You are on page 1of 11

Webapp tools https://blackarch.org/webapp.

html

Over 1800 tools

Webapp The list

Home (index.html) / tools (tools.html) / webapp

Packages that primarily attack social networking sites.

Tool count: 145 ()

BlackArch webapp

Name Version Description Homepage


Web security tool to make
0d1n 201.977b1d7 fuzzing at HTTP inputs, (https://github.com/CoolerVoid/0d1n)
made in C with libCurl.

1 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


Simple admin panel finder
(https://github.com/sahakkhotsanyan
adfind 19.8d62713 for php,js,cgi,asp and aspx
/adfind)
admin panels.
This python script looks for
a large amount of possible (http://packetstormsecurity.com/files
adminpagefinder 0.1
administrative interfaces on /112855/Admin-Page-Finder-Script.html)
a given site.
A SQLi exploitation
albatar 24.142f892 (https://github.com/lanjelot/albatar)
framework in Python.
A XSS vulnerability (https://github.com/lewangbtcc
anti-xss 165.6534a4d
scanner. /anti-XSS)
A feature-full, modular,
high-performance Ruby
framework aimed towards
arachni 1.5.1 helping penetration testers (https://www.arachni-scanner.com)
and administrators
evaluate the security of
web applications.
bbqsql 259.4f7c086 SQL injection exploit tool. (https://github.com/neohapsis/bbqsql)
A tiny Batch weB
bbscan 35.995e1ea (https://github.com/lijiejie/bbscan)
vulnerability Scanner.
This is a python script for
searching Bing for sites
(http://packetstormsecurity.com/files
bing-lfi-rfi 0.1 that may have local and
/121590/Bing-LFI-RFI-Scanner.html)
remote file inclusion
vulnerabilities.
Cross-Site Scripting (https://github.com
brutexss 54.ba753df
Bruteforcer. /shawarkhanethicalhacker/BruteXSS)
Blind SQL Injection Brute
bsqlbf 2.7 (http://code.google.com/p/bsqlbf-v2/)
Forcer.
Blind SQL injection
bsqlinjector 8.5dc3f27 exploitation tool written in (https://github.com/enjoiz/BSQLinjector)
ruby.
A python-based Web
cansina 174.850603e (https://github.com/deibit/cansina)
Content Discovery Tool.
Tool that generates a PHP
capable of run a custom
binary (like a meterpreter)
(https://github.com/TarlogicSecurity
chankro 3.c150607 or a bash script (p.e.
/Chankro)
reverse shell) bypassing
disable_functions &
open_basedir).
Drag and Drop
ClickJacking exploit
cjexploiter 6.72b08d8 (https://github.com/enddo/CJExploiter)
development assistance
tool.
Python script to bypass
cloudflare from command (https://github.com/eudemonics
cloudget 53.807d08e
line. Built upon cfscrape /cloudget)
module.

2 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


Joomla, Mambo,
PHP-Nuke, and XOOPS
(http://packetstormsecurity.com/files
cms-few 0.1 CMS SQL injection
/64722/cms_few.py.txt.html)
vulnerability scanning tool
written in Python.
Fuzzer for wordpress, cold
(https://github.com/nahamsec
cmsfuzz 5.6be5a98 fusion, drupal, joomla, and
/CMSFuzz)
phpnuke.
Automated All-in-One OS
(https://github.com/stasinopoulos
commix 852.4dac77e Command Injection and
/commix)
Exploitation Tool.
Web recon tool (find
temporary files, parse
robots.txt, search folders,
crawlic 51.739fe2b (https://github.com/Ganapati/Crawlic)
google dorks and search
domains hosted on same
server).
The OWASP CSRFTester
Project attempts to give
(http://www.owasp.org/index.php
csrftester 1.0 developers the ability to
/Category:OWASP_CSRFTester_Project)
test their applications for
CSRF flaws.
A Python Web path
cybercrowl 87.26bef0f (https://github.com/chamli/CyberCrowl)
scanner tool.
This tool will try to find
every website that host at (http://sourceforge.net/projects
darkjumper 5.8
the same server at your /darkjumper/)
target.
Fingerprints servers, finds
davscan 23.ce342c0 (https://github.com/Graph-X/davscan)
exploits, scans WebDAV.
Tool for finding path of
dff-scanner 1.1 predictable resource (http://netsec.rs/70/tools.html)
locations.
C CLI implementation of (https://github.com/digination
dirbuster-ng 9.0c34920
the Java dirbuster tool. /dirbuster-ng)
HTTP(S) directory/file brute (https://github.com/maurosoria
dirsearch 204.fb88b47
forcer. /dirsearch)
A tool used for
(https://github.com/coldfusion39/domi-
domi-owned 41.583d0a5 compromising IBM/Lotus
owned)
Domino servers.
Passive Vulnerability
doork 6.90c7260 (https://github.com/AeonDave/doork)
Auditor.
drupal- Enumerate on drupal (https://github.com/Tethik/drupal-
7.58a8e69
module-enum modules. module-enumeration)
Simple non-intrusive (https://rubygems.org
drupalscan 0.5.2
Drupal scanner. /gems/DrupalScan/)
A fully functional File
inclusion vulnerability
scanner (supporting GET
dsfs 32.e27d6cb (https://github.com/stamparm/DSFS)
and POST parameters)
written in under 100 lines
of code.

3 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


A fully functional
JavaScript library
dsjs 21.79cb2c4 vulnerability scanner (https://github.com/stamparm/DSJS)
written in under 100 lines
of code.
A fully functional SQL
injection vulnerability
scanner (supporting GET
dsss 116.6d14edb (https://github.com/stamparm/DSSS)
and POST parameters)
written in under 100 lines
of code.
A fully functional Cross-site
scripting vulnerability
scanner (supporting GET
dsxs 117.7fd87d0 (https://github.com/stamparm/DSXS)
and POST parameters)
written in under 100 lines
of code.
Tool which aims to lure
attackers using various
types of web vulnerability
(http://sourceforge.net/projects
epicwebhoneypot 2.0a scanners by tricking them
/epicwebhoneypot/)
into believing that they
have found a vulnerability
on a host.
Designed to take
screenshots of websites,
provide some server (https://github.com/ChrisTruncer
eyewitness 605.537d82a
header info, and identify /EyeWitness)
default credentials if
possible.
(https://github.com/chinoogawa/fbht-
fbht 70.d75ae93 A Facebook Hacking Tool
linux)
This is a framework for
HTTP related attacks. It is
written in Perl with a GTK
interface, has a proxy for (http://packetstormsecurity.com/files
fhttp 1.3
debugging and /104315/FHTTP-Attack-Tool.3.html)
manipulation, proxy
chaining, evasion rules,
and more.
An extremely fast and
filebuster 29.3764608 (https://github.com/henshin/filebuster)
flexible web fuzzer.
Webkit based webclient
ghost-py 0.2.3 (http://jeanphix.github.com/Ghost.py/)
(relies on PyQT).
A repository with 3 tools for
(https://github.com/internetwache
gittools 23.d2455b3 pwn'ing websites with .git
/GitTools)
repositories available'.
Opensource web security
golismero 50.3af264a (https://github.com/golismero/golismero)
testing framework.
A web application scanner.
Basically it detects some
grabber 0.1 (http://rgaucher.info/beta/grabber/)
kind of vulnerabilities in
your website.

