andrewji8

Web Vulnerability Scanning Top Tool Collection (Complete)

Below are several free and open-source web application vulnerability scanners:

Grabber is a free and open-source web application scanning tool that can detect many security vulnerabilities in web applications. It checks for cross-site scripting, SQL injection, and file inclusion, and also provides Ajax testing, a JS source code analyzer, and backup file checks. Grabber is suited to testing small web applications, because scanning large applications takes too long. It has no GUI and does not generate PDF reports, and is mainly for personal use.

Download link: https://github.com/neuroo/grabber

Vega is a free and open-source web vulnerability scanner and testing platform. With this tool, you can perform security testing on web applications. Vega is written in Java and provides a GUI-based environment, suitable for OS X, Linux, and Windows. It can be used to find SQL injection, header injection, directory listing, shell injection, cross-site scripting, file inclusion, and other web application vulnerabilities.

Download link: https://subgraph.com/vega/

Zed Attack Proxy (ZAP) is an open-source tool developed by OWASP, suitable for Windows, Unix/Linux, and Macintosh platforms. It can be used to find various vulnerabilities and is very easy to use. Even if you are not familiar with penetration testing, you can easily start learning web application penetration testing with this tool. ZAP includes an intercepting proxy, an automated scanner, a spider, a fuzzer, web socket support, plug-and-play support, authentication support, a REST-based API, dynamic SSL certificates, and smart card and client certificate support, among other features.

Download link: https://github.com/zaproxy/zaproxy

Wapiti is a good web vulnerability scanner that can be used to audit the security of web applications. It performs black-box testing: it scans the application's web pages and injects payloads to see whether a script is vulnerable. It supports GET and POST HTTP attacks and can detect file disclosure, file inclusion, cross-site scripting (XSS), command execution, CRLF injection, SQL injection, XPath injection, .htaccess configuration weaknesses, and backup file disclosure vulnerabilities, among others.

Download link: http://wapiti.sourceforge.net/

W3af is a popular web application attack and audit framework, written in Python, that is designed to provide a better web application penetration testing platform. With this tool, you can identify over 200 web application vulnerabilities, including SQL injection, cross-site scripting, and many others.

Download link: http://w3af.org/

WebScarab is a Java-based security framework for analyzing web applications that use the HTTP or HTTPS protocol. Its functionality can be extended through available plugins. It is used as an intercepting proxy, so you can view the requests and responses exchanged between the browser and the server and modify them before they reach the server or browser. This tool is suitable for people who have a good understanding of the HTTP protocol and can write code, but it is not suitable for beginners.

Download link: https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

Skipfish is also a good web application security tool. It crawls websites and checks each page for security threats, then generates a final report. The tool is written in C and is highly optimized for handling HTTP, using minimal CPU resources. Skipfish claims to be able to handle 2000 requests per second without adding load to the CPU.

Download link: https://code.google.com/archive/p/skipfish/

Ratproxy is also an open-source web application security auditing tool that can be used to find security vulnerabilities in web applications. It supports Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments. This tool aims to address the problems that users typically encounter when using other proxy tools for security auditing. It can distinguish CSS stylesheets from JavaScript code, and it supports SSL decryption by acting as a man-in-the-middle, allowing you to view data transmitted via SSL.

Download link: https://code.google.com/archive/p/ratproxy/

SQLMap is a powerful open-source penetration testing tool that can automatically find and exploit SQL injection vulnerabilities in website databases. It has an advanced detection engine and a range of practical features that allow penetration testers to easily perform SQL injection detection.

Download link: https://github.com/sqlmapproject/sqlmap

Wfuzz is a free and open-source web application penetration testing tool that can be used to brute-force GET and POST parameters in order to test for various injection types such as SQL injection, XSS, LDAP, etc. It also supports cookie fuzzing, multithreading, SOCKS, proxies, authentication, parameter brute-forcing, multiple proxies, etc.

Download link: https://github.com/xmendez/wfuzz

Grendel-Scan is an open-source web application security tool used to automatically find security vulnerabilities in web applications. It provides many features and can also be used for manual penetration testing. This tool is suitable for Windows, Linux, and Macintosh systems and is developed using Java.

Download link: https://sourceforge.net/projects/grendel/

Arachni is an open-source tool developed specifically for penetration testing environments. It can detect various web application security vulnerabilities such as SQL injection, XSS, local file inclusion, remote file inclusion, unvalidated redirects, etc.

Download link: http://www.arachni-scanner.com/
