing Traffic
• Monsoon - Fast HTTP Enumerator
• NAXSI - An Open-Source, High Performance, Low Rules Maintenance WAF For NGINX
• NGWAF - First Iteration Of ML Based Feedback WAF
• NTLMRecon - A Tool For Performing Light Brute-Forcing Of HTTP Servers To Identify Commonly Accessible NTLM Authentication Endpoints
• NTLMRecon - A Tool For Performing Light Brute-Forcing Of HTTP Servers To Identify Commonly Accessible NTLM Authentication Endpoints
• Ninjasworkout - Vulnerable NodeJS Web Application
• NoSQLi - NoSql Injection CLI Tool
• Nuclei-Burp-Plugin - Nuclei Plugin For BurpSuite
• OWASP ASST (Automated Software Security Toolkit) - A Novel Open Source Web Security Scanner
• OWASP Coraza WAF - A Golang Modsecurity Compatible Web Application Firewall Library
• Octopus WAF - Web Application Firewall Made In C Language And Use Libevent
• Oh365UserFinder - Python3 O365 User Enumeration Tool
• PCWT - A Web Application That Makes It Easy To Run Your Pentest And Bug Bounty Projects
• Pathprober - Probe And Discover HTTP Pathname Using Brute-Force Methodology And Filtered By Specific Word Or 2 Words At Once
• PayloadsAllTheThings - A List Of Useful Payloads And Bypass For Web Application Security And Pentest/CTF
• Pivotnacci - A Tool To Make Socks Connections Through HTTP Agents
• Ppmap - A Scanner/Exploitation Tool Written In GO, Which Leverages Prototype Pollution To XSS By Exploiting Known Gadgets
• Progress-Burp - Burp Suite Extension To Track Vulnerability Assessment Progress
• Proxify - Swiss Army Knife Proxy Tool For HTTP/HTTPS Traffic Capture, Manipulation, And Replay On The Go
• PwnXSS - Vulnerability XSS Scanner Exploit
• Pwndrop - Self-Deployable File Hosting Service For Red Teamers, Allowing To Easily Upload And Share Payloads Over HTTP And WebDAV
• Py3Webfuzz - A Python3 Module To Assist In Fuzzing Web Applications
• Quarantyne - Modern Web Firewall: Stop Account Takeovers, Weak Passwords, Cloud IPs, DoS Attacks, Disposable Emails
• RESTler - The First Stateful REST API Fuzzing Tool For Automatically Testing Cloud Services Through Their REST APIs And Finding Security And Reliability Bugs In These Services
• REcollapse Is A Helper Tool For Black-Box Regex Fuzzing To Bypass Validations And Discover Normalizations In Web Applications
• REcollapse Is A Helper Tool For Black-Box Regex Fuzzing To Bypass Validations And Discover Normalizations In Web Applications
• Raptor WAF v0.6 - Web Application Firewall using DFA
• Re2Pcap - Create PCAP file from raw HTTP request or response in seconds
• ReconAIzer - A Burp Suite Extension To Add OpenAI (GPT) On Burp And Help You With Your Bug Bounty Recon To Discover Endpoints, Params, URLs, Subdomains And More!
• ReconNote - Web Application Security Automation Framework Which Recons The Target For Various Assets To Maximize The Attack Surface For Security Professionals & Bug-Hunters
• Recox - Master Script For Web Reconnaissance
• Request_Smuggler - Http Request Smuggling Vulnerability Scanner
• SQL Injection Payload List
• SQLMap v1.3 - Automatic SQL Injection And Database Takeover Tool
• SQLMap v1.3.10 - Automatic SQL Injection And Database Takeover Tool
• SQLMap v1.3.7 - Automatic SQL Injection And Database Takeover Tool
• SQLMap v1.3.8 - Automatic SQL Injection And Database Takeover Tool
• SQLMap v1.4 - Automatic SQL Injection And Database Takeover Tool
• SQLMap v1.4.9 - Automatic SQL Injection And Database Takeover Tool
• SQLbit - Just Another Script For Automatize Boolean-Based Blind SQL Injections
• SQLiDetector - Helps You To Detect SQL Injection "Error Based" By Sending Multiple Requests With 14 Payloads And Checking For 152 Regex Patterns For Different Databases
• SSRF Sheriff - A Simple SSRF-testing Sheriff Written In Go
• SSRF-King - SSRF Plugin For Burp Automates SSRF Detection In All Of The Request
• SSRFire - An Automated SSRF Finder. Just Give The Domain Name And Your Server And Chill! Also Has Options To Find XSS And Open Redirects
• SSRFmap - Automatic SSRF Fuzzer And Exploitation Tool
• SSRFuzz - A Tool To Find Server Side Request Forgery Vulnerabilities, With CRLF Chaining Capabilities
• ScanQLi - Scanner To Detect SQL Injection Vulnerabilities
• Scanner-and-Patcher - A Web Vulnerability Scanner And Patcher
• Scant3R - Web Security Scanner
• SecLists - A Collection Of Multiple Types Of Lists Used During Security Assessments, Collected In One Place (Usernames, Passwords, URLs, Sensitive Data Patterns, Fuzzing Payloads, Web Shells, And Many More)
• See-SURF - Python Based Scanner To Find Potential SSRF Parameters
• Self-XSS - Self-XSS Attack Using Bit.Ly To Grab Cookies Tricking Users Into Running Malicious Code
• SharpWebServer - HTTP And WebDAV Server With Net-NTLM Hashes Capture Functionality
• Shellsum - A Defense Tool - Detect Web Shells In Local Directories Via Md5Sum
• Sigurlfind3R - A Reconnaissance Tool, It Fetches URLs From AlienVault's OTX, Common Crawl, URLScan, Github And The Wayback Machine
• Sigurlx - A Web Application Attack Surface Mapping Tool
• Sish - HTTP(S)/WS(S)/TCP Tunnels To Localhost Using Only SSH
• Sitadel - Web Application Security Scanner
• Smuggler - An HTTP Request Smuggling / Desync Testing Tool
• SocialFish v2 - Educational Phishing Tool & Information Collector
• SourceLeakHacker - A Multi Threads Web Application Source Leak Scanner
• SpiderSuite - Advance Web Spider/Crawler For Cyber Security Professionals
• SpiderSuite - Advance Web Spider/Crawler For Cyber Security Professionals
• Swurg - Parse OpenAPI Documents Into Burp Suite For Automating OpenAPI-based APIs Security Assessments
• T-Reqs-HTTP-Fuzzer - A Grammar-Based HTTP Fuzzer
• TIWAP - Totally Insecure Web Application Project
• Tachyon - Fast HTTP Dead File Finder
• TeaBreak - A Productivity Burp Extension Which Reminds To Take Break While You Are At Work!
• Teler - Real-time HTTP Intrusion Detection
• Teler-Waf - A Go HTTP Middleware That Provides Teler IDS Functionality To Protect Against Web-Based Attacks And Improve The Security Of Go-based Web Applications
• Teler-Waf - A Go HTTP Middleware That Provides Teler IDS Functionality To Protect Against Web-Based Attacks And Improve The Security Of Go-based Web Applications
• Tishna - Complete Automated Pentest Framework For Servers, Application Layer To Web Security
• Toxssin - An XSS Exploitation Command-Line Interface And Payload Generator
• Traxss - Automated XSS Vulnerability Scanner
• Turbo-Intruder - A Burp Suite Extension For Sending Large Numbers Of HTTP Requests And Analyzing The Results
• UBoat - HTTP Botnet Project
• VAmPI - Vulnerable REST API With OWASP Top 10 Vulnerabilities For Security Testing
• Vailyn - A Phased, Evasive Path Traversal + LFI Scanning & Exploitation Tool In Python
• Vimana - An Experimental Security Framework That Aims To Provide Resources For Auditing Python Web Applications
• VuCSA - Vulnerable Client-Server Application - Made For Learning/Presenting How To Perform Penetration Tests Of Non-Http Thick Clients
• VulFi - Plugin To IDA Pro Which Can Be Used To Assist During Bug Hunting In Binaries
• Vulmap - Web Vulnerability Scanning And Verification Tools
• VulnLab - A Web Vulnerability Lab Project
• WAF-A-MoLE - A Guided Mutation-Based Fuzzer For ML-based Web Application Firewalls
• WAFW00F v1.0.0 - Detect All The Web Application Firewall!