4 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


A web application analysis
tool for detecting
htcap 45.e54399f (https://github.com/segment-srl/htcap)
communications between
javascript and the server.
A set of shell tools that let
you manipulate, send,
receive, and analyze HTTP
messages. These tools can
be used to test, discover, (http://packetstormsecurity.com/files
httpforge 11.02.01
and assert the security of /98109/HTTPForge.02.01.html)
Web servers, apps, and
sites. An accompanying
Python library is available
for extensions.
"Repeater" style XSS
httppwnly 47.528a664 post-exploitation tool for (https://github.com/Danladi/HttpPwnly)
mass browser control.
Penetration testing tool that
would take as input a list of
domain names, scan them,
determine if wordpress or
joomla platform was used
(https://github.com/stasinopoulos
jaidam 10.a7d7c4a and finally check them
/jaidam)
automatically, for web
vulnerabilities using two
well-known open source
tools, WPScan and
Joomscan.
Jboss verify and
jexboss 86.338b531 (https://github.com/joaomatosf/jexboss)
Exploitation Tool.
This php script fingerprints
a given Joomla system and
(http://packetstormsecurity.com/files
then uses Packet Storm's
jomplug 0.1 /121390/Janissaries-Joomla-Fingerprint-
archive to check for bugs
Tool.html)
related to the installed
components.
A Joomla password brute
jooforce 11.43c21ad (https://github.com/rastating/jooforce)
force tester.
Joomla scanner scans for
known vulnerable remote (http://packetstormsecurity.com/files
joomlascan 1.2
file inclusion paths and /62126/joomlascan.2.py.txt.html)
files.
A black box, Ruby
joomlavs 230.e26b637 powered, Joomla (https://github.com/rastating/joomlavs)
vulnerability scanner.
Detects file inclusion, sql
injection, command
joomscan 2012.03.10 (http://joomscan.sourceforge.net/)
execution vulnerabilities of
a target Joomla! web site.
A Java application for
jsql-injection 0.79 automatic SQL database (https://github.com/ron190/jsql-injection)
injection.
kadimus 50.5897871 LFI Scan & Exploit Tool. (https://github.com/P0cL4bs/Kadimus)

5 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


A web application
fingerprinting engine
kolkata 3.0 written in Perl that (http://www.blackhatlibrary.net/Kolkata)
combines cryptography
with IDS evasion.
This perl script leverages
/proc/self/environ to
(http://packetstormsecurity.com/files
lfi-exploiter 1.1 attempt getting code
/124332/LFI-Exploiter.1.html)
execution out of a local file
inclusion vulnerability..
A simple tool to help in the
fuzzing for, finding, and
exploiting of local file (http://packetstormsecurity.com/files
lfi-fuzzploit 1.1
inclusion vulnerabilities in /106912/LFI-Fuzzploit-Tool.1.html)
Linux-based PHP
applications.
A simple script to infect
images with PHP (http://packetstormsecurity.com/files
lfi-image-helper 0.8
Backdoors for local file /129871/LFI-Image-Helper.8.html)
inclusion attacks.
This tool helps you exploit
LFI (Local File Inclusion)
vulnerabilities. Post
discovery, simply pass the (http://packetstormsecurity.com/files
lfi-sploiter 1.0 affected URL and /96056/Simple-Local-File-Inclusion-
vulnerable parameter to Exploiter.0.html)
this tool. You can also use
this tool to scan a URL for
LFI vulnerabilities.
A unique automated LFi
(https://github.com/OsandaMalith
lfifreak 21.0c6adef Exploiter with
/LFiFreak/)
Bind/Reverse Shells.
This script is used to take
the highest beneficts of the
lfimap 1.4.8 local file include (https://code.google.com/p/lfimap/)
vulnerability in a
webserver.
A Local File Inclusion
liffy 65.8011cdd (https://github.com/rotlogix/liffy)
Exploitation tool.
Python framework for
(https://github.com/lightbulb-framework
lightbulb 27.a77c818 auditing web applications
/lightbulb-framework)
firewalls.
Scan a Magento site for (https://github.com/steverobbins
magescan 1.12.5
information. /magescan)
Web Command Injection
mando.me 9.8b34f1a (https://github.com/z0noxz/mando.me)
Tool.
Tool for scanning the HTTP
methods supported by a
webserver. It works by
metoscan 05 (http://www.open-labs.org/)
testing a URL and
checking the responses for
the different requests.

