Penetration testing commands for Web Application Exploitation
Web application exploitation deals with discovering and taking advantage of vulnerabilities within web applications, covering areas such as SQL injection, cross-site scripting (XSS), and authentication bypass.
Name | Description | Price |
---|---|---|
0d1n | Automate customized attacks against web applications | Free |
1u.ms | zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities | Free |
230-OOB | FTP server for OOB XXE attacks | Free |
Acunetix | Web application security scanner | Paid |
Afuzz | Web directory and file scanner (wordlist bruteforce) | Free |
altair | Modular web vulnerability scanner | Free |
API-fuzzer | Library to fuzz request attributes using common pentesting techniques and list vulnerabilities | Free |
Aquatone | Domain flyover tool; visual inspection of websites across a large number of hosts, convenient for quickly gaining an overview of HTTP-based attack surface | Free |
Arachni | Web application security scanner framework | Free |
Arjun | HTTP parameter discovery suite | Free |
AssassinGo | Web pentest framework for information gathering and vulnerability scanning | Free |
Astra | REST API penetration testing tool | Free |
Atlas | Tool that suggests sqlmap tampers to bypass WAF/IDS/IPS based on status codes | Free |
b374k | Webshell with many features: file manager, search, command execution, DB connection, SQL explorer, process list | Free |
badsecrets | A library for detecting known or weak cryptographic secrets across many web frameworks | Free |
BaRMIe | Java RMI enumeration and attack tool | Free |
Beeceptor | HTTP request collector and inspector | Paid |
BFAC | Backup File Artifacts Checker; automated backup artifacts checker | Free |
Blazy | Login page bruteforcer: CSRF, SQLi, Clickjacking, WAF detection | Free |
Burp Suite | Intercepting proxy to replay, inject, scan and fuzz HTTP requests (a limited free version exists) | Paid |
Caido | Intercepting proxy to replay, inject, scan and fuzz HTTP requests (a limited free version exists) | Paid |
Cansina | Web directory and file scanner (wordlist bruteforce) | Free |
Chankro | Tool to bypass disable_functions and open_basedir in PHP by calling sendmail and setting LD_PRELOAD environment variable | Free |
Charles | Intercepting proxy to replay, inject, scan and fuzz HTTP requests | Paid |
ChopChop | Web application security scanner based on templates | Free |
clairvoyance | Obtain GraphQL API schema even if the introspection is disabled by abusing the "did you mean" feature | Free |
CloudFrunt | Scanner to identify misconfigured CloudFront domains | Free |
CMSeek | CMS detection and exploitation suite; capable of detecting more than 180 CMS | Free |
CMSmap | WordPress, Joomla, Drupal, Moodle CMS security scanner | Free |
CMSScan | WordPress, Drupal, Joomla, vBulletin CMS security scanner with dashboard | Free |
commix | Web-based command injection tester | Free |
CrackQL | GraphQL password brute-force and fuzzing utility | Free |
CSP Evaluator | Checks Content Security Policy (CSP) configuration and assists with the reviewing process | Free |
CSPass | Test for CSP bypass payloads | Free |
CSWSH | Cross-Site WebSocket Hijacking Tester | Free |
Dalfox | XSS scanner and utility focused on automation | Free |
dirb | Web directory and file scanner (wordlist bruteforce) | Free |
dirbuster | Web directory and file scanner (wordlist bruteforce) | Free |
dirsearch | Web directory and file scanner (wordlist bruteforce) | Free |
distributed-jwt-cracker | HS256 JWT token distributed brute force cracker | Free |
docem | Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. | Free |
DotDotPwn | Directory Traversal fuzzer | Free |
DotGit | Web browser extension (Firefox and Chromium) checking if .git is exposed on visited websites | Free |
droopescan | CMS scanner supporting SilverStripe and WordPress, with partial support for Joomla, Moodle, Drupal | Free |
drupwn | Drupal CMS enumeration and exploitation tool | Free |
dtd-finder | Identify DTDs on a filesystem snapshot and build XXE payloads using those local DTDs | Free |
DVCS-Pillage | Dump web accessible (distributed) version control systems (DVCS/VCS): GIT, Mercurial/hg, Bazaar/bzr, … | Free |