• WAFW00F v2.0 - Allows One To Identify And Fingerprint Web Application Firewall (WAF) Products Protecting A Website
• WSVuls - Website Vulnerability Scanner Detect Issues (Outdated Server Software And Insecure HTTP Headers)
• Waf-Bypass - Check Your WAF Before An Attacker Does
• Wafaray - Enhance Your Malware Detection With WAF + YARA (WAFARAY)
• Web-Hacking-Playground - Web Application With Vulnerabilities Found In Real Cases, Both In Pentests And In Bug Bounty Programs
• Webshell-Analyzer - Web Shell Scanner And Analyzer
• WhatWeb v0.5.0 - Next Generation Web Scanner
• Wifi_Db - Script To Parse Aircrack-ng Captures To A SQLite Database
• Wsh - Web Shell Generator And Command Line Interface
• XIP - Tool To Generate A List Of IP Addresses By Applying A Set Of Transformations Used To Bypass Security Measures E.G. Blacklist Filtering, WAF, Etc.
• XML External Entity (XXE) Injection Payload List
• XORpass - Encoder To Bypass WAF Filters Using XOR Operations
• XSS-Exploitation-Tool - An XSS Exploitation Tool
• XSS-Freak - An XSS Scanner Fully Written In Python3 From Scratch
• XSS-LOADER - XSS Payload Generator / XSS Scanner / XSS Dork Finder
• XSS-Scanner - XSS Scanner That Detects Cross-Site Scripting Vulnerabilities In Website By Injecting Malicious Scripts
• XSSCon - Simple XSS Scanner Tool
• XSSTRON - Electron JS Browser To Find XSS Vulnerabilities Automatically
• XSStrike v3.1.4 - Most Advanced XSS Detection Suite
• XSpear - Powerfull XSS Scanning And Parameter Analysis Tool
• XSpear v1.3 - Powerfull XSS Scanning And Parameter Analysis Tool
• XXExploiter - Tool To Help Exploit XXE Vulnerabilities
• XanXSS - A Simple XSS Finding Tool
• Xss_Vulnerability_Challenges - This Repository Is A Docker Containing Some "XSS Vulnerability" Challenges And Bypass Examples
• Xssizer - The Best Tool To Find And Prove XSS Flaws
• Zeebsploit - Web Scanner / Exploitation / Information Gathering
• Zeebsploit - Web Scanner / Exploitation / Information Gathering
• autoSSRF - Smart Context-Based SSRF Vulnerabiltiy Scanner
• debugHunter - Discover Hidden Debugging Parameters And Uncover Web Application Secrets
• defenselessV1 - Just Another Vulnerable Web Application
• ezXSS - An Easy Way For Penetration Testers And Bug Bounty Hunters To Test (Blind) Cross Site Scripting
• goDoH - A DNS-over-HTTPS C2
• identYwaf - Blind WAF Identification Tool
• pFuzz - Helps Us To Bypass Web Application Firewall By Using Different Methods At The Same Time
• reNgine - An Automated Reconnaissance Framework Meant For Gathering Information During Penetration Testing Of Web Applications
• uDork - Tool That Uses Advanced Google Search Techniques To Obtain Sensitive Information In Files Or Directories, Find IoT Devices, Detect Versions Of Web Applications, And So On