How to look for web application vulnerabilities: comparing eight popular scanners

    Web application scanners are a fairly popular category of software today. There are paid scanners, there are free ones. Each of them has its own set of parameters and vulnerabilities that are possible to detect. Some are limited only to those published in the OWASP Top Ten (Open Web Application Security Project), some go much further in their black-box testing.

    In this post we collected eight popular scanners, examined them in more detail and tried them out. Independent points on two platforms (.NET and php) were selected as training targets: and .


    As the name suggests, the OWASP organization that we mentioned in the introduction is responsible for the release of OWASP ZAP . This is a free tool for penetration testing and for finding vulnerabilities in web applications.

    Key features of OWASP ZAP:

    • Man-in-the-middle proxy
    • Traditional and AJAX spiders
    • Automated scanner
    • Passive scanner
    • Forced browsing
    • Fuzzer

    Additional features
    • Dynamic SSL certificates
    • Smartcard and Client Digital Certificates support
    • Web sockets support
    • Support for a wide range of scripting languages
    • Plug-n-hack support
    • Authentication and session support
    • Powerful REST based API
    • Automatic updating option
    • Integrated and growing marketplace of add-ons

    The program interface has been translated into Russian, which will be convenient for some users. The OWASP ZAP workspace is composed of several windows. At the bottom there are tabs with current tasks and the process of their implementation, on the left - a tree of sites, you can additionally display in the right part of the request and response window.

    Using the marketplace, you can slightly expand the functionality of the scanner.

    Each component of the program has many customizable parameters. For example, we can configure incoming vectors for active scanning, generate dynamic SSL certificates, add HTTP session identifiers, etc.

    Let's move on to the tests. When scanning a site , a Blind SQL Injection was found. This is where critical vulnerabilities end.

    OWASP ZAP full results at
    H: Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause
    M: X-Frame-Options Header Not Set
    L: X-Content-Type-Options Header Missing
    L: Web browser xss protection is not enabled

    At we see more interesting results: the Server Side Include (SSI) and Reflected Cross Site Scripting features were found.

    Full OWASP ZAP results at
    H: Server Side Include
    H: Reflected Cross Site Scripting
    M: X-Frame-Options Header Not Set
    M: Application Error Disclosure
    M: Directory Browsing
    M: Secure Pages Include Mixed Content (Including Scripts)
    L: X-Content-Type-Options Header Missing
    L: Web browser xss protection is not enabled
    L: Cross-Domain JavaScript Source File Inclusion
    L: Incomplete or No Cache-control and Pragma HTTP Header Set
    L: Cookie No Http Only Flag
    L: Cookie Without Secure Flag
    L: Content-Type Header Missing
    L: Private IP Disclosure
    I: Image Exposes Location or Privacy Data

    All scan results can be exported to a report (* .pdf, * .html, * .xml, * .json are supported). The report describes in detail vulnerabilities, vectors found, as well as methods for "closing" vulnerabilities.

    In general, we liked working with OWASP ZAP. There are all the necessary tools for the Pentest web application, a simple and intuitive interface, quick one-click scanning. And at the same time, flexible, deep settings for a more detailed scan, which can serve as a starting point for further manual search for vulnerabilities. Below we will also talk about the Burp Suite Pro scanner, which has a lot in common with OWASP ZAP. By the number and quality of vulnerabilities found, the first scanner we examined showed a very good result. Recommended for use in work.


    W9scan is a free console vulnerability scanner for the site with more than 1200 built-in plug-ins that can detect fingerprints of web pages, ports, analyze the structure of the website, find various popular vulnerabilities, scan for SQL Injection, XSS, etc.

