A roundup of the best open-source web vulnerability scanning tools

Symantec's Internet Security Threat Report 2017 states that 76 percent of the websites scanned this year had malicious software. If you are using WordPress, a separate report from SUCURI also showed that over 70% of scanned sites had one or more vulnerabilities.

If you own a web application, how do you ensure your site is safe and does not disclose sensitive information?

If you use a cloud-based security solution, routine vulnerability scanning may be all you need. If not, you must run routine scans yourself and take the necessary action to reduce security risk.

Of course, many paid scanners are more comprehensive and rigorous, and include report output, alerting, detailed remediation guides, and additional features.

The biggest drawback of open-source tools is that their vulnerability databases may be less comprehensive than those of paid software.

1. Arachni

Arachni is a Ruby-based, high-performance security scanner framework built for modern web applications. Portable binaries are available for Mac, Windows and Linux.

Arachni supports both active and passive checks. It can scan not only basic static websites and CMSs, but can also fingerprint the following platforms:

Windows, Solaris, Linux, BSD, Unix

Nginx, Apache, Tomcat, IIS, Jetty

Java, Ruby, Python, ASP, PHP

Django, Rails, CherryPy, CakePHP, ASP.NET MVC, Symfony

The vulnerability types it detects include:

NoSQL / Blind / SQL / Code / LDAP / Command / XPath injection

Cross-site request forgery

Path Traversal

Local / Remote File Inclusion

Response splitting

Cross-site scripting

Unvalidated DOM redirects

Source Code Disclosure

In addition, audit reports can be output in HTML, XML, Text, JSON, YAML and other formats.

Arachni can be extended through plug-ins to take scanning to a deeper level.

2. XssPy

In fact, Microsoft, Stanford, Motorola, Informatica and many other large organizations use this Python-based XSS (cross-site scripting) vulnerability scanner. Written by Faizan Ahmad, XssPy is a smart tool: it checks not only the home page or a given page, but also all the links on the website and its subdomains. XssPy's scanning is therefore thorough and wide-ranging.

3. w3af

w3af is a Python-based open-source project started at the end of 2006, available for Linux and Windows. w3af can detect more than 200 vulnerabilities, including those in the OWASP Top 10.

w3af can inject payloads into headers, URLs, cookies, query strings, post-data and so on to audit a web application, and it supports several output methods for reporting, such as:

CSV

HTML

Console

Text

XML

Email

The program is built on a plug-in architecture; for all available plug-ins: click here.

4. Nikto

Many people will be familiar with Nikto, an open-source project sponsored by Netsparker (a company specializing in web security scanners, headquartered in the UK) that aims to discover web server misconfigurations, plug-ins and web vulnerabilities. Nikto performs comprehensive tests against more than 6,500 risk items. It supports HTTP proxies, SSL, NTLM authentication and more, and can also set a maximum execution time for each target scan.

Nikto is also available in Kali Linux.

Nikto has broad application prospects in enterprise network solutions for finding web server security risks.

5. Wfuzz

Wfuzz (Web Fuzzer) is an application assessment tool used in penetration testing. It can fuzz the data in any field of an HTTP request in order to audit a web application.

Wfuzz requires Python to be installed on the computer that runs the scan. Specific usage guidance can be found here: link.

6. OWASP ZAP

ZAP (Zed Attack Proxy) is one of the well-known penetration testing tools, actively updated and maintained by hundreds of volunteer programmers around the world. It is a cross-platform Java tool that can even run on a Raspberry Pi. ZAP sits between the browser and the web application to intercept and inspect messages.

Some of ZAP's notable features:

Fuzzer

Automatic and passive scanning

Support multiple scripting languages

Forced browsing

7. Wapiti

Wapiti scans a given page and looks for scripts and forms where it can inject data, in order to verify which vulnerabilities exist. It does not review the source code; it performs a black-box scan.

It supports the GET and POST HTTP request methods, HTTP and HTTPS proxies, and multiple authentication methods.

8. Vega

Vega was developed by Subgraph. It is a multi-platform tool written in Java for finding XSS, SQLi, RFI and many other vulnerabilities.

Vega has a fairly nice GUI. It can log in to an application with given credentials and then perform automated scans.

If you are a developer, you can also use the Vega API to create new attack modules.

9. SQLmap

As the name suggests, sqlmap helps you carry out penetration testing against databases and find vulnerabilities.

It works with Python 2.6 or 2.7 on any operating system. If you are looking for database and SQL injection exploits, sqlmap is a good assistant.

10. Grabber

This is also a small Python tool that does a good job. Here are some of its features:

JavaScript source code analyzer

Cross-site scripting, SQL injection, blind SQL injection

PHP application testing using PHP-SAT

Download: click here.

11. Golismero

This is a framework for managing and running several popular security tools, such as Wfuzz, DNS recon, sqlmap, OpenVAS, a robots analyzer and so on.

Golismero is smart: it can consolidate the feedback from the other tools and output a unified result.

12. OWASP Xenotix XSS

OWASP's Xenotix XSS is an advanced framework for finding and exploiting cross-site scripting. It has three built-in intelligent fuzzers for fast scanning and improved results.

