Tools Vulnerability Assessment And Penetration Testing


Acunetix Web Vulnerability Scanner


1. AcuSensor Technology
2. An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications.
3. Industry's most advanced and in-depth SQL injection and cross-site scripting testing.
4. Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer.
5. Visual macro recorder makes testing web forms and password-protected areas easy.
6. Support for pages with CAPTCHA, single sign-on and two-factor authentication mechanisms.
7. Extensive reporting facilities including VISA PCI compliance reports.
8. Multi-threaded and lightning fast scanner crawls hundreds of thousands of pages with ease.
9. Intelligent crawler detects web server type and application language.
11. Acunetix crawls and analyzes websites including flash content, SOAP and AJAX.
12. Port scans a web server and runs security checks against network services running on the server.

Burp Suite Free Edition v1.4 – Web Application Security Testing Tool

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

ZAProxy v1.3.0 – Integrated Penetration Testing Tool

ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Main Features

Intercepting Proxy, Automated scanner, Passive scanner, Brute Force scanner, Spider, Fuzzer, Port scanner, Dynamic SSL certificates, API, Beanshell integration.


FIMAP is a local and remote file inclusion (LFI/RFI) auditing tool.
Fimap is a small Python tool which can find, prepare, audit, exploit and even Google automatically for local and remote file inclusion bugs in web apps. Fimap is meant to be something like sqlmap, but for LFI/RFI bugs instead of SQL injection.

Web Application Attack and Audit Framework

W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins.
New Features:
- Considerably increased performance by implementing gzip encoding
- Enhanced embedded bug report system using Trac's XMLRPC
- Fixed hundreds of bugs
- Fixed critical bug in auto-update feature
- Enhanced integration with other tools (bug fixed and added more info to the file)

WebSploit Toolkit V 1.6

WebSploit is an open source project for scanning and analysing remote systems for vulnerabilities.
Description:
Autopwn - uses Metasploit to scan and exploit target services
wmap - scans and crawls the target using the Metasploit wmap plugin
format infector - injects reverse and bind payloads into file formats
phpmyadmin - searches for the target's phpMyAdmin login page
lfi - scans for and bypasses local file inclusion vulnerabilities, and can bypass some WAFs
apache users - searches for server username directories (if the target uses the Apache web server)
Dir Bruter - brute-forces target directories with a wordlist
admin finder - searches for the target's admin and login pages
MLITM Attack - Man Left In The Middle, XSS phishing attacks
MITM - Man In The Middle attack
Java Applet Attack - Java signed applet attack
MFOD Attack Vector - Middle Finger Of Doom attack vector
USB Infection Attack - creates an executable backdoor for infecting USB drives on Windows

Penetration Testing Oriented Browser - Sandcat Browser

Sandcat Browser is a freeware, portable, pen-test oriented multi-tabbed web browser with extensions support, developed by the Syhunt team. Features:

Live HTTP Headers and Request Editor extensions
Fuzzer extension with multiple modes and support for filters
JavaScript Executor extension, which allows you to load and run external JavaScript files
Lua Executor extension, which allows you to load and run external Lua scripts
Syhunt Gelo, HTTP Brute Force, CGI Scanner scripts and more

PHP Vulnerability Hunter v. - Automated fuzz testing tool

This is the application that detected almost all of the web application vulnerabilities listed on the advisories page. PHP Vulnerability Hunter is an advanced automated whitebox fuzz testing tool capable of triggering a wide range of exploitable faults in PHP web applications. Minimal configuration is necessary to begin a scan; PHP Vulnerability Hunter doesn’t even need a user specified starting URI.
Updated GUI validation
Several instrumentation fixes
Fixed lingering connection issue
Fixed GUI and report viewer crashes related to working directory

INSECT Pro 2.7 - Ultimate is here!

This penetration security auditing and testing software solution is designed to allow organizations of all sizes to mitigate, monitor and manage the latest security threats and vulnerabilities and to implement active security policies by performing penetration tests across their infrastructure and applications. This is a partial list of the major changes implemented in version 2.7:

- Available targets now have a sub-menu under the right-click button
- Check update function added in order to verify current version
- Threading support for GET requests
- Module log added and functional
- Sniffer support added
- 50 remote exploits added
- Project saved in user land (Application Data special folder)
- Executed module windows added, with their functionality
- Agent Connect now uses telnet lib

OWASP Zed Attack Proxy (ZAP) v.1.3.2 Released

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.
Some of ZAP's features:

Intercepting Proxy
Automated scanner
Passive scanner
Brute Force scanner
Port scanner
Dynamic SSL certificates
Beanshell integration

Uniscan 4.0 vulnerability scanner Released

The Uniscan vulnerability scanner is an information security tool that aims at finding vulnerabilities in Web systems and is licensed under the GNU General Public License 3.0 (GPL 3). Uniscan was developed in the Perl programming language, which makes it easier to work with text and has easy-to-use regular expressions, and it is also multi-threaded.

Uniscan Features

    Identification of system pages through a Web Crawler.
    Use of threads in the crawler.
    Control of the maximum number of requests made by the crawler.
    Control of variation of system pages identified by Web Crawler.
    Control of file extensions that are ignored.
    Test of pages found via the GET method.
    Test the forms found via the POST method.
    Support for SSL requests (HTTPS).
    Proxy support.

IBM Rational AppScan

IBM Rational AppScan is a family of web security testing and monitoring tools from the Rational Software division of IBM. AppScan is intended to test Web applications for security vulnerabilities during the development process, when it is least expensive to fix such problems. The product learns the behavior of each application, whether an off-the-shelf application or internally developed, and develops a program intended to test all of its functions for both common and application-specific vulnerabilities.


AppScan Standard Edition - Desktop software for automated Web application security testing environment for IT Security, auditors, and penetration testers

AppScan Tester Edition - An edition that integrates with IBM Rational Quality Manager to form a security testing QA environment

AppScan Build Edition - A version that embeds web application security testing into the build management workflow

AppScan Enterprise Edition - Client-server version used to scale security testing.

AppScan OnDemand - Identifies and prioritizes Web Application Security vulnerabilities via SaaS Model

AppScan OnDemand Production Site Monitoring - Monitors production Web content and sites for security vulnerabilities via SaaS Model

AppScan Source Edition - Prevent data breaches by locating security flaws in the source code

AppScan Reporting Console - Reporting add-on

Paros - for web application security assessment

We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

We hope you can benefit from our work and products.

If you want to support our project or obtain formal support from us, please check out the product MileSCAN ParosPro, which is further developed by our core team member and supported by us as well.