dvcs-ripper | Dump web accessible (distributed) version control systems (DVCS/VCS): SVN, GIT, Mercurial/hg, Bazaar/bzr, … | Free |
Enemies Of Symfony | Loots information from a Symfony target using profiler | Free |
Eyeballer | Convolutional neural network for analyzing pentest screenshots and automatically labeling them | Free |
EyeWitness | Take screenshots of websites, provide some server header info, and identify default credentials if possible | Free |
Fav-up | Favicon fingerprinting using Shodan | Free |
FavFreak | Favicon fingerprinting | Free |
Favinizer | Favicon fingerprinting | Free |
feroxbuster | Web directory and file scanner (wordlist bruteforce) | Free |
ffuf | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
Fingerprinter | CMS version detection tool | Free |
Firefly | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
Flask Session Cookie Decoder/Encoder | A script that lets you encode and decode a Flask session cookie | Free |
FockCache | Test Cache Poisoning | Free |
Fuxi | Penetration testing platform; automates some scans and attacks | Free |
fuxploider | Automates the process of detecting and exploiting file upload forms flaws | Free |
Fuzzapi | Web-UI for API-fuzzer | Free |
Ghauri | Automatic SQL injection and database takeover; inspired by SQLmap | Free |
git-dump | Dump the contents of a remote git repository without directory listing enabled | Free |
git-dumper | Dump the contents of a remote git repository without directory listing enabled | Free |
GitTools | 3 tools: Finder (find websites with .git repository exposed), Dumper (dump exposed .git), Extractor (extract commits and their content from a broken repository) | Free |
Gobuster | Web directory, file and DNS scanner (wordlist bruteforce) | Free |
gofingerprint | Identify web servers by checking their HTTP responses against a user-defined list of fingerprints | Free |
goop | Dump the contents of a remote git repository without directory listing enabled; focus on as-complete-as-possible dumps and handling as many edge-cases as possible | Free |
Gopherus | Generates gopher links for exploiting SSRF and gaining RCE access from unprotected services | Free |
gowitness | Take screenshots of websites | Free |
GraphCrawler | GraphQL automated security testing | Free |
Graphicator | GraphQL enumeration and extraction | Free |
Graphinder | GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce | Free |
GraphMan | Scaffold a postman collection for a GraphQL API; compatible with Postman and Insomnia | Free |
GraphQL Cop | Run common security tests against GraphQL | Free |
GraphQL Voyager | Represent any GraphQL API as an interactive graph | Free |
graphql-path-enum | Lists the different ways of reaching a given type in a GraphQL schema | Free |
graphql.security | Runs a dozen of security checks against a given GraphQL endpoint | Free |
GraphQLmap | Scripting engine to interact with a graphql endpoint for pentesting purposes | Free |
graphw00f | GraphQL server engine fingerprinting | Free |
Guppy Proxy | GUI HTTP intercepting proxy based on Pappy Proxy | Free |
headerpwn | Fuzzer for analyzing how servers respond to different HTTP headers | Free |
Hetty | HTTP toolkit for security research; alternative to BurpSuite | Free |
Hookbin | HTTP request collector and inspector | Free |
http-garden | Differential testing and fuzzing of HTTP servers and proxies | Free |
httpscreenshot | Take screenshots of websites | Free |
httpx | Multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library; designed to maintain result reliability with an increased number of threads | Free |
HUNT | HUNT Suite is a collection of Burp Suite Pro/Free and OWASP ZAP extensions | Free |
InQL | GraphQL security audit | Free |
Interactsh | HTTP request collector and inspector; OOB interaction gathering server and client library; DNS / HTTP / SMTP interaction support | Free |
Intrigue Core | Framework for discovering attack surface | Free |
IronWASP | Web security/vulnerability scanner (native for Windows only) | Free |
Jaeles | Framework for building your own Web Application Scanner | Free |
JAST | Take screenshots of websites | Free |
JSONBee | JSONP endpoints/payloads to help bypass content security policy of different websites | Free |
JWT cracker | Multi-threaded JWT brute-force cracker | Free |
jwt_tool | A toolkit for validating, forging and cracking JWT tokens | Free |
jwt-cracker | HS256 JWT token brute force cracker | Free |
jwt-hack | A toolkit for JWT tokens security testing | Free |
jwtcat | JWT brute-force cracker | Free |
Kadimus | LFI, RFI, RCE scanner | Free |
Katana | Crawling and spidering framework, supporting headless mode, JavaScript, customizable automatic form filling and scope control | Free |
Kraken | Modular multi-language webshell focused on web post-exploitation and defense evasion; supports PHP, JSP and ASPX | Free |
LFI Freak | LFI scan and exploit tool | Free |
LFI Suite | Automatic LFI scanner and exploiter | Free |
Liffy | LFI exploitation tool | Free |
LightBulb | Framework for auditing web application firewalls and filters | Free |
LinkFinder | Find URL endpoints and their parameters in JavaScript files | Free |
Lulzbuster | Web directory and file scanner (wordlist bruteforce) | Free |
Malzilla | Web oriented deobfuscating tool | Free |
mitmproxy | Interactive HTTPS proxy | Free |
Mockbin | HTTP request collector and inspector | Free |
monsoon | Web directory and file scanner (wordlist bruteforce) | Free |
MyJWT | A toolkit for signing, forging and cracking JWT tokens | Free |
Netsparker | Web application security scanner | Paid |
nikto | Very light web security scanner | Free |
Nosql-Exploitation-Framework | NoSQL scanning and exploitation framework | Free |
NoSQLMap | Automated NoSQL database enumeration and web application exploitation tool | Free |
NtHiM | Now, the Host is Mine!; sub-domain takeover detection | Free |
Nuclei | Web application security scanner based on templates | Free |
otori | On The Outside, Reaching In, exploitation toolbox for XXE attacks | Free |
OWASP JoomScan | Joomla vulnerability scanner | Free |
OWASP ZAP | OWASP Zed Attack Proxy, intercepting proxy to replay, inject, scan and fuzz HTTP requests | Free |
oxml_xxe | Tool for embedding XXE/XML exploits into different filetypes (docx/xlsx, odt/ods, svg, xml, etc.) | Free |
Panoptic | Automatic LFI and Path Traversal exploitation tool | Free |
Pappy Proxy | Proxy Attack Proxy ProxY, HTTP intercepting proxy | Free |
parameth | HTTP parameter discovery suite | Free |
ParamSpider | Finds parameters from web archives of the entered domain | Free |
Paros | Intercepting proxy to replay, inject, scan and fuzz HTTP requests | Free |
PeepingTom | Take screenshots of websites | Free |
PHPGGC | PHP Generic Gadget Chains, library of unserialize() payloads along with a tool to generate them, supporting various PHP frameworks | Free |
Pinkerton | Crawls JavaScript files to find secrets | Free |
Portswigger Labs Inspector | Javascript expression evaluator and inspector | Free |
PowerUpSQL | Toolkit for attacking MS SQL Server, discovery, configuration auditing, privilege escalation, post exploitation | Free |
ppfuzz | Scan for client-side prototype pollution | Free |
pphack | Client-side prototype pollution scanner | Free |
Rabid | CLI tool and library to decode all kinds of BigIP cookies | Free |
Request Inspector | HTTP request collector and inspector | Free |
RequestBin | HTTP request collector and inspector | Free |
RequestCatcher | HTTP request collector and inspector | Free |
Retire.js | Scanner detecting the use of JavaScript libraries with known vulnerabilities | Free |
Rogue JNDI | A malicious LDAP server for JNDI injection attacks | Free |
ronin-vulns | Tests URLs for Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection (SQLi), Cross Site Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects | Free |
rustbuster | Web directory, file and DNS scanner (wordlist bruteforce); but also a web fuzzer | Free |
Scout | Web directory and file scanner (wordlist bruteforce) | Free |
secureCodeBox | Continuous security scans based on kubernetes; orchestrate and automate a bunch of security-testing tools | Free |
See-SURF | SSRF scanner to find entry points | Free |
Session Hijacking Visual Exploitation | Hijack user sessions by injecting malicious JavaScript code | Free |
ShapeShifter | GraphQL schema extraction to JSON file with introspection | Free |
