Common web application security testing tools

Many tools are available for performing web application security testing. Some are freeware or open source, while others are commercial products. The following table lists some of the basic tools that can be used effectively for each area of web application security testing. Most of these tools are part of the default Kali Linux installation:

                         Tools required
                         --------------------------------------------------------------
Information gathering    Nikto, web developer plugin, Wappalyzer

                         ZAP, Burp Suite

                         ZAP, Burp Suite

Session management       Burp Suite, web developer plugin, OWASP CSRFTester, WebScarab

Input validation         XSSMe, SQLMe, Paros, IBM AppScan, SQLMap, Burp Suite

Business logic           Manual testing using ZAP or Burp Suite

Auditing and logging     Manual assessment

Web services             WSDigger, IBM AppScan web service scanner

                         Hash identifier, weak cipher tester