This tool has hundreds of functions.

Network security is essential for online business. I hope the free vulnerability scanners above help readers discover risks and complete remediation before the vulnerabilities are exploited by malicious actors.

A summary of domestic and foreign website security penetration testing and vulnerability scanning products

 

A 2016 website security report shows that the number of pages on domestic websites that are hacked and injected with malicious code each day has risen to 20 million. Website security is increasingly important: Internet security was repeatedly stressed at the Wuzhen Internet Conference, there are more and more Internet security conferences, and CCTV news often reports security-related stories. But how do you tell whether a site is secure? That requires scanning with a third-party tool. The following is a list of the better-known security penetration and scanning products at home and abroad.

 

Foreign website security penetration testing and vulnerability scanning products:
Nessus: Nessus is the world's most widely used system vulnerability scanning and analysis software. More than 75,000 organizations use Nessus to scan their computer systems.
nmap: nmap is a tool many hackers love to use; hackers use nmap to collect the network settings of a target computer in order to plan their method of attack.
Veracode: Veracode provides a cloud-based application security testing platform. With no hardware to purchase and no software to install, customers can immediately start testing and remediating applications. In addition, Veracode provides automated static and dynamic application security testing software and remediation services.
CAIN: specializes in password cracking techniques;
AppScan: developed by IBM for scanning web application infrastructure, and also a leading penetration testing product in the security industry;
Nikto: Nikto is an open-source (GPL) web server scanner that can scan web servers fairly comprehensively;
parosproxy: parosproxy is a proxy program for assessing web application vulnerabilities;
WebScarab: WebScarab records the sessions it detects, and the user can view the records in various forms;
WebInspect: HP's penetration testing security product; it is memory-intensive to run, so use it with caution on modest machines;
Whisker: Whisker is a scanner based on libwhisker, but nowadays people tend to use Nikto, which is also based on libwhisker.
BurpSuite: an essential integrated penetration testing tool for information security professionals, which tests in semi-automatic and automatic modes;
Wikto: Wikto is a Web-based vulnerability scanning tool written in C#;
Acunetix Web Vulnerability Scanner (AWVS for short): a well-known network vulnerability scanning tool that tests your website's security with a web crawler and detects popular security vulnerabilities;
N-Stealth: N-Stealth is a commercial Web server security scanner.

Nessus
Nessus is the world's most widely used system vulnerability scanning and analysis software. More than 75,000 organizations use Nessus to scan their computer systems.

It can perform system vulnerability analysis and scanning under local or remote control at the same time. Its operating efficiency adjusts with the resources of the system: if more resources are added to the host (such as a faster CPU or more memory), its performance improves accordingly. It supports user-defined plug-ins and fully supports SSL (Secure Socket Layer).


nmap
Nmap can quickly scan large networks. It uses raw IP packets in novel ways to detect which hosts are on the network, what services (application name and version) those hosts provide, what operating systems (including version information) they are running, what type of packet filters / firewalls they use, and a bunch of other characteristics. While Nmap is used for security audits, many system administrators and network administrators also use it for routine work, such as viewing information across the network, managing service upgrade plans, and monitoring the operation of hosts and services.
In addition to the ports table, Nmap can provide further information about the target machine, including reverse domain names, operating system guesses, device types, and MAC addresses.


Veracode
Veracode provides scalable and cost-effective software security planning, process and technology for developers. Veracode provides a cloud-based application security testing platform. With no hardware to purchase and no software to install, customers can immediately start testing and remediating applications. In addition, Veracode provides automated static and dynamic application security testing software and remediation services. Its products include: Veracode Static (static analysis), Veracode Dynamic (dynamic analysis), Veracode DynamicMP (dynamic multi-processor), Veracode Analytics (application intelligence analysis), Veracode Policy (network security policy manager), and Veracode APIs (application program interface test tools).


CAIN

CAIN cracks screensaver passwords, PWL passwords, share passwords, cached passwords, remote share passwords and SMB passwords, and includes a VNC Password Decoder, Cisco Type-7 Password Decoder, Base64 Password Decoder, SQL Server 7.0 / 2000 Password Decoder, Remote Desktop Password Decoder, Access Database Password Decoder, Cisco PIX Firewall Password Decoder, Cisco MD5 decoding, NTLM Session Security Password Decoder, IKE Aggressive Mode Pre-Shared Keys Password Decoder and Dialup Password Decoder. It is a comprehensive tool that can also crack remotely and supports dictionary and brute-force attacks.
Its extremely powerful sniffer can capture all account passwords sent in plain text, including FTP, HTTP, IMAP, POP3, SMB, TELNET, VNC, TDS, SMTP, MSKERB5-PREAUTH, MSN, RADIUS-KEYS, RADIUS-USERS, ICQ, IKE Aggressive Mode Pre-Shared Keys authentications, etc.


AppScan
AppScan is developed by IBM to scan web application infrastructure, test for security vulnerabilities, and provide practical reports and recommendations. AppScan integrates scanning capabilities, zero-day patch upgrades, configuration wizards and a detailed reporting system; it is easy to use, improves user productivity, and helps protect web applications and their infrastructure.