    A more complete list of W9scan features
    - fingerprint detection

    • Can identify common website CMS fingerprints (300+)
    • Recognizable common website frame
    • Identify common port service fingerprints
    • Detect website scripting language
    • Detect operating system type
    • Detection Website Firewall (WAF)

    - Attack parameter

    • SQL injection (based on crawlers)
    • XSS injection (based on reptiles)
    • A large number of Fuzz parameter scans
    • CVE vulnerability
    • struts Vulnerability collection (including automatic detection)
    • Shellshock cgi test
    • heartbeat bleeding heart
    • IIS parsing vulnerability
    • IIS Put vulnerability

    - Violent cracking

    • Backup files and directories (based on crawlers)
    • Backup files and directories (based on domain name)
    • Common directory
    • Common file
    • Subdomain violence analysis
    • fckeditorPath enumeration
    • Common mdbdatabase enumeration
    • git svn leak identification
    • TOMCAT web.xml Give way

    - Collect message

    • Emails (based on reptiles)
    • Private IP (based on reptiles)
    • Email (based on reptiles)
    • Detecting Warnings, Fatal Error, ...
    • PHP version identification
    • IIS information disclosure
    • IP address attribution
    • Integrated Wappalyzer recognition script
    • robots.txt Analysis
    • Detecting unsafe headers in headers
    • Detecting unsafe factors in cookies

    W9scan automatically generates reports of scan results in HTML format. To start a scan, you only need to specify the site URL and plugins that will be used. You can select everything at once by adding “all”.

    When scanning, W9scan found svn and possible payload download paths. From the less critical one, I determined the versions of the services used, possible vectors for conducting XXE, XXS attacks, found the server configuration files and searched for subdomains. Nothing critical was found

    on . But the scanner identified possible attack vectors, defined service versions, directories and subdomains.

    Based on the scan results, W9scan automatically generates an HTML report file.

    W9scan scanner is suitable for quick launch in a single command and we recommend using it as an auxiliary tool for determining service versions, as well as potential attack vectors.


    Another good console scanner . Just like W9scan, it is ready to start in one command, while it has more different scan settings.

    Wapiti searches for the following vulnerabilities:

    • File disclosure (Local and remote include / require, fopen, readfile ...)
    • Database Injection (PHP / JSP / ASP SQL Injections and XPath Injections)
    • XSS (Cross Site Scripting) injection (reflected and permanent)
    • Command Execution detection (eval (), system (), passtru () ...)
    • CRLF Injection (HTTP Response Splitting, session fixation ...)
    • XXE (XML External Entity) injection
    • SSRF (Server Side Request Forgery)
    • Use of know potentially dangerous files
    • Weak .htaccess configurations that can be bypassed
    • Presence of backup files giving sensitive information
    • Shellshock

    In addition to all the above, there is support for proxies (HTTP, HTTPs and SOCKS5), various authentication methods (Basic, Digest, Kerberos, NTLM), support for SSL certificates, the ability to add various HTTP headers or user-agent settings.

    When scanning the site , the vulnerabilities Blind SQL Injection, Cross Site Scripting, Commands execution were found. On, Wapiti, in comparison with other scanners, shows not such outstanding results: only Cross Site Scripting was detected.

    Based on the results of the scanner, an HTML report is also generated that contains the categories and the number of vulnerabilities found, their description, queries, commands for curl and tips on how to close the security holes found.

    As expected, Wapiti does not reach the level of OWASP ZAP. Nevertheless, it worked better than W9scan , although it did not search directories, subdomains and determine the version of services.


    A powerful free processor for testing web application security and vulnerability search. It has a graphical interface and huge functionality, which can be found in more detail on the official website .

    Active testing:

    • SQL injection - Error based detection
    • Blind SQL injection using differential analysis
    • Blind SQL injection using timing attacks
    • NoSQL injection - Error based vulnerability detection
    • Blind NoSQL injection using differential analysis

    Full feature list for active testing
    • CSRF detection
    • Code injection
    • Blind code injection using timing attacks
    • LDAP injection
    • Path traversal
    • File inclusion
    • Response splitting
    • OS command injection
    • Blind OS command injection using timing attacks
    • Remote file inclusion
    • Unvalidated redirects
    • Unvalidated DOM redirects
    • XPath injection
    • Xss
    • Path xss
    • XSS in event attributes of HTML elements
    • XSS in HTML tags
    • XSS in script context
    • DOM XSS
    • DOM XSS script context
    • Source code disclosure
    • XML External Entity

    Passive testing:

    • Allowed HTTP methods
    • Backup files
    • Backup directories
    • Common administration interfaces
    • Common directories
    • Common files