6 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


Path Traversal checking
morxtraversal 1.0 (http://www.morxploit.com/tools/)
tool.
Automatic SQL injection
utility using a lsit of URI
multiinjector 0.4 (http://chaptersinwebsecurity.blogspot.de
addresses to test
/2008/11/multiinjector-v03-released.html)
parameter manipulation.
Automated Mongo
(https://github.com/tcstool
nosqlmap 194.da333c3 database and NoSQL web
/NoSQLMap.git)
application exploitation tool
A webshell framework for (https://github.com/chrisallenlane
novahot 1.0.1
penetration testers. /novahot)
OWASP Directory Access (https://github.com/stanislav-
opendoor 107.a913a17
scanner. web/OpenDoor)
A web application
(https://github.com/depasonico/OWASP-
owasp-bywaf 26.e730d1b penetration testing
ByWaf)
framework (WAPTF).
The Offensive (Web) (https://www.owasp.org/index.php
owtf 1017.0bbeea1
Testing Framework. /OWASP_OWTF)
An intercepting proxy for
pappy-proxy 66.cd9b3ef (https://github.com/roglew/pappy-proxy)
web application testing.
Java-based HTTP/HTTPS
proxy for assessing web
app vulnerabilities.
Supports editing/viewing
paros 3.2.13 HTTP messages on-the-fly, (http://www.parosproxy.org)
spiders, client certificates,
proxy-chaining, intelligent
scanning for XSS and
SQLi, etc.
Web Payload list editor to
use techniques to try (https://github.com/CoolerVoid
payloadmask 16.ff38964
bypass web application /payloadmask)
firewall.
A tool to take screenshots
(https://bitbucket.org/LaNMaSteR53
peepingtom 56.bc6f4d8 of websites. Much like
/peepingtom)
eyewitness.
A Findsock Shell
(https://github.com/pentestmonkey
php-findsock-shell2.b8a984f implementation in PHP +
/php-findsock-shell)
C.
Stealth post-exploitation
phpsploit 749.f34864d (https://github.com/nil0x42/phpsploit)
framework.
Wordpress finger printer
plecost 88.149fd34 (https://github.com/iniqua/plecost)
Tool.
A security scanner for
plown 13.ccf998c (https://github.com/unweb/plown)
Plone CMS.
THE REAL hacker friendly
proxenet 712.67fc6b5 proxy for web application (https://github.com/hugsy/proxenet)
pentests.
Free web-application
pyfiscan 1920.bd6fd54 vulnerability and version (https://github.com/fgeek/pyfiscan)
scanner.
Web backdoor - infector -
riwifshell 38.40075d5 (https://github.com/graniet/riwifshell)
explorer.

7 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


A tool to abuse Exchange
ruler 195.152d9a4 (https://github.com/sensepost/ruler)
services.
The Remote Web
Workplace Attack tool will
perform a dictionary attack
against a live Microsoft
Windows Small Business (http://packetstormsecurity.com/files
rww-attack 0.9.2 Server's 'Remote Web /79021/Remote-Web-Workplace-Attack-
Workplace' portal. It Tool.html)
currently supports both
SBS 2003 and SBS 2008
and includes features to
avoid account lock out.
sawef 28.e65dc9f Send Attack Web Forms. (https://github.com/danilovazb/sawef)
A fast high-level scraping
scrapy 1.4.0 and web crawling (http://scrapy.org)
framework.
Web Apps Scanner and
secscan 1.5 (http://code.google.com/p/secscan-py/)
Much more utilities.
A web fuzzing script written (http://packetstormsecurity.com/files
shortfuzzy 0.1
in perl. /104872/Short-Fuzzy-Rat-Scanner.html)
PHP Command Injection
smplshllctrlr 9.2baf390 (https://github.com/z0noxz/smplshllctrlr)
exploitation tool.
Automatic XSS filter
snuck 6.76196b6 (https://github.com/mauro-g/snuck)
bypass.
Static Php Analysis and
spaf 11.671a976 (https://github.com/Ganapati/spaf)
Fuzzer.
An open source tool written
in python to audit web
sparty 0.1 applications using (http://sparty.secniche.org/)
sharepoint and frontpage
architecture.
Configurable web resource (https://github.com/getdual/scripts-
spiga 460.59d653c
scanner. n-tools/blob/master/spiga.py)
A Proxy for detecting
(http://www.immunitysec.com/resources-
spike-proxy 148 vulnerabilities in web
freesoftware.shtml)
applications
SPIP (CMS) scanner for
spipscan 69.4ad3235 penetration testing purpose (https://github.com/PaulSec/SPIPScan)
written in Python.
sqid 0.3 A SQL injection digger. (http://sqid.rubyforge.org/)
Automatic SQL injection
sqlmap 1.1.6 (http://sqlmap.org)
and database takeover tool
Automatic SQL injection
themole 0.3 (http://sourceforge.net/projects/themole/)
exploitation tool.
Automatic Server-Side
Template Injection
tplmap 650.1a033c3 (https://github.com/epinna/tplmap)
Detection and Exploitation
Tool.
Enumerate Typo3 version (https://github.com/whoot/Typo-
typo-enumerator 77.9565029
and extensions. Enumerator)

8 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


A script that automates
detection of security flaws
uppwn 5.b7cdd93 (https://github.com/ferrery1/UpPwn)
on websites' file upload
systems'.
Generate and test domain
typos and variations to
detect and perform typo (http://www.morningstarsecurity.com
urlcrazy 0.5
squatting, URL hijacking, /research/urlcrazy)
phishing, and corporate
espionage.
A python tool to extract
URL addresses from
urldigger 02c different HOT sources (https://code.google.com/p/urldigger/)
and/or detect SPAM and
malicious code
A comprehensive web
penetration testing tool (http://packetstormsecurity.com/files
vanguard 0.1 written in Perl thatidentifies /110603/Vanguard-Pentesting-
vulnerabilities in web Scanner.html)
applications.
A black box vBulletin
vbscan 25.27c77e9 vulnerability scanner (https://github.com/rezasp/vbscan)
written in perl.
An open source platform to
vega 1.0 test the security of web (https://github.com/subgraph/Vega/wiki)
applications.
Black box tool for
(https://github.com/varunjammula
vsvbp 6.241a7ab Vulnerability detection in
/VSVBP)
web applications.
vulnerabilities- A tool to scan for web (https://github.com/muhammad-bouabid
1.426e70f
spider vulnerabilities. /Vulnerabilities-spider)
A tool which contains two
(https://github.com/khalilbijjou
wafninja 18.f9ec0ae functions to attack Web
/WAFNinja)
Application Firewalls.
An easy to use Web
Application Finger Printing (http://packetstormsecurity.com/files
wafp 0.01_26c3 tool written in ruby using /84468/Web-Application-Finger-
sqlite3 databases for Printer.01-26c3.html)
storing the fingerprints.
Analysing parameters with
all payloads' bypass
(https://github.com/wafpassproject
wafpass 44.624ac65 methods, aiming at
/wafpass)
benchmarking security
solutions like WAF.
Download the entire
waybackpack 49.36db906 Wayback Machine archive (https://github.com/jsvine/waybackpack)
for a given URL.
A plugin based scanner for
(http://packetstormsecurity.com/files
web-soul 2 attacking and data mining
/122064/Web-Soul-Scanner.html)
web sites written in Perl.
A handler for PHP system
webhandler 334.bcc9f0d functions & also an (https://github.com/lnxg33k/webhandler)
alternative 'netcat' handler.

