Important Web Application Security Tools For Hackers

Web application security tools are a branch of information gathering and testing tools that deal specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to Internet and Web systems. These tools are used by the security industry to test web-based applications for vulnerabilities.

Below is a list of comprehensive web application security tools covering scanning, information gathering, and penetration testing of web applications in corporate environments.

Web Application Security Tools
  • OWASP – The Open Web Application Security Project, an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. Its mission is to make software security visible so that individuals and organizations are able to make informed decisions.

Web Application Firewall

  • ModSecurity – ModSecurity is an open-source web application firewall (WAF) supported by several web servers: Apache, Nginx, and IIS. The module is configured with rules to protect web applications from various attacks.
  • NAXSI – NAXSI is an open-source, high-performance, low-rules-maintenance WAF for NGINX. NAXSI stands for Nginx Anti XSS & SQL Injection.
  • sql_firewall – SQL Firewall Extension for PostgreSQL.
  • IronBee – IronBee is an open-source project to build a universal web application security framework: a framework for building a web application firewall (WAF) and other systems for securing web applications.

Scanning / Pentesting

  • sqlmap – sqlmap is one of the most popular and powerful SQL injection automation tools. Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and extract database names, tables, columns, and all the data in the tables. Under certain conditions it can even read and write files on the remote file system and execute commands on the operating system.
  • ZAP – The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
  • w3af – w3af (web application attack and audit framework) is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for web applications. It provides information about security vulnerabilities for use in penetration testing engagements.
  • Recon-ng – A full-featured web reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open-source web-based reconnaissance can be conducted quickly and thoroughly.
  • PTF – The Penetration Testers Framework (PTF) provides modular support for installing and keeping up-to-date penetration testing tools.
  • Infection Monkey – A semi-automatic pen testing tool for mapping and pen-testing networks. It simulates a human attacker.
  • ACSTIS – ACSTIS helps you scan web applications for AngularJS Client-Side Template Injection (sometimes referred to as CSTI, sandbox escape, or sandbox bypass). It supports scanning a single request as well as crawling an entire web application for the AngularJS CSTI vulnerability.

Runtime Application Self-Protection

  • Sqreen – Sqreen is a Runtime Application Self-Protection (RASP) solution for software teams. An in-app agent instruments and monitors the application. Suspicious user activity is reported and attacks are blocked at runtime without code modification or traffic redirection.

Books

  • Secure by Design – A book that identifies design patterns and coding styles that make many security vulnerabilities less likely. (early access, published continuously, final release fall 2017)
  • Securing DevOps – A book that explores how the techniques of DevOps and security should be applied together to make cloud services safer. (early access, published continuously, final release January 2018)
  • Understanding API Security – A free eBook sampler that gives some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.

Big Data

  • data_hacking – Examples of using IPython, Pandas, and scikit-learn to get the most out of your security data.
  • hadoop-pcap – A Hadoop library for reading packet capture (PCAP) files.
  • Workbench – A scalable Python framework for security research and development teams.
  • OpenSOC – OpenSOC integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis.
  • Apache Metron (incubating) – Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis.
  • Apache Spot (incubating) – Apache Spot is open source software for leveraging insights from flow and packet analysis.
  • binarypig – Scalable binary data extraction in Hadoop: malware processing and analytics over Pig, exploration through Django, Twitter Bootstrap, and Elasticsearch.

Developer OS

  • Securing DevOps – A book on security techniques for DevOps that reviews state-of-the-art practices used in securing web applications and their infrastructure.
credits: GBHackers

Ashwini Gurne

Ashwini Gurne is a software developer and a contributor to Security Leaks. As a contributor, her aim is to work on the latest technologies and to spread cyber awareness among the general public.