Nikto
This is an open-source Web server scanner that performs comprehensive tests against Web servers for multiple items (including 3500 potentially dangerous files / CGIs, more than 900 server versions, and version-specific problems on over 250 servers). Scan items and plug-ins are frequently updated and can be updated automatically (if necessary). Nikto tests your Web server in the shortest possible time, which is quite obvious in its log files. However, if you want to try it (or test your IDS system), it also supports LibWhisker's anti-IDS methods.
However, not every check identifies a security problem, although most do. Some items are information-only ("info only") checks, which find things that are not a security vulnerability but that the Web administrator or security engineer may not know about. These items are usually marked appropriately, which saves a lot of trouble.

parosproxy
parosproxy is a proxy program for assessing the vulnerability of Web applications: a Java-based web proxy. It supports editing / viewing HTTP / HTTPS messages on the fly, changing items such as cookies and form fields. It includes a Web traffic logger, a Web spider, a hash calculator, and a scanner that can test for common Web application attacks (such as SQL injection and cross-site scripting). The vulnerability types the tool checks include: SQL injection, cross-site scripting, directory traversal, and CRLF (Carriage-Return Line-Feed).


WebScarab
WebScarab can analyze applications that communicate over the HTTP and HTTPS protocols. In its simplest form, WebScarab records the sessions it observes and allows the operator to review them in various ways. If you need to observe the running state of an HTTP(S)-based application, WebScarab can meet this need. Whether it is helping developers debug other problems or allowing security professionals to identify vulnerabilities, it is a good tool.


WebInspect
A large security scanning product from HP, and a powerful Web application scanner. This application security assessment tool from SPI Dynamics helps identify known and unknown vulnerabilities in Web applications. It can also check whether a Web server is configured correctly, and will try some common Web attacks, such as parameter injection, cross-site scripting, directory traversal, and so on.

Burpsuite
Burp Suite is an integrated platform for attacking web applications. It contains a number of tools, with a number of interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share a powerful and extensible framework for processing and displaying HTTP messages, persistence, authentication, proxies, logging and alerts.

Wikto
This is a Web server assessment tool that checks Web servers for vulnerabilities and provides many of the same features as Nikto, with many interesting additions such as a back-end miner and close Google integration. It is written for the .NET environment, but users need to register to download the binaries and source code.

Acunetix Web Vulnerability Scanner
Known as WVS for short, this is a commercial-grade Web vulnerability scanner that checks Web applications for vulnerabilities such as SQL injection, cross-site scripting, and weak password strength on authentication pages. It has an easy-to-use graphical user interface and can create professional-level website security audit reports.

N-Stealth
N-Stealth is a commercial Web server security scanner. It is updated more frequently than free Web scanners such as Whisker / libwhisker and Nikto, and it claims to contain "30,000 vulnerabilities and exploits" as well as "a large number of vulnerability checks added every day", but this claim is questionable. Also note that virtually all general VA tools, such as Nessus, ISS Internet Scanner, Retina, SAINT and Sara, contain Web scanning components. (Although these tools are not always able to keep the software updated, and are not necessarily very flexible.) N-Stealth mainly provides scanning for the Windows platform, and does not provide the source code.




Domestic website security penetration testing and vulnerability scanning products:
Huawei: main business areas are firewall, intrusion detection / intrusion prevention, unified threat management, anti-DDoS, VPN, and cloud WAF.
Venus: main business areas are firewall, network isolation, intrusion detection / intrusion prevention, unified threat management, anti-DDoS, database security, data leakage prevention, vulnerability scanning, SOC & NGSOC, and security assessment, hardening, and operation and maintenance services.
Deeply convinced: main business areas are firewall, unified threat management, Internet behavior management, VPN, and mobile terminal security.
Green League and Technology: main business areas are firewall, intrusion detection / intrusion prevention, unified threat management, host security (configuration verification, host protection), anti-DDoS, database security, vulnerability scanning, Web application scanning and monitoring, Web application firewall, and security consulting, assessment, hardening, and operation and maintenance services.
360 Enterprise Security: main business areas are firewall, network isolation, endpoint detection and response (EDR), Web application scanning and monitoring, cloud WAF, mobile app security, threat intelligence, security big data analysis (APT), SOC & NGSOC, and penetration testing services.
AsiaInfo Security: main business areas are unified threat management, host security (configuration verification, host protection), terminal & anti-virus protection, data leak prevention, bastion host / secure operation and maintenance, mobile terminal security, anti-phishing, and SOC & NGSOC.
Westone: main business areas are firewall, intrusion detection / intrusion prevention, VPN, data encryption, document security, and encryption machines.
Talent: main business areas are firewall, network isolation, intrusion detection / intrusion prevention, Internet behavior management, VPN, and security assessment, hardening, and operation and maintenance services.
H3C: main business areas are firewall, intrusion detection / intrusion prevention, unified threat management, and VPN.
Arnhem: main business areas are database security, Web application scanning and monitoring, Web application firewall, big data analysis (situational awareness), and classified protection tools.


Origin www.cnblogs.com/bug777/p/12468419.html