Penetration testing commands for Web Application Exploitation
Web application exploitation deals with discovering and taking advantage of vulnerabilities within web applications, covering areas such as SQL injection, cross-site scripting (XSS), and authentication bypass.
| Name | Description | Price |
|---|---|---|
| 0d1n | Automate customized attacks against web applications | Free |
| 1u.ms | zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities | Free |
| 230-OOB | FTP server for OOB XXE attacks | Free |
| Acunetix | Web application security scanner | Paid |
| Afuzz | Web directory and file scanner (wordlist bruteforce) | Free |
| altair | Modular web vulnerability scanner | Free |
| API-fuzzer | Library to fuzz request attributes using common pentesting techniques and lists vulnerabilities | Free |
| Aquatone | Domain flyover tool; visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface | Free |
| Arachni | Web application security scanner framework | Free |
| Arjun | HTTP parameter discovery suite | Free |
| AssassinGo | Web pentest framework for information gathering and vulnerability scanning | Free |
| Astra | REST API penetration testing tool | Free |
| Atlas | Tool that suggests sqlmap tampers to bypass WAF/IDS/IPS based on status codes | Free |
| b374k | Webshell with many features: file manager, search, command execution, DB connection, SQL explorer, process list | Free |
| badsecrets | A library for detecting known or weak cryptographic secrets across many web frameworks | Free |
| BaRMIe | Java RMI enumeration and attack tool | Free |
| Beeceptor | HTTP request collector and inspector | Paid |
| BFAC | Backup File Artifacts Checker; automated backup artifacts checker | Free |
| Blazy | Login page bruteforcer: CSRF, SQLi, Clickjacking, WAF detection | Free |
| Burp Suite | Intercepting proxy to replay, inject, scan and fuzz HTTP requests (a limited free version exists) | Paid |
| Caido | Intercepting proxy to replay, inject, scan and fuzz HTTP requests (a limited free version exists) | Paid |
| Cansina | Web directory and file scanner (wordlist bruteforce) | Free |
| Chankro | Tool to bypass disable_functions and open_basedir in PHP by calling sendmail and setting LD_PRELOAD environment variable | Free |
| Charles | Intercepting proxy to replay, inject, scan and fuzz HTTP requests | Paid |
| ChopChop | Web application security scanner based on templates | Free |
| clairvoyance | Obtain GraphQL API schema even if the introspection is disabled by abusing the "did you mean" feature | Free |
| CloudFrunt | Scanner to identify misconfigured CloudFront domains | Free |
| CMSeek | CMS detection and exploitation suite; capable of detecting more than 180 CMS | Free |
| CMSmap | WordPress, Joomla, Drupal, Moodle CMS security scanner | Free |
| CMSScan | Wordpress, Drupal, Joomla, vBulletin CMS security scanner with dashboard | Free |
| commix | Web-based command injection tester | Free |
| CrackQL | GraphQL password brute-force and fuzzing utility | Free |
| CSP Evaluator | Check Content Security Policy (CSP) configuration and assists with the reviewing process | Free |
| CSPass | Test for CSP bypass payloads | Free |
| CSWSH | Cross-Site WebSocket Hijacking Tester | Free |
| Dalfox | XSS scanner and utility focused on automation | Free |
| dirb | Web directory and file scanner (wordlist bruteforce) | Free |
| dirbuster | Web directory and file scanner (wordlist bruteforce) | Free |
| dirsearch | Web directory and file scanner (wordlist bruteforce) | Free |
| distributed-jwt-cracker | HS256 JWT token distributed brute force cracker | Free |
| docem | Uility to embed XXE and XSS payloads in docx, odt, pptx, etc | Free |
| DotDotPwn | Directory Traversal fuzzer | Free |
| DotGit | Web browser extension (Firefox and CHromium) checking if .git is exposed in visited websites | Free |
| droopescan | CMS scanner supporting SilverStripe and Wordpress, having partial support for Joomla, Moodle, Drupal | Free |
| drupwn | Drupal CMS enumeration and exploitation tool | Free |
| dtd-finder | Identify DTDs on filesystem snapshot and build XXE payloads using those local DTDs | Free |
| DVCS-Pillage | Dump web accessible (distributed) version control systems (DVCS/VCS): GIT, Mercurial/hg, Bazaar/bzr, … | Free |
| dvcs-ripper | Dump web accessible (distributed) version control systems (DVCS/VCS): SVN, GIT, Mercurial/hg, Bazaar/bzr, … | Free |
| Enemies Of Symfony | Loots information from a Symfony target using profiler | Free |
| Eyeballer | Convolutional neural network for analyzing pentest screenshots and automatically label them | Free |
| EyeWitness | Take screenshots of websites, provide some server header info, and identify default credentials if possible | Free |
| Fav-up | Favicon fingerprinting using Shodan | Free |
| FavFreak | Favicon fingerprinting | Free |
| Favinizer | Favicon fingerprinting | Free |
| feroxbuster | Web directory and file scanner (wordlist bruteforce) | Free |
| ffuf | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
| Fingerprinter | CMS version detection tool | Free |
| Firefly | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
| Flask Session Cookie Decoder/Encoder | A script that let you encode and decode a Flask session cookie | Free |
| FockCache | Test Cache Poisoning | Free |
| Fuxi | Penetration testing platform, automate some scan & attack | Free |
| fuxploider | Automates the process of detecting and exploiting file upload forms flaws | Free |
| Fuzzapi | Web-UI for API-fuzzer | Free |
| Ghauri | Automatic SQL injection and database takeover; inspired by SQLmap | Free |
| git-dump | Dump the contents of a remote git repository without directory listing enabled | Free |
| git-dumper | Dump the contents of a remote git repository without directory listing enabled | Free |
| GitTools | 3 tools: Finder (find websites with .git repository exposed), Dumper (dump exposed .git), Extractor (extract commits and their content from a broken repository) | Free |
| Gobuster | Web directory, file and DNS scanner (wordlist bruteforce) | Free |
| gofingerprint | Indentify web servers by checking their HTTP responses against a user defined list of fingerprints | Free |
| goop | Dump the contents of a remote git repository without directory listing enabled; focus on as-complete-as-possible dumps and handling as many edge-cases as possible | Free |
| Gopherus | Generates gopher link for exploiting SSRF and gaining RCE access from unprotected services | Free |
| gowitness | Take screenshots of websites | Free |
| GraphCrawler | GraphQL automated security testing | Free |
| Graphicator | GraphQL enumeration and extraction | Free |
| Graphinder | GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce | Free |
| GraphMan | Scaffold a postman collection for a GraphQL API; compatible with Postman and Insomnia | Free |
| GraphQL Cop | Run common security tests against GraphQL | Free |
| GraphQL Voyager | Represent any GraphQL API as an interactive graph | Free |
| graphql-path-enum | Lists the different ways of reaching a given type in a GraphQL schema | Free |
| graphql.security | Runs a dozen of security checks against a given GraphQL endpoint | Free |
| GraphQLmap | Scripting engine to interact with a graphql endpoint for pentesting purposes | Free |
| graphw00f | GraphQL server engine fingerprinting | Free |
| Guppy Proxy | GUI HTTP intercepting proxy based on Pappy Proxy | Free |
| headerpwn | Fuzzer for analyzing how servers respond to different HTTP headers | Free |
| Hetty | HTTP toolkit for security research; alternative to BurpSuite | Free |
| Hookbin | HTTP request collector and inspector | Free |
| http-garden | Differential testing and fuzzing of HTTP servers and proxies | Free |
| httpscreenshot | Take screenshots of websites | Free |
| httpx | Multi-purpose HTTP toolkit allows to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads | Free |
| HUNT | HUNT Suite is a collection of Burp Suite Pro/Free and OWASP ZAP extensions | Free |
| InQL | GraphQL security audit | Free |
| Interactsh | HTTP request collector and inspector; OOB interaction gathering server and client library; DNS / HTTP / SMTP interaction support | Free |
| Intrigue Core | Framework for discovering attack surface | Free |
| IronWASP | Web security/vulnerability scanner (native for Windows only) | Free |
| Jaeles | Framework for building your own Web Application Scanner | Free |
| JAST | Take screenshots of websites | Free |
| JSONBee | JSONP endpoints/payloads to help bypass content security policy of different websites | Free |
| JWT cracker | Multi-threaded JWT brute-force cracker | Free |
| jwt_tool | A toolkit for validating, forging and cracking JWT tokens | Free |
| jwt-cracker | HS256 JWT token brute force cracker | Free |
| jwt-hack | A toolkit for JWT tokens security testing | Free |
| jwtcat | JWT brute-force cracker | Free |
| Kadimus | LFI, RFI, RCE scanner | Free |
| Katana | Crawling and spidering framework, supporting headless mode, JavaScript, customizable automatic form filling and scope control | Free |
| Kraken | Modular multi-language webshell focused on web post-exploitation and defense evasion; supports PHP, JSP and ASPX | Free |
| LFI Freak | LFI scan and exploit tool | Free |
| LFI Suite | Automatic LFI scanner and exploiter | Free |
| Liffy | LFI exploitation tool | Free |
| LightBulb | Framework for auditing web application firewalls and filters | Free |
| LinkFinder | Find URL endpoints and their parameters in JavaScript files | Free |
| Lulzbuster | Web directory and file scanner (wordlist bruteforce) | Free |
| Malzilla | Web oriented deobfuscating tool | Free |
| mitmproxy | Interactive HTTPS proxy | Free |
| Mockbin | HTTP request collector and inspector | Free |
| monsoon | Web directory and file scanner (wordlist bruteforce) | Free |
| MyJWT | A toolkit for signing, forging and cracking JWT tokens | Free |
| Netsparker | Web application security scanner | Paid |
| nikto | Very light web security scanner | Free |
| Nosql-Exploitation-Framework | NoSQL scanning and exploitation framework | Free |
| NoSQLMap | Automated NoSQL database enumeration and web application exploitation tool | Free |
| NtHiM | Now, the Host is Mine!; sub-domain takeover detection | Free |
| Nuclei | Web application security scanner based on templates | Free |
| otori | On The Outside, Reaching In, exploitation toolbox for XXE attacks | Free |
| OWASP JoomScan | Joomla vulnerability scanner | Free |
| OWASP ZAP | OWASP Zed Attack Proxy, intercepting proxy to replay, inject, scan and fuzz HTTP requests | Free |
| oxml_xxe | Tool for embedding XXE/XML exploits into different filetypes (docx/xlsx, odt/ods, svg, xml, etc.) | Free |
| Panoptic | Automatic LFI and Path Traversal exploitation tool | Free |
| Pappy Proxy | Proxy Attack Proxy ProxY, HTTP intercepting proxy | Free |
| parameth | HTTP parameter discovery suite | Free |
| ParamSpider | Finds parameters from web archives of the entered domain | Free |
| Paros | Intercepting proxy to replay, inject, scan and fuzz HTTP requests | Free |
| PeepingTom | Take screenshots of websites | Free |
| PHPGGC | PHP Generic Gadget Chains, library of unserialize() payloads along with a tool to generate them, supporting various PHP frameworks | Free |
| Pinkerton | Crawl JavaScript file to find secret | Free |
| Portswigger Labs Inspector | Javascript expression evaluator and inspector | Free |
| PowerUpSQL | Toolkit for attacking MS SQL Server, discovery, configuration auditing, privilege escalation, post exploitation | Free |
| ppfuzz | Scan for client-side prototype pollution | Free |
| pphack | Client-side prototype pollution scanner | Free |
| Rabid | CLI tool and library allowing to simply decode all kind of BigIP cookies | Free |
| Request Inspector | HTTP request collector and inspector | Free |
| RequestBin | HTTP request collector and inspector | Free |
| RequestCatcher | HTTP request collector and inspector | Free |
| Retire.js | Scanner detecting the use of JavaScript libraries with known vulnerabilities | Free |
| Rogue JNDI | A malicious LDAP server for JNDI injection attacks | Free |
| ronin-vulns | Tests URLs for Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection (SQLi), Cross Site Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects | Free |
| rustbuster | Web directory, file and DNS scanner (wordlist bruteforce); but also a web fuzzer | Free |
| Scout | Web directory and file scanner (wordlist bruteforce) | Free |
| secureCodeBox | Continuous security scans based on kubernetes; orchestrate and automate a bunch of security-testing tools | Free |
| See-SURF | SSRF scanner to find entry points | Free |
| Session Hijacking Visual Exploitation | Hijack user sessions by injecting malicious JavaScript code | Free |
| ShapeShifter | GraphQL schema extraction to JSON file with introspection | Free |
| Simple Local File Inclusion Exploiter | LFI exploit tool | Free |
| Sitadel | Web application security scanner, rewrite and newer version of WAScan | Free |
| sj | Swagger Jacker; audit API endpoints defined in exposed (Swagger/OpenAPI) definition files | Free |
| SleuthQL | Tool that parses Burp history to discover potential SQL injection points and prepare SQLmap request files | Free |
| Smuggler | HTTP request smuggling, desync testing | Free |
| snallygaster | Web scanner that looks for files accessible on web servers that shouldn't be public | Free |
| spidr | Web spidering library that can spider a site, multiple domains, certain links or infinitely | Free |
| SqliSniper | Time-based blind SQL injection fuzzer for HTTP headers | Free |
| SQLiv | SQL injection scanner, find vulnerable entry points | Free |
| sqlmap | Automatic SQL injection and database takeover | Free |
| ssllabs-scan | CLI reference-implementation client for Qualys SSL Labs APIs, designed for automated and/or bulk testing | Free |
| sslscan2 | Tests SSL/TLS enabled services to discover supported cipher suites | Free |
| SSLyze | SSL analysis library and a CLI tools | Free |
| SSRF Proxy | Facilitates tunneling HTTP communications through servers vulnerable to SSRF | Free |
| SSRF Sheriff | Genereate custom endpoint to test SSRF; support any HTTP method, content-specific responses, configurable secret token | Free |
| SSRFmap | Automatic SSRF fuzzer and exploitation tool | Free |
| STEWS | Security Testing and Enumeration of WebSockets; tool suite for security testing WebSockets: discover endpoints, fingerprint server, detect vulnerabilities | Free |
| Surf | Escalate SSRF vulnerabilities on modern cloud environments, enumerate reachable hosts | Free |
| testssl.sh | TLS/SSL scanner to find weak ciphers, protocols or flaws | Free |
| TIDoS Framework | Comprehensive web-app audit framework | Free |
| TLS map | CLI & library for mapping TLS cipher algorithm names: IANA, OpenSSL, GnUTLS, NSS | Free |
| toxssin | XSS exploitation command-line interface and payload generator | Free |
| tplmap | SSTI and code injection detection and exploitation tool | Free |
| Tracy | Tool that help to manually find XSS | Free |
| TrashCompactor | Remove URLs with duplicate funcionality based on script resources included | Free |
| Typo3Scan | Enumerate Typo3 version and extensions | Free |
| Uniscan | RFI, LFi and RCE scanner | Free |
| V3n0M | Web dork and vulnerability scanner | Free |
| vaf | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
| Vega | Multi-platform web scanner and intercepting proxy | Free |
| VOOKI | Windows only web application and REST API vulnerability scanner | Free |
| w3af | Web application attack and audit framework, web-oriented security scanner | Free |
| WAFNinja | WAF bypassing tool | Free |
| wapiti | Web-oriented vulnerability scanner, can generates reports | Free |
| WappaGo | Web technologies detection; assemble different features from HTTPX, Naabu, GoWitness and Wappalyzer | Free |
| WAScan | Web application security scanner | Free |
| webanalyze | Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning | Free |
| Webhook Tester | HTTP request collector and inspector | Free |
| Weevely | Web shell for post-exploitation working with a PHP agent | Free |
| Wfuzz | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
| What CMS | Service able to detect more than 430 CMS, find version used for some CMS, has an API for batch detection | Free |
| WhatWeb | Web scanner, recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices, also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more; more than 1800 plugins | Free |
| wikto | Nikto for Windows; web security scanner | Free |
| WitnessMe | Take screenshots of websites, provide some server header info, and identify default credentials if possible | Free |
| WPScan | WordPress CMS vulnerability scanner | Free |
| wrapwrap | Generates a php://filter chain that adds a prefix and a suffix to the contents of a file | Free |
| WS-Attacker | Modular framework for SOAP web services penetration testing | Free |
| WSFuzzer | Fuzzing penetration testing tool for testing HTTP SOAP based web services | Free |
| wsrepl | Interactive websocket REPL designed specifically for penetration testing | Free |