9 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


A tool designed for brute
webslayer 5 (https://code.google.com/p/webslayer/)
forcing Web Applications.
An OWASP Top 10
webxploiter 56.c03fe6b (https://github.com/xionsec/WebXploiter)
Security scanner.
Tool to perform user and
(https://github.com/WebBreacher
whatsmyname 203.d4a9651 username enumeration on
/WhatsMyName)
various websites.
Tool tod etect if a given
whichcdn 22.5fc6ddd website is protected by a (https://github.com/Nitr4x/whichCDN)
Content Delivery Network.
WebApp Information
wig 574.d5ddd91 (https://github.com/jekyc/wig)
Gatherer.
A perl script that consists
of a port scanner, LFI
scanner, MD5 bruteforcer, (http://packetstormsecurity.com/files
witchxtool 1.1 dork SQL injection /97465/Witchxtool-Port-LFI-SQL-Scanner-
scanner, fresh proxy And-MD5-Bruteforcing-Tool.1.html)
scanner, and a dork LFI
scanner.
A Ruby framework for
developing and using
wordpress- modules which aid in the (https://github.com/rastating/wordpress-
582.aa5a883
exploit-framework penetration testing of exploit-framework)
WordPress powered
websites and systems.
wpforce 66.609ea93 Wordpress Attack Suite. (https://github.com/n00py/WPForce)
Black box WordPress
wpscan 2.9.2 (http://wpscan.org)
vulnerability scanner
Simple Wordpress Security
wpseku 16.e5dc097 (https://github.com/m4ll0k/WPSeku)
Scanner.
A modular framework for
ws-attacker 1.7 web services penetration (http://ws-attacker.sourceforge.net/)
testing.
Interactive cli tool for HTTP
wuzz 187.b289c84 (https://github.com/asciimoo/wuzz)
inspection.
XSS spider - 66/66 wavsep (https://github.com/DanMcInerney
xsscrapy 138.f859faa
XSS detected. /xsscrapy)
A penetration testing tool
xsser 1.7 for detecting and exploiting (http://xsser.sourceforge.net/)
XSS vulnerabilites.
An automated XSS
(https://github.com
xssless 45.8e7ebe1 payload generator written
/mandatoryprogrammer/xssless)
in python.
Web Application XSS
xsspy 50.9c76ec7 (https://github.com/faizann24/XssPy)
Scanner.
A brute force cross site
xsss 0.40b (http://www.sven.de/xsss/)
scripting scanner.
Command line tool for
detection of XSS attacks in
(https://github.com/gwroblew
xssscan 17.7f1ea90 URLs. Based on
/detectXSSlib)
ModSecurity rules from
OWASP CRS.

10 of 11 6/9/17, 6:54 PM
Webapp tools https://blackarch.org/webapp.html

Name Version Description Homepage


An automatic XSS
xsssniper 0.9 (https://github.com/gbrindisi/xsssniper)
discovery tool
A Cross Site Scripting
(https://github.com/yehia-mamdouh
xssya 13.cd62817 Scanner & Vulnerability
/XSSYA)
Confirmation.
Automatic WAF bypass
xwaf 119.cb7964a (https://github.com/3xp10it/bypass_waf)
tool.
yaaf 7.4d6273a Yet Another Admin Finder. (https://github.com/Plasticoo/YAAF)
A ruby script that scans for
vulnerable & exploitable
yasuo 117.8fd52f2 (https://github.com/0xsauby/yasuo)
3rd-party web applications
on a network.
The YAWAST Antecedent
yawast 416.8ed019e Web Application Security (https://github.com/adamcaudill/yawast)
Toolkit.
A web crawler that is useful
for grabbing all user
supplied input related to a (http://packetstormsecurity.com/files
ycrawler 0.1
given website and will save /98546/yCrawler-Web-Crawling-Utility.html)
the output. It has proxy and
log file support.
A proof-of-concept tool for
generating payloads that
ysoserial 0.0.4 (https://github.com/frohoff/ysoserial)
exploit unsafe Java object
deserialization.
Integrated penetration
testing tool for finding
zaproxy 2.6.0 (https://www.owasp.org/index.php/ZAP)
vulnerabilities in web
applications

(https://github.com/BlackArch) (https://twitter.com/blackarchlinux) (irc://irc.freenode.net

/blackarch) (https://blackarch.org/blog.html) (https://blackarch.org/rss.xml)


BlackArch Linux 2013-2017

11 of 11 6/9/17, 6:54 PM