    Complete list of passive testing features
    • HTTP PUT
    • Insufficient Transport Layer Protection for password forms
    • WebDAV detection (webdav).
    • HTTP TRACE detection
    • Credit card number disclosure
    • CVS / SVN user disclosure
    • Private IP address disclosure
    • Common backdoors
    • .htaccess LIMIT misconfiguration
    • Interesting responses
    • HTML object grepper
    • Email address disclosure
    • US Social Security Number disclosure
    • Forceful directory listing
    • Mixed resource / scripting
    • Insecure cookies
    • HttpOnly cookies
    • Auto-complete for password form fields.
    • Origin Spoof Access Restriction Bypass
    • Form-based upload
    • localstart.asp
    • Cookie set for parent domain
    • Missing Strict-Transport-Security headers for HTTPS sites
    • Missing x-frame-options headers
    • Insecure CORS policy
    • Insecure cross-domain policy
    • Insecure cross-domain policy
    • Insecure client-access policy

    Impressive, isn't it? But that is not all. A bunch of plug-ins are also wrapped in the web, for example Passive Proxy, Dictionary attacker for HTTP Auth, Cookie collector, WAF Detector, etc. The

    scanner has a nice and concise web interface:

    And this is what Arachni found on our test sites. :

    • Cross-Site Scripting (XSS) in script context
    • Blind SQL Injection (differential analysis)
    • Code injection
    • Code injection (timing attack)
    • Operating system command injection (timing attack)
    • Operating system command injection

    Other vulnerabilities on
    H: File Inclusion
    H: Cross-Site Scripting (XSS) in HTML tag
    H: Cross-Site Scripting (XSS)
    H: Path Traversal
    M: Backup file
    M: Common directory
    L: Missing 'X-Frame-Options 'header
    L: Password field with auto-complete
    L: Insecure client-access policy
    L: Insecure cross-domain policy (allow-access-from)
    L: Common sensitive file

    On , only the possibility of cross-site request forgery (CSRF) was discovered from the critical one.

    Arachni full results at
    H: Cross-Site Request Forgery
    M: Mixed Resource
    M: Common directory
    M: Missing 'Strict-Transport-Security' header
    L: Private IP address disclosure

    Separately, we note what nice reports Arachni gives us. Many formats are supported - HTML, XML, text, JSON, Marshal, YAML, AFR.

    In general, Arachni leaves only positive impressions after work. Our opinion: this is a “must have” in the arsenal of any self-respecting specialist .


    Another GUI web vulnerability scanner . By default, it is included in the Kali Linux distribution and is installed there locally. It has a built-in proxy through which sites for analysis are added, a built-in web spider that can analyze the site and build a query map.

    To scan a user's personal account, it is necessary to log in to the browser with the traffic redirection enabled through the Paros proxy. The scanner will use authorized cookies during the scanning process. The activity report can be exported to HTML. It is saved in the root / paros / session / LatestScannedReport.htm file and is subsequently overwritten. If you want to save the result of the previous scan, then before starting the next scan you need to create a copy of the existing file.

    Key features (with an eye on OWASP TOP 10 2017):

    • A1: Injection - SQLinjection, SQLinjection Fingerprint (places where SQLinj could potentially be)
    • A6: Security Misconfiguration - Directory browsing, ISS default file, Tomcat source file disclosure, IBM WebSphere default files and some other standard or obsolete files (Obsolete file) containing source code and more.
    • A7: XSS

    Additional features:

    • Search for enabled autocomplete for password forms. Moreover, if the input field has an attribute type = "password", a false positive is obtained.
    • CRLF injection
    • Secure page browser cache (caching pages in a browser with important information)
    • Ability to scan a protected area of ​​a user (personal account)
    • Ability to scan web applications on a local network

    In the final report for each type of vulnerability there is more detailed information and some recommendations on how to fix it.

    In our testing, Paros showed rather weak results. The following were found on :

    H: SQL injection
    M: XSS
    M: Deprecated source files
    M: Using autocomplete in forms with important information (passwords, etc.).
    L: Disclosure of internal IPs
    At and even less:
    M: Directory browsing
    M: Using autocomplete in forms with important information (passwords, etc.).

    As a result, although the Paros scanner is simple and quite convenient to use, poor scan resultsforced to abandon its use .

    Paid multifunctional cloud scanner that can detect a large number of web vulnerabilities and almost completely covers OWASP TOP 10 2017. The

    service has a built-in web spider. If you specify authorization data (authorization request, login and password, authorized cookies) in the scan settings, the scanner will also check your personal account (zone of the authorized user).

    In addition to scanning web applications, can scan the network - both for known vulnerabilities and for searching hosts. It is possible to connect agents to scan the internal network. It is possible to export the report in various formats: * .nessus, * .csv, * .db, * .pdf.

    In the screenshot, all domains are “test”

    Additional scan profiles. This article is not affected

    After scanning, statistics and prioritization of the vulnerabilities found become critical - critical, high, middle, low, information

    The vulnerability card provides additional information about it and some recommendations for resolving it.

    Scan . Vulnerabilities with high:

    H priority : Vulnerabilities in components
    - out-of- date version of PHP
    - out-of- date version of Apache
    H: Code injection
    H: SQLinj
    H: XSS
    H: LFI
    H: Path Traversal

    Middle and low vulnerabilities
    M: Disclosure of valuable data - the full path, backups
    M: Disclosure of internal IP
    M: Cookie without HTTPOnly flag
    M: Password sending via HTTP
    L: Autocomplete in forms with important information
    L: Server response to TRACE requests
    L: Headers are not installed Cache-Control, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection

    Now . High:

    H: Vulnerabilities in Components

    • out of support version of PHP
    • Apache vulnerabilities
    • Bootstrap vulnerabilities
    • jQuery vulnerabilities

    Middle and low vulnerabilities
    M: Web server phpinfo()
    M: Совместное использование HTTP и HTTPS
    M: Отсутствие перенаправления с HTTP на HTTPS
    M: Directory browsing
    M: Найдены backup файлы
    M: Использование небезопасной версии протокола SSL
    M: Истечение срока сертификата SSL/TLS
    L: Раскрытие внутренних IP
    L: Cookie без флага HTTPOnly
    L: Ответ сервера на TRACE запросы
    L: Не установлены header`ы Strict-Transport-Security, Cache-Control, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection

    The scanner performed well, found many vulnerabilities . Working with it is simplified by a convenient graphical interface and data presentation. Another plus is the presence of additional scan profiles, into which we have decided so far not to bury. An important feature is the cloud service structure. On the one hand, the service does not use local computing resources of a working computer. On the other hand, it will not be able to scan web applications on the local network.

    Burp suite pro

    Burp Suite is a complete web application review solution . It includes a variety of utilities to improve and speed up the search for vulnerabilities in web applications.

    Burp Suite has the following utilities:

    • Proxy — прокси-сервер, который перехватывает трафик, проходящий по протоколу HTTP(S), в режиме man-in-the-middle. Находясь между браузером и целевым веб-приложением, эта утилита позволяет перехватывать, изучать и изменять трафик, идущий в обоих направлениях.
    • Spider — веб-паук, который в автоматическом режиме собирает информацию о содержимом и функционале приложения (веб-ресурса).
    • Scanner (только в Burp Suite Pro) — сканер для автоматического поиска уязвимостей в веб-приложениях.
    • Intruder — гибкая утилита, позволяющая в автоматическом режиме производить атаки различного вида. Например, перебор идентификаторов, сбор важной информации и прочее.
    • Repeater — инструмент для ручного изменения и повторной отсылки отдельных HTTP-запросов, а также для анализа ответов приложения.
    • Sequencer — утилита для анализа случайных данных приложения на возможность предсказания алгоритма их генерации.
    • Decoder — утилита для ручного или автоматического кодирования и декодирования данных приложения.
    • Comparer — инструмент для поиска визуальных различий между двумя вариациями данных.
    • Extender — инструмент для добавления расширений в Burp Suite

    The Scanner utility is presented in the eponymous tab of the main window of the Burp Suite program. The interface is English-speaking, but who can this scare off now?

    The Issue Definition tab provides a complete list of all vulnerabilities that this scanner can identify. It should be noted that the list is very impressive.

    All vulnerabilities are divided into 3 categories: high, medium, low. There is also a category of information, which includes mechanisms for collecting various useful information about the scanned resource.
    When starting a scan in the Scan queue window, we can observe the progress in stages. "Color differentiation of pants" is present.

    On the Options tab, the basic scan settings are configured.

