In this article, I have compiled a list of 3 free website vulnerability scanner software. With these tools, you can perform a security audit of a website by simply providing its URL. The scanner then probes the website for vulnerabilities by running several black-box tests (SQL injection, cross-site scripting, etc.), analyzing the HTML it returns, and sending crafted HTTP GET/POST requests to it in order to discover weaknesses that an attacker could exploit and cause damage to your business. After performing the security scan of a website, you can save the vulnerability report in HTML, JSON, TXT, etc. format. Some of the software also include possible solutions for the detected threats. This might help you fix most of the vulnerabilities and make your website more secure than before. Two things to keep in mind: these are active scans that send attack payloads to the target, so only run them against websites you own or have written permission to test, and like any automated scanner they produce false positives, so verify each finding by hand before acting on it. In case you are a Chrome user, then you should definitely take a look at these free vulnerability scanner extensions which can also find potential threats on your website.
Wapiti:
Wapiti is the first free website vulnerability scanner software on my list. It is basically a command line tool which scans a specified website URL and generates a vulnerability report in HTML, XML, JSON, etc. formats. In its vulnerability report, as shown in the main screenshot above, you can see the number of vulnerabilities found by its various black-box tests, such as cross-site scripting, Htaccess bypass, CRLF injection, SQL injection, etc.
Getting started with Wapiti is pretty easy: download it from the link provided above and then extract the downloaded ZIP file. After that, open Command Prompt in the extracted directory, run the command “wapiti website_url” (e.g. wapiti ilovefreesoftware.com) and hit Enter. Newer Wapiti 3.x releases take the target with the -u flag instead (wapiti -u https://ilovefreesoftware.com), and let you pick the report format with -f and the output location with -o. Wapiti then crawls the site, performs the black-box tests like SQL injection, XXE injection, etc. and generates a vulnerability report in HTML and JSON format. After it completes the vulnerability scan, the path of the generated vulnerability report is printed in the Command Prompt itself.
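The article stops at “the report path is printed”; in practice you want to consume that report automatically, for instance to fail a build when the scan finds anything above a chosen severity. The script below is an added example written for this page, not code from the original article or from the Wapiti project. It assumes the layout of Wapiti 3’s JSON report (top-level “vulnerabilities” and “anomalies” objects keyed by category, each finding carrying method, path, parameter, info and a numeric level), and the embedded sample report is constructed to match that layout rather than taken from a real scan; the target https://example.test/ is a placeholder, and the -u, --scope, -m, -f and -o flags are Wapiti 3’s command-line options.

```python
"""Triage a Wapiti JSON report and turn it into a CI pass/fail decision."""
import json
import shutil
import subprocess
from collections import Counter

# Constructed sample shaped like a Wapiti 3 JSON report (assumed layout:
# "vulnerabilities" / "anomalies" map a category name to a list of findings,
# each with method, path, parameter, info and a numeric level).  Not real scan data.
SAMPLE_REPORT = """{
  "vulnerabilities": {
    "SQL Injection": [
      {"method": "GET", "path": "/product.php", "parameter": "id",
       "info": "SQL Injection via injection in the parameter id", "level": 3}
    ],
    "Cross Site Scripting": [
      {"method": "POST", "path": "/search.php", "parameter": "q",
       "info": "XSS vulnerability found via injection in the parameter q", "level": 2}
    ],
    "Htaccess Bypass": [],
    "CRLF Injection": []
  },
  "anomalies": {
    "Internal Server Error": [
      {"method": "GET", "path": "/old.php", "parameter": "",
       "info": "The server returned HTTP 500", "level": 1}
    ]
  },
  "infos": {"target": "https://example.test/", "version": "Wapiti 3.x", "scope": "folder"}
}"""

MAX_ACCEPTED_LEVEL = 1  # anything above this level fails the gate


def load_report(text):
    """Parse the JSON text of a Wapiti report into a dict."""
    return json.loads(text)


def findings(report, section="vulnerabilities"):
    """Yield (category, finding) pairs for every finding in one report section."""
    for category, items in report.get(section, {}).items():
        for item in items:
            yield category, item


def summarize(report):
    """Count confirmed findings per category; categories with an empty list are skipped."""
    return dict(Counter(category for category, _ in findings(report)))


def gate(report, max_level=MAX_ACCEPTED_LEVEL):
    """Return (passed, offenders): offenders are findings whose level exceeds max_level."""
    offenders = [
        f"{cat}: {item['method']} {item['path']} "
        f"param={item.get('parameter') or '-'} (level {item['level']})"
        for cat, item in findings(report)
        if item.get("level", 0) > max_level
    ]
    return (not offenders, offenders)


def wapiti_command(url, out_path, modules=("sql", "xss", "exec", "file")):
    """Build the Wapiti 3 command line that writes a JSON report to out_path."""
    return ["wapiti", "-u", url, "--scope", "folder",
            "-m", ",".join(modules), "-f", "json", "-o", out_path]


def scan_and_gate(url, out_path="wapiti-report.json"):
    """Run Wapiti against url (only a site you are authorised to test), then gate its report."""
    if shutil.which("wapiti") is None:
        raise RuntimeError("wapiti is not on PATH")
    subprocess.run(wapiti_command(url, out_path), check=True)
    with open(out_path, encoding="utf-8") as fh:
        return gate(load_report(fh.read()))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in scan_and_gate(url)
    # to run a real scan first.
    report = load_report(SAMPLE_REPORT)
    print("Findings per category:", summarize(report))
    passed, offenders = gate(report)
    print("PASS" if passed else "FAIL")
    for line in offenders:
        print("  ", line)
```

The gate only looks at the “vulnerabilities” section; anomalies (server errors, timeouts) are worth reading but usually should not block a build on their own. Raise MAX_ACCEPTED_LEVEL, or narrow the -m module list, once you have triaged the initial findings and know which ones are false positives.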
Some additional features of Wapiti:
- Generate vulnerability reports of websites.
- Very easy to use.
- It supports HTTPS and HTTP proxies.
- Import website cookies so it can scan pages that sit behind a login.
- Supports HTML 5, etc.
OWASP ZAP:
OWASP ZAP (Zed Attack Proxy) is another free penetration testing tool to discover website vulnerabilities. It crawls the specified website and analyzes the HTML pages and HTTP GET and POST requests and responses it sees, both passively and by sending attack payloads, to identify minor and major weaknesses in it. Its alerts cover issues such as missing anti-CSRF tokens, cross-domain misconfiguration, cross-domain JavaScript source file inclusion, web browser XSS protection not enabled, etc. The best part is that each alert also comes with a solution (remediation advice) in its report. You just have to specify a website URL in the Quick Start section and then start the vulnerability scan process. Once it is completed, you can see the different types of vulnerabilities in the “Alerts” tab in the bottom panel, as shown in the screenshot below. You can save the website vulnerability report from the “Report” menu at the top.
Some additional features of OWASP ZAP:
- Inspects every request and response passing through its proxy between your browser and the website.
- Can also intercept WebSocket messages to detect vulnerabilities.
- Intercepts HTTPS traffic by generating its own root CA certificate, which you install in the browser.
- Add-on (plugin) support to extend functionality.
IronWASP:
IronWASP is another free open source website vulnerability checker software. It comes with a scanning engine that can find more than 25 different vulnerability types in a website. It also comes bundled with other web security tools like WiHawk, SSL Security Checker, OWASP Skanda, etc. You just need to enter a URL to scan, it finds the vulnerabilities, and the report can be exported in HTML and RTF formats.
Getting started with IronWASP is pretty easy: just download it from the link provided above and install it. After that, open it, enter a URL to scan in the “Console” section and hit the “Start Scan” button. It then starts scanning the website and lists all discovered vulnerabilities in the Project panel on the left. It also categorizes vulnerabilities by risk level, i.e. High, Medium, and Low. You can browse these vulnerabilities from the project panel and their details are shown in the section right next to it, as shown below.
In order to generate the vulnerability report for your website, click on the “Generate Report” menu at the top. This will open a dialog box from which you can select the types of vulnerabilities to be exported in the report. By default, all the vulnerabilities are selected, so for a full report you don’t need to change the options. Simply click on the “Generate Report for the Items selected below” button and then select a file format (HTML or RTF) to save the report anywhere on your PC.
Verdict:
In this article, I introduced you to 3 free vulnerability scanners for websites. These website vulnerability scanner software can help you identify various types of vulnerabilities against different types of attacks like SQL injection, CSRF, etc. Whichever one you pick, treat its output as a list of leads rather than confirmed flaws, and scan only sites you are authorized to test. I personally liked OWASP ZAP from this list as it also suggests solutions for the discovered vulnerabilities in its report.