- It’s Free and Open source
- GUI based and very easy to use, no security expertise required
- Powerful and effective scanning engine
- Supports recording Login sequence
- Reporting in both HTML and RTF formats
- Checks for over 25 different kