Penetration testing commands for Web Application Exploitation

Web application exploitation deals with discovering and taking advantage of vulnerabilities within web applications, covering areas such as SQL injection, cross-site scripting (XSS), and authentication bypass.

| Name | Description | Price |
|---|---|---|
| 0d1n | Automate customized attacks against web applications | Free |
| 1u.ms | Zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities | Free |
| 230-OOB | FTP server for OOB XXE attacks | Free |
| Acunetix | Web application security scanner | Paid |
| Afuzz | Web directory and file scanner (wordlist bruteforce) | Free |
| altair | Modular web vulnerability scanner | Free |
| API-fuzzer | Library to fuzz request attributes using common pentesting techniques and list vulnerabilities | Free |
| Aquatone | Domain flyover tool; visual inspection of websites across a large number of hosts, convenient for quickly gaining an overview of HTTP-based attack surface | Free |
| Arachni | Web application security scanner framework | Free |
| Arjun | HTTP parameter discovery suite | Free |
| AssassinGo | Web pentest framework for information gathering and vulnerability scanning | Free |
| Astra | REST API penetration testing tool | Free |
| Atlas | Tool that suggests sqlmap tampers to bypass WAF/IDS/IPS based on status codes | Free |
| b374k | Webshell with many features: file manager, search, command execution, DB connection, SQL explorer, process list | Free |
| badsecrets | A library for detecting known or weak cryptographic secrets across many web frameworks | Free |
| BaRMIe | Java RMI enumeration and attack tool | Free |
| Beeceptor | HTTP request collector and inspector | Paid |
| BFAC | Backup File Artifacts Checker; automated backup artifacts checker | Free |
| Blazy | Login page bruteforcer: CSRF, SQLi, Clickjacking, WAF detection | Free |
| Burp Suite | Intercepting proxy to replay, inject, scan and fuzz HTTP requests (a limited free version exists) | Paid |
| Caido | Intercepting proxy to replay, inject, scan and fuzz HTTP requests (a limited free version exists) | Paid |
| Cansina | Web directory and file scanner (wordlist bruteforce) | Free |
| Chankro | Tool to bypass disable_functions and open_basedir in PHP by calling sendmail and setting LD_PRELOAD environment variable | Free |
| Charles | Intercepting proxy to replay, inject, scan and fuzz HTTP requests | Paid |
| ChopChop | Web application security scanner based on templates | Free |
| clairvoyance | Obtain GraphQL API schema even if the introspection is disabled by abusing the "did you mean" feature | Free |
| CloudFrunt | Scanner to identify misconfigured CloudFront domains | Free |
| CMSeek | CMS detection and exploitation suite; capable of detecting more than 180 CMS | Free |
| CMSmap | WordPress, Joomla, Drupal, Moodle CMS security scanner | Free |
| CMSScan | WordPress, Drupal, Joomla, vBulletin CMS security scanner with dashboard | Free |
| commix | Web-based command injection tester | Free |
| CrackQL | GraphQL password brute-force and fuzzing utility | Free |
| CSP Evaluator | Checks Content Security Policy (CSP) configuration and assists with the review process | Free |
| CSPass | Test for CSP bypass payloads | Free |
| CSWSH | Cross-Site WebSocket Hijacking Tester | Free |
| Dalfox | XSS scanner and utility focused on automation | Free |
| dirb | Web directory and file scanner (wordlist bruteforce) | Free |
| dirbuster | Web directory and file scanner (wordlist bruteforce) | Free |
| dirsearch | Web directory and file scanner (wordlist bruteforce) | Free |
| distributed-jwt-cracker | HS256 JWT token distributed brute force cracker | Free |
| docem | Utility to embed XXE and XSS payloads in docx, odt, pptx, etc | Free |
| DotDotPwn | Directory Traversal fuzzer | Free |
| DotGit | Web browser extension (Firefox and Chromium) checking if .git is exposed in visited websites | Free |
| droopescan | CMS scanner supporting SilverStripe and WordPress, having partial support for Joomla, Moodle, Drupal | Free |
| drupwn | Drupal CMS enumeration and exploitation tool | Free |
| dtd-finder | Identify DTDs on filesystem snapshot and build XXE payloads using those local DTDs | Free |
| DVCS-Pillage | Dump web accessible (distributed) version control systems (DVCS/VCS): GIT, Mercurial/hg, Bazaar/bzr, … | Free |
| dvcs-ripper | Dump web accessible (distributed) version control systems (DVCS/VCS): SVN, GIT, Mercurial/hg, Bazaar/bzr, … | Free |
| Enemies Of Symfony | Loots information from a Symfony target using profiler | Free |
| Eyeballer | Convolutional neural network for analyzing pentest screenshots and automatically labeling them | Free |
| EyeWitness | Take screenshots of websites, provide some server header info, and identify default credentials if possible | Free |
| Fav-up | Favicon fingerprinting using Shodan | Free |
| FavFreak | Favicon fingerprinting | Free |
| Favinizer | Favicon fingerprinting | Free |
| feroxbuster | Web directory and file scanner (wordlist bruteforce) | Free |
| ffuf | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
| Fingerprinter | CMS version detection tool | Free |
| Firefly | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
| Flask Session Cookie Decoder/Encoder | A script that lets you encode and decode a Flask session cookie | Free |
| FockCache | Test Cache Poisoning | Free |
| Fuxi | Penetration testing platform, automates some scans and attacks | Free |
| fuxploider | Automates the process of detecting and exploiting file upload form flaws | Free |
| Fuzzapi | Web-UI for API-fuzzer | Free |
| Ghauri | Automatic SQL injection and database takeover; inspired by SQLmap | Free |
| git-dump | Dump the contents of a remote git repository without directory listing enabled | Free |
| git-dumper | Dump the contents of a remote git repository without directory listing enabled | Free |
| GitTools | 3 tools: Finder (find websites with .git repository exposed), Dumper (dump exposed .git), Extractor (extract commits and their content from a broken repository) | Free |
| Gobuster | Web directory, file and DNS scanner (wordlist bruteforce) | Free |
| gofingerprint | Identify web servers by checking their HTTP responses against a user-defined list of fingerprints | Free |
| goop | Dump the contents of a remote git repository without directory listing enabled; focus on as-complete-as-possible dumps and handling as many edge-cases as possible | Free |
| Gopherus | Generates gopher link for exploiting SSRF and gaining RCE access from unprotected services | Free |
| gowitness | Take screenshots of websites | Free |
| GraphCrawler | GraphQL automated security testing | Free |
| Graphicator | GraphQL enumeration and extraction | Free |
| Graphinder | GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce | Free |
| GraphMan | Scaffold a postman collection for a GraphQL API; compatible with Postman and Insomnia | Free |
| GraphQL Cop | Run common security tests against GraphQL | Free |
| GraphQL Voyager | Represent any GraphQL API as an interactive graph | Free |
| graphql-path-enum | Lists the different ways of reaching a given type in a GraphQL schema | Free |
| graphql.security | Runs a dozen security checks against a given GraphQL endpoint | Free |
| GraphQLmap | Scripting engine to interact with a GraphQL endpoint for pentesting purposes | Free |
| graphw00f | GraphQL server engine fingerprinting | Free |
| Guppy Proxy | GUI HTTP intercepting proxy based on Pappy Proxy | Free |
| headerpwn | Fuzzer for analyzing how servers respond to different HTTP headers | Free |
| Hetty | HTTP toolkit for security research; alternative to BurpSuite | Free |
| Hookbin | HTTP request collector and inspector | Free |
| http-garden | Differential testing and fuzzing of HTTP servers and proxies | Free |
| httpscreenshot | Take screenshots of websites | Free |
| httpx | Multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library; designed to maintain result reliability with increased threads | Free |
| HUNT | HUNT Suite is a collection of Burp Suite Pro/Free and OWASP ZAP extensions | Free |
| InQL | GraphQL security audit | Free |
| Interactsh | HTTP request collector and inspector; OOB interaction gathering server and client library; DNS / HTTP / SMTP interaction support | Free |
| Intrigue Core | Framework for discovering attack surface | Free |
| IronWASP | Web security/vulnerability scanner (native for Windows only) | Free |
| Jaeles | Framework for building your own Web Application Scanner | Free |
| JAST | Take screenshots of websites | Free |
| JSONBee | JSONP endpoints/payloads to help bypass content security policy of different websites | Free |
| JWT cracker | Multi-threaded JWT brute-force cracker | Free |
| jwt_tool | A toolkit for validating, forging and cracking JWT tokens | Free |
| jwt-cracker | HS256 JWT token brute force cracker | Free |
| jwt-hack | A toolkit for JWT tokens security testing | Free |
| jwtcat | JWT brute-force cracker | Free |
| Kadimus | LFI, RFI, RCE scanner | Free |
| Katana | Crawling and spidering framework, supporting headless mode, JavaScript, customizable automatic form filling and scope control | Free |
| Kraken | Modular multi-language webshell focused on web post-exploitation and defense evasion; supports PHP, JSP and ASPX | Free |
| LFI Freak | LFI scan and exploit tool | Free |
| LFI Suite | Automatic LFI scanner and exploiter | Free |
| Liffy | LFI exploitation tool | Free |
| LightBulb | Framework for auditing web application firewalls and filters | Free |
| LinkFinder | Find URL endpoints and their parameters in JavaScript files | Free |
| Lulzbuster | Web directory and file scanner (wordlist bruteforce) | Free |
| Malzilla | Web oriented deobfuscating tool | Free |
| mitmproxy | Interactive HTTPS proxy | Free |
| Mockbin | HTTP request collector and inspector | Free |
| monsoon | Web directory and file scanner (wordlist bruteforce) | Free |
| MyJWT | A toolkit for signing, forging and cracking JWT tokens | Free |
| Netsparker | Web application security scanner | Paid |
| nikto | Very light web security scanner | Free |
| Nosql-Exploitation-Framework | NoSQL scanning and exploitation framework | Free |
| NoSQLMap | Automated NoSQL database enumeration and web application exploitation tool | Free |
| NtHiM | Now, the Host is Mine!; sub-domain takeover detection | Free |
| Nuclei | Web application security scanner based on templates | Free |
| otori | On The Outside, Reaching In, exploitation toolbox for XXE attacks | Free |
| OWASP JoomScan | Joomla vulnerability scanner | Free |
| OWASP ZAP | OWASP Zed Attack Proxy, intercepting proxy to replay, inject, scan and fuzz HTTP requests | Free |
| oxml_xxe | Tool for embedding XXE/XML exploits into different filetypes (docx/xlsx, odt/ods, svg, xml, etc.) | Free |
| Panoptic | Automatic LFI and Path Traversal exploitation tool | Free |
| Pappy Proxy | Proxy Attack Proxy ProxY, HTTP intercepting proxy | Free |
| parameth | HTTP parameter discovery suite | Free |
| ParamSpider | Finds parameters from web archives of the entered domain | Free |
| Paros | Intercepting proxy to replay, inject, scan and fuzz HTTP requests | Free |
| PeepingTom | Take screenshots of websites | Free |
| PHPGGC | PHP Generic Gadget Chains, library of unserialize() payloads along with a tool to generate them, supporting various PHP frameworks | Free |
| Pinkerton | Crawl JavaScript files to find secrets | Free |
| Portswigger Labs Inspector | JavaScript expression evaluator and inspector | Free |
| PowerUpSQL | Toolkit for attacking MS SQL Server, discovery, configuration auditing, privilege escalation, post exploitation | Free |
| ppfuzz | Scan for client-side prototype pollution | Free |
| pphack | Client-side prototype pollution scanner | Free |
| Rabid | CLI tool and library to simply decode all kinds of BigIP cookies | Free |
| Request Inspector | HTTP request collector and inspector | Free |
| RequestBin | HTTP request collector and inspector | Free |
| RequestCatcher | HTTP request collector and inspector | Free |
| Retire.js | Scanner detecting the use of JavaScript libraries with known vulnerabilities | Free |
| Rogue JNDI | A malicious LDAP server for JNDI injection attacks | Free |
| ronin-vulns | Tests URLs for Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection (SQLi), Cross Site Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects | Free |
| rustbuster | Web directory, file and DNS scanner (wordlist bruteforce); but also a web fuzzer | Free |
| Scout | Web directory and file scanner (wordlist bruteforce) | Free |
| secureCodeBox | Continuous security scans based on Kubernetes; orchestrate and automate a bunch of security-testing tools | Free |
| See-SURF | SSRF scanner to find entry points | Free |
| Session Hijacking Visual Exploitation | Hijack user sessions by injecting malicious JavaScript code | Free |
| ShapeShifter | GraphQL schema extraction to JSON file with introspection | Free |
| Simple Local File Inclusion Exploiter | LFI exploit tool | Free |
| Sitadel | Web application security scanner, rewrite and newer version of WAScan | Free |
| sj | Swagger Jacker; audit API endpoints defined in exposed (Swagger/OpenAPI) definition files | Free |
| SleuthQL | Tool that parses Burp history to discover potential SQL injection points and prepare SQLmap request files | Free |
| Smuggler | HTTP request smuggling, desync testing | Free |
| snallygaster | Web scanner that looks for files accessible on web servers that shouldn't be public | Free |
| spidr | Web spidering library that can spider a site, multiple domains, certain links or infinitely | Free |
| SqliSniper | Time-based blind SQL injection fuzzer for HTTP headers | Free |
| SQLiv | SQL injection scanner, find vulnerable entry points | Free |
| sqlmap | Automatic SQL injection and database takeover | Free |
| ssllabs-scan | CLI reference-implementation client for Qualys SSL Labs APIs, designed for automated and/or bulk testing | Free |
| sslscan2 | Tests SSL/TLS enabled services to discover supported cipher suites | Free |
| SSLyze | SSL analysis library and CLI tool | Free |
| SSRF Proxy | Facilitates tunneling HTTP communications through servers vulnerable to SSRF | Free |
| SSRF Sheriff | Generate custom endpoint to test SSRF; supports any HTTP method, content-specific responses, configurable secret token | Free |
| SSRFmap | Automatic SSRF fuzzer and exploitation tool | Free |
| STEWS | Security Testing and Enumeration of WebSockets; tool suite for security testing WebSockets: discover endpoints, fingerprint server, detect vulnerabilities | Free |
| Surf | Escalate SSRF vulnerabilities on modern cloud environments, enumerate reachable hosts | Free |
| testssl.sh | TLS/SSL scanner to find weak ciphers, protocols or flaws | Free |
| TIDoS Framework | Comprehensive web-app audit framework | Free |
| TLS map | CLI & library for mapping TLS cipher algorithm names: IANA, OpenSSL, GnuTLS, NSS | Free |
| toxssin | XSS exploitation command-line interface and payload generator | Free |
| tplmap | SSTI and code injection detection and exploitation tool | Free |
| Tracy | Tool that helps to manually find XSS | Free |
| TrashCompactor | Remove URLs with duplicate functionality based on script resources included | Free |
| Typo3Scan | Enumerate Typo3 version and extensions | Free |
| Uniscan | RFI, LFI and RCE scanner | Free |
| V3n0M | Web dork and vulnerability scanner | Free |
| vaf | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
| Vega | Multi-platform web scanner and intercepting proxy | Free |
| VOOKI | Windows-only web application and REST API vulnerability scanner | Free |
| w3af | Web application attack and audit framework, web-oriented security scanner | Free |
| WAFNinja | WAF bypassing tool | Free |
| wapiti | Web-oriented vulnerability scanner, can generate reports | Free |
| WappaGo | Web technologies detection; assemble different features from HTTPX, Naabu, GoWitness and Wappalyzer | Free |
| WAScan | Web application security scanner | Free |
| webanalyze | Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning | Free |
| Webhook Tester | HTTP request collector and inspector | Free |
| Weevely | Web shell for post-exploitation working with a PHP agent | Free |
| Wfuzz | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
| What CMS | Service able to detect more than 430 CMS, find version used for some CMS, has an API for batch detection | Free |
| WhatWeb | Web scanner, recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices, also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more; more than 1800 plugins | Free |
| wikto | Nikto for Windows; web security scanner | Free |
| WitnessMe | Take screenshots of websites, provide some server header info, and identify default credentials if possible | Free |
| WPScan | WordPress CMS vulnerability scanner | Free |
| wrapwrap | Generates a php://filter chain that adds a prefix and a suffix to the contents of a file | Free |
| WS-Attacker | Modular framework for SOAP web services penetration testing | Free |
| WSFuzzer | Fuzzing penetration testing tool for testing HTTP SOAP based web services | Free |
| wsrepl | Interactive websocket REPL designed specifically for penetration testing | Free |