0d1n|189.61913dc|Web security tool to make fuzzing at HTTP inputs, made in C with libCurl.|https://github.com/CoolerVoid/0d1n
adfind|11.b38db67|Admin Panel Finder.|https://github.com/sahakkhotsanyan/adfind
adminpagefinder|0.1|This python script looks for a large amount of possible administrative interfaces on a given site.|http://packetstormsecurity.com/files/112855/Admin-Page-Finder-Script.html
albatar|18.5a65ce4|A SQLi exploitation framework in Python.|https://github.com/lanjelot/albatar
arachni|1.4.4.gcd7b47b|A feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.|https://www.arachni-scanner.com
bbqsql|259.4f7c086|SQL injection exploit tool.|https://github.com/neohapsis/bbqsql
bbscan|11.be218a8|A tiny Batch weB vulnerability Scanner.|https://github.com/lijiejie/bbscan
bing-lfi-rfi|0.1|This is a python script for searching Bing for sites that may have local and remote file inclusion vulnerabilities.|http://packetstormsecurity.com/files/121590/Bing-LFI-RFI-Scanner.html
bsqlbf|2.7|Blind SQL Injection Brute Forcer.|http://code.google.com/p/bsqlbf-v2/
bsqlinjector|8.5dc3f27|Blind SQL injection exploitation tool written in ruby.|https://github.com/enjoiz/BSQLinjector
cansina|139.47f6ac8|A python-based Web Content Discovery Tool.|https://github.com/deibit/cansina
cjexploiter|4.fe2b191|Drag and Drop ClickJacking exploit development assistance tool.|https://github.com/enddo/CJExploiter
cloudget|53.807d08e|Python script to bypass cloudflare from command line. Built upon cfscrape module.|https://github.com/eudemonics/cloudget
cms-few|0.1|Joomla, Mambo, PHP-Nuke, and XOOPS CMS SQL injection vulnerability scanning tool written in Python.|http://packetstormsecurity.com/files/64722/cms_few.py.txt.html
cmsfuzz|5.6be5a98|Fuzzer for wordpress, cold fusion, drupal, joomla, and phpnuke.|https://github.com/nahamsec/CMSFuzz
commix|584.4d00701|Automated All-in-One OS Command Injection and Exploitation Tool.|https://github.com/stasinopoulos/commix
crawlic|45.38944f0|Web recon tool (find temporary files, parse robots.txt, search folders, google dorks and search domains hosted on same server).|https://github.com/Ganapati/Crawlic
csrftester|1.0|The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws.|http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project
darkjumper|5.8|This tool will try to find every website that host at the same server at your target|http://sourceforge.net/projects/darkjumper/
dff-scanner|1.1|Tool for finding path of predictable resource locations.|http://netsec.rs/70/tools.html
dirbuster-ng|9.0c34920|C CLI implementation of the Java dirbuster tool.|https://github.com/digination/dirbuster-ng
dirs3arch|151.e2ff186|HTTP(S) directory/file brute forcer.|https://github.com/maurosoria/dirs3arch
domi-owned|24.e87c358|A tool used for compromising IBM/Lotus Domino servers.|https://github.com/coldfusion39/domi-owned
doork|4.3e2d70a|Passive Vulnerability Auditor.|https://github.com/AeonDave/doork
drupalscan|0.5.2|Simple non-intrusive Drupal scanner.|https://rubygems.org/gems/DrupalScan/
dsfs|32.e27d6cb|A fully functional File inclusion vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.|https://github.com/stamparm/DSFS
dsjs|21.79cb2c4|A fully functional JavaScript library vulnerability scanner written in under 100 lines of code.|https://github.com/stamparm/DSJS
dsss|116.6d14edb|A fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.|https://github.com/stamparm/DSSS
dsxs|116.21427d6|A fully functional Cross-site scripting vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.|https://github.com/stamparm/DSXS
epicwebhoneypot|2.0a|Tool which aims to lure attackers using various types of web vulnerability scanners by tricking them into believing that they have found a vulnerability on a host.|http://sourceforge.net/projects/epicwebhoneypot/
eyewitness|518.b84b21e|Designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.|https://github.com/ChrisTruncer/EyeWitness
fbht|68.1ffc236|A Facebook Hacking Tool|https://github.com/chinoogawa/fbht-linux
fhttp|1.3|This is a framework for HTTP related attacks. It is written in Perl with a GTK interface, has a proxy for debugging and manipulation, proxy chaining, evasion rules, and more.|http://packetstormsecurity.com/files/104315/FHTTP-Attack-Tool.3.html
ghost-py|0.2.3|Webkit based webclient (relies on PyQT).|http://jeanphix.github.com/Ghost.py/
golismero|40.ece1eba|Opensource web security testing framework.|https://github.com/golismero/golismero
grabber|0.1|A web application scanner. Basically it detects some kind of vulnerabilities in your website.|http://rgaucher.info/beta/grabber/
htcap|12.952aa27|A web application analysis tool for detecting communications between javascript and the server.|https://github.com/segment-srl/htcap
httpforge|11.02.01|A set of shell tools that let you manipulate, send, receive, and analyze HTTP messages. These tools can be used to test, discover, and assert the security of Web servers, apps, and sites. An accompanying Python library is available for extensions.|http://packetstormsecurity.com/files/98109/HTTPForge.02.01.html
httppwnly|28.8c105f4|"Repeater" style XSS post-exploitation tool for mass browser control.|https://github.com/Danladi/HttpPwnly
isr-form|1.0|Simple html parsing tool that extracts all form related information and generates reports of the data. Allows for quick analyzing of data.|http://www.infobyte.com.ar/
jaidam|10.a7d7c4a|Penetration testing tool that would take as input a list of domain names, scan them, determine if wordpress or joomla platform was used and finally check them automatically, for web vulnerabilities using two well-known open source tools, WPScan and Joomscan.|https://github.com/stasinopoulos/jaidam
jomplug|0.1|This php script fingerprints a given Joomla system and then uses Packet Storm's archive to check for bugs related to the installed components.|http://packetstormsecurity.com/files/121390/Janissaries-Joomla-Fingerprint-Tool.html
jooforce|11.43c21ad|A Joomla password brute force tester.|https://github.com/rastating/jooforce
joomlascan|1.2|Joomla scanner scans for known vulnerable remote file inclusion paths and files.|http://packetstormsecurity.com/files/62126/joomlascan.2.py.txt.html
joomlavs|209.2a7f03e|A black box, Ruby powered, Joomla vulnerability scanner.|https://github.com/rastating/joomlavs
joomscan|2012.03.10|Detects file inclusion, sql injection, command execution vulnerabilities of a target Joomla! web site.|http://joomscan.sourceforge.net/
kadimus|50.5897871|LFI Scan & Exploit Tool.|https://github.com/P0cL4bs/Kadimus
kolkata|3.0|A web application fingerprinting engine written in Perl that combines cryptography with IDS evasion.|http://www.blackhatlibrary.net/Kolkata
lfi-exploiter|1.1|This perl script leverages /proc/self/environ to attempt getting code execution out of a local file inclusion vulnerability..|http://packetstormsecurity.com/files/124332/LFI-Exploiter.1.html
lfi-fuzzploit|1.1|A simple tool to help in the fuzzing for, finding, and exploiting of local file inclusion vulnerabilities in Linux-based PHP applications.|http://packetstormsecurity.com/files/106912/LFI-Fuzzploit-Tool.1.html
lfi-image-helper|0.8|A simple script to infect images with PHP Backdoors for local file inclusion attacks.|http://packetstormsecurity.com/files/129871/LFI-Image-Helper.8.html
lfi-sploiter|1.0|This tool helps you exploit LFI (Local File Inclusion) vulnerabilities. Post discovery, simply pass the affected URL and vulnerable parameter to this tool. You can also use this tool to scan a URL for LFI vulnerabilities.|http://packetstormsecurity.com/files/96056/Simple-Local-File-Inclusion-Exploiter.0.html
lfifreak|21.0c6adef|A unique automated LFi Exploiter with Bind/Reverse Shells.|https://github.com/OsandaMalith/LFiFreak/
lfimap|1.4.8|This script is used to take the highest beneficts of the local file include vulnerability in a webserver.|https://code.google.com/p/lfimap/
liffy|65.8011cdd|A Local File Inclusion Exploitation tool.|https://github.com/rotlogix/liffy
metoscan|05|Tool for scanning the HTTP methods supported by a webserver. It works by testing a URL and checking the responses for the different requests.|http://www.open-labs.org/
morxtraversal|1.0|Path Traversal checking tool.|http://www.morxploit.com/tools/
multiinjector|0.3|Automatic SQL injection utility using a lsit of URI addresses to test parameter manipulation.|http://chaptersinwebsecurity.blogspot.de/2008/11/multiinjector-v03-released.html
nosqlmap|182.0ff71dc|Automated Mongo database and NoSQL web application exploitation tool|https://github.com/tcstool/NoSQLMap.git
owasp-bywaf|26.e730d1b|A web application penetration testing framework (WAPTF).|https://github.com/depasonico/OWASP-ByWaf
owtf|1017.0bbeea1|The Offensive (Web) Testing Framework.|https://www.owasp.org/index.php/OWASP_OWTF
pappy-proxy|59.f28ab4f|An intercepting proxy for web application testing.|https://github.com/roglew/pappy-proxy
paros|3.2.13|Java-based HTTP/HTTPS proxy for assessing web app vulnerabilities. Supports editing/viewing HTTP messages on-the-fly, spiders, client certificates, proxy-chaining, intelligent scanning for XSS and SQLi, etc.|http://www.parosproxy.org
pblind|1.0|Little utility to help exploiting blind sql injection vulnerabilities.|http://www.edge-security.com/pblind.php
peepingtom|56.bc6f4d8|A tool to take screenshots of websites. Much like eyewitness.|https://bitbucket.org/LaNMaSteR53/peepingtom
phpsploit|686.d61fca7|Stealth post-exploitation framework.|https://github.com/nil0x42/phpsploit
plecost|88.149fd34|Wordpress finger printer Tool.|https://github.com/iniqua/plecost
plown|13.ccf998c|A security scanner for Plone CMS.|https://github.com/unweb/plown
proxenet|589.3e07775|THE REAL hacker friendly proxy for web application pentests.|https://github.com/hugsy/proxenet
pyfiscan|1545.a50e4ea|Free web-application vulnerability and version scanner.|https://github.com/fgeek/pyfiscan
rww-attack|0.9.2|The Remote Web Workplace Attack tool will perform a dictionary attack against a live Microsoft Windows Small Business Server's 'Remote Web Workplace' portal. It currently supports both SBS 2003 and SBS 2008 and includes features to avoid account lock out.|http://packetstormsecurity.com/files/79021/Remote-Web-Workplace-Attack-Tool.html
sawef|28.e65dc9f|Send Attack Web Forms.|https://github.com/danilovazb/sawef
scrapy|1.0.5|A fast high-level scraping and web crawling framework.|http://scrapy.org
secscan|1.5|Web Apps Scanner and Much more utilities.|http://code.google.com/p/secscan-py/
shortfuzzy|0.1|A web fuzzing script written in perl.|http://packetstormsecurity.com/files/104872/Short-Fuzzy-Rat-Scanner.html
spaf|11.671a976|Static Php Analysis and Fuzzer.|https://github.com/Ganapati/spaf
sparty|0.1|An open source tool written in python to audit web applications using sharepoint and frontpage architecture.|http://sparty.secniche.org/
spiga|410.07b9055|Configurable web resource scanner.|https://github.com/getdual/scripts-n-tools/blob/master/spiga.py
spike-proxy|148|A Proxy for detecting vulnerabilities in web applications|http://www.immunitysec.com/resources-freesoftware.shtml
spipscan|69.4ad3235|SPIP (CMS) scanner for penetration testing purpose written in Python.|https://github.com/PaulSec/SPIPScan
sqid|0.3|A SQL injection digger.|http://sqid.rubyforge.org/
sqlmap|1.0.6|Automatic SQL injection and database takeover tool|http://sqlmap.org
themole|0.3|Automatic SQL injection exploitation tool.|http://sourceforge.net/projects/themole/
urlcrazy|0.5|Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.|http://www.morningstarsecurity.com/research/urlcrazy
urldigger|02c|A python tool to extract URL addresses from different HOT sources and/or detect SPAM and malicious code|https://code.google.com/p/urldigger/
vanguard|0.1|A comprehensive web penetration testing tool written in Perl thatidentifies vulnerabilities in web applications.|http://packetstormsecurity.com/files/110603/Vanguard-Pentesting-Scanner.html
vbscan|10.1afac1b|A black box vBulletin vulnerability scanner written in perl.|https://github.com/rezasp/vbscan
vega|1.0|An open source platform to test the security of web applications.|https://github.com/subgraph/Vega/wiki
vsvbp|6.241a7ab|Black box tool for Vulnerability detection in web applications.|https://github.com/varunjammula/VSVBP
wafp|0.01_26c3|An easy to use Web Application Finger Printing tool written in ruby using sqlite3 databases for storing the fingerprints.|http://packetstormsecurity.com/files/84468/Web-Application-Finger-Printer.01-26c3.html
web-soul|2|A plugin based scanner for attacking and data mining web sites written in Perl.|http://packetstormsecurity.com/files/122064/Web-Soul-Scanner.html
webhandler|324.047dddf|A handler for PHP system functions & also an alternative 'netcat' handler.|https://github.com/lnxg33k/webhandler
webslayer|5|A tool designed for brute forcing Web Applications.|https://code.google.com/p/webslayer/
webxploiter|20.41a11d1|An OWASP Top 10 Security scanner.|https://github.com/xionsec/WebXploiter
wig|561.e4e5482|WebApp Information Gatherer.|https://github.com/jekyc/wig
witchxtool|1.1|A perl script that consists of a port scanner, LFI scanner, MD5 bruteforcer, dork SQL injection scanner, fresh proxy scanner, and a dork LFI scanner.|http://packetstormsecurity.com/files/97465/Witchxtool-Port-LFI-SQL-Scanner-And-MD5-Bruteforcing-Tool.1.html
ws-attacker|1.7|A modular framework for web services penetration testing.|http://ws-attacker.sourceforge.net/
xsser|1.7|A penetration testing tool for detecting and exploiting XSS vulnerabilites.|http://xsser.sourceforge.net/
xssless|45.8e7ebe1|An automated XSS payload generator written in python.|https://github.com/mandatoryprogrammer/xssless
xsspy|25.7b1a833|Web Application XSS Scanner.|https://github.com/faizann24/XssPy
xsss|0.40b|A brute force cross site scripting scanner.|http://www.sven.de/xsss/
xssscan|17.7f1ea90|Command line tool for detection of XSS attacks in URLs. Based on ModSecurity rules from OWASP CRS.|https://github.com/gwroblew/detectXSSlib
xsssniper|0.9|An automatic XSS discovery tool|https://github.com/gbrindisi/xsssniper
xssya|12.abe1aec|A Cross Site Scripting Scanner & Vulnerability Confirmation.|https://github.com/yehia-mamdouh/XSSYA
yaaf|7.4d6273a|Yet Another Admin Finder.|https://github.com/Plasticoo/YAAF
yasuo|107.a917a6e|A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network.|https://github.com/0xsauby/yasuo
ycrawler|0.1|A web crawler that is useful for grabbing all user supplied input related to a given website and will save the output. It has proxy and log file support.|http://packetstormsecurity.com/files/98546/yCrawler-Web-Crawling-Utility.html
ysoserial|0.0.2|A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.|https://github.com/frohoff/ysoserial
zaproxy|2.5.0|Integrated penetration testing tool for finding vulnerabilities in web applications|https://www.owasp.org/index.php/ZAP