Simple Local File Inclusion Exploiter | LFI exploit tool | Free |
Sitadel | Web application security scanner, rewrite and newer version of WAScan | Free |
sj | Swagger Jacker; audit API endpoints defined in exposed (Swagger/OpenAPI) definition files | Free |
SleuthQL | Tool that parses Burp history to discover potential SQL injection points and prepare SQLmap request files | Free |
Smuggler | HTTP request smuggling, desync testing | Free |
snallygaster | Web scanner that looks for files accessible on web servers that shouldn't be public | Free |
spidr | Web spidering library that can spider a site, multiple domains, certain links or infinitely | Free |
SqliSniper | Time-based blind SQL injection fuzzer for HTTP headers | Free |
SQLiv | SQL injection scanner, find vulnerable entry points | Free |
sqlmap | Automatic SQL injection and database takeover | Free |
ssllabs-scan | CLI reference-implementation client for Qualys SSL Labs APIs, designed for automated and/or bulk testing | Free |
sslscan2 | Tests SSL/TLS enabled services to discover supported cipher suites | Free |
SSLyze | SSL analysis library and CLI tool | Free |
SSRF Proxy | Facilitates tunneling HTTP communications through servers vulnerable to SSRF | Free |
SSRF Sheriff | Generate custom endpoints to test SSRF; supports any HTTP method, content-specific responses, configurable secret token | Free |
SSRFmap | Automatic SSRF fuzzer and exploitation tool | Free |
STEWS | Security Testing and Enumeration of WebSockets; tool suite for security testing WebSockets: discover endpoints, fingerprint server, detect vulnerabilities | Free |
Surf | Escalate SSRF vulnerabilities on modern cloud environments, enumerate reachable hosts | Free |
testssl.sh | TLS/SSL scanner to find weak ciphers, protocols or flaws | Free |
TIDoS Framework | Comprehensive web-app audit framework | Free |
TLS map | CLI & library for mapping TLS cipher algorithm names: IANA, OpenSSL, GnuTLS, NSS | Free |
toxssin | XSS exploitation command-line interface and payload generator | Free |
tplmap | SSTI and code injection detection and exploitation tool | Free |
Tracy | Tool that helps to manually find XSS | Free |
TrashCompactor | Remove URLs with duplicate functionality based on included script resources | Free |
Typo3Scan | Enumerate Typo3 version and extensions | Free |
Uniscan | RFI, LFI and RCE scanner | Free |
V3n0M | Web dork and vulnerability scanner | Free |
vaf | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
Vega | Multi-platform web scanner and intercepting proxy | Free |
VOOKI | Windows only web application and REST API vulnerability scanner | Free |
w3af | Web application attack and audit framework, web-oriented security scanner | Free |
WAFNinja | WAF bypassing tool | Free |
wapiti | Web-oriented vulnerability scanner; can generate reports | Free |
WappaGo | Web technologies detection; assemble different features from HTTPX, Naabu, GoWitness and Wappalyzer | Free |
WAScan | Web application security scanner | Free |
webanalyze | Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning | Free |
Webhook Tester | HTTP request collector and inspector | Free |
Weevely | Web shell for post-exploitation working with a PHP agent | Free |
Wfuzz | Web directory and file scanner (wordlist bruteforce); but also a web fuzzer | Free |
What CMS | Service able to detect more than 430 CMS, find version used for some CMS, has an API for batch detection | Free |
WhatWeb | Web scanner, recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices, also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more; more than 1800 plugins | Free |
wikto | Nikto for Windows; web security scanner | Free |
WitnessMe | Take screenshots of websites, provide some server header info, and identify default credentials if possible | Free |
WPScan | WordPress CMS vulnerability scanner | Free |
wrapwrap | Generates a php://filter chain that adds a prefix and a suffix to the contents of a file | Free |
WS-Attacker | Modular framework for SOAP web services penetration testing | Free |
WSFuzzer | Fuzzing penetration testing tool for testing HTTP SOAP based web services | Free |
wsrepl | Interactive websocket REPL designed specifically for penetration testing | Free |