Web Application Tools
πΈοΈ OWASP ZAP
The most widely-used web application security testing tool.
What it finds:
- Cross-site scripting (XSS)
- SQL injection
- Cross-site request forgery (CSRF)
- Security misconfigurations
- Information disclosure
- Authentication issues
Docker image: zaproxy/zap-stable
π― Nuclei
Template-based vulnerability detection engine with 8,000+ community templates.
What it finds:
- Known CVEs in web frameworks and CMS
- Exposed configuration files
- Default credentials
- API key leaks in responses
- Technology-specific misconfigurations
Docker image: projectdiscovery/nuclei
π Nikto
Classic web server assessment tool.
What it finds:
- Dangerous default files (
/phpinfo.php,/.env, etc.) - Outdated server software
- Server misconfigurations
- Common CGI vulnerabilities
Docker image: secfigo/nikto
π FFUF
Fast web fuzzer for content discovery.
What it finds:
- Hidden directories and files
- Backup files (
.bak,.old,.sql) - Admin panels
- API endpoints not linked from the main application
Docker image: ffuf/ffuf
π‘οΈ OpenVAS
Full-featured vulnerability assessment system.
What it finds:
- Network vulnerabilities across all protocols
- Missing patches
- Service-level vulnerabilities
- Compliance checks
Docker image: greenbone/openvas-scanner
π§ PentestTools
IntegSec's custom vulnerability toolkit.
What it finds:
- Additional checks that complement the open-source tools
- Web application vulnerabilities
- Infrastructure issues
Docker image: turbopentest.azurecr.io/pentesttools