    For convenience, the options are divided into categories. If necessary, you can get help for each category directly from the settings window.

    In general, Burp Suite Pro showed a good result. When scanning , enough vulnerabilities were found and classified to gain full control over the web application and its data - these are OS command injection, SSTI, and File path traversal.

    Burp Suite Pro full results at
    H: OS command injection
    H: File path traversal
    H: Out-of-band resource load (HTTP)
    H: Server-side template injection
    H: Cross-site scripting (reflected)
    H: Flash cross-domain policy
    H: Silverlight cross-domain policy
    H: Cleartext submission of password
    H: External service interaction (DNS)
    H: External service interaction (HTTP)
    M: SSL certificate (not trusted or expired)
    L: Password field with autocomplete enabled
    L: Form action hijacking (reflected)
    L: Unencrypted communications
    L: Strict transport security not enforced

    The following were found on :
    H: Cross-site scripting (reflected)
    M: SSL cookie without secure flag set
    M: SSL certificate (not trusted or expired)
    L: Cookie without HttpOnly flag set
    L: Password field with autocomplete enabled
    L: Strict transport security not enforced

    If you often use Burp Suite for the web pentest , you like its ecosystem, but would like to somehow automate the process of searching for vulnerabilities, then this utility will fit perfectly into your arsenal .


    In conclusion - another very good commercial scanner . It is very actively promoted through advertising, but Acutenix would not have been successful without its extensive functionality. Among the vulnerabilities available to him for detection are all types of SQL injection, Cross site scripting, CRLF injection and other pleasures of the pentester of web applications. It is worth noting that for high-quality scanning, you need to select the correct profile.

    The dashboard interface is nice:

    All identified vulnerabilities are traditionally divided into four categories: High, Medium, Low. Well, and where without the Information category, which includes all the interesting, according to the scanner, data.

    On the Scans tab, we can observe the progress of scanning and other diagnostic information.

    After the scan is completed, on the Vulnerabilities tab, we can get acquainted with what and in what quantity was found. Color differentiation in place.

    In the test on the scanner showed a good result, but with frankly let us down .

    Full Acunetix Results
    H: Apache 2.2.14 mod_isapi Dangling Pointer
    H: Blind SQL Injection
    H: Cross site scripting
    H: Cross site scripting (verified)
    H: Directory traversal
    H: File inclusion
    H: PHP code injection
    H: Server-side template injection
    H: SVN repository found
    H: User controllable script source
    M: Access database found
    M: Apache 2.x version older than 2.2.9
    M: Apache httpd remote denial of service
    M: Apache httpOnly cookie disclosure
    M: Application error message
    M: Backup files
    M: Directory listing
    M: HTML form without CSRF protection
    M: Insecure clientaccesspolicy.xml file
    M: Partial user controllable script source
    M: PHP hangs on parsing particular strings as floating point number
    M: PHP preg_replace used on user input
    M: Source code disclosure
    M: User credentials are sent in clear text
    L: Apache 2.x version older than 2.2.10
    L: Apache mod_negotiation filename bruteforcing
    L: Clickjacking: X-Frame-Options header missing
    L: Login page password-guessing attack
    L: Possible relative path overwrite
    L: Possible sensitive directories
    L: Possible sensitive files
    L: TRACE method is enabled
    L: Clickjacking: X-Frame-Options header missing

    Acunetix has great features and is suitable if you are looking for a stand-alone solution . The web interface is simple and clear, infographics and reports look quite digestible. Misfires are possible during scanning, but, as Tony Stark said: “This happens to men. Infrequently. One out of five. "

    General results

    And now conclusions on all tested scanners.

    • OWASP ZAP we liked. Recommended for use.
    • We recommend using W9scan as an auxiliary tool for determining versions and services, as well as potential attack vectors.
    • Wapiti does not reach OWASP ZAP, but we have worked better than W9scan.
    • Arachni is just a must-have.
    • Paros scans poorly, and we do not recommend it.
    • is good, it finds many vulnerabilities. But it is worth considering that it is cloudy.
    • Burp Suite Pro we recommend those who like the Burp Suite ecosystem but lack automation.
    • Acunetix is ​​for those looking for a scanner as a stand-alone application.

    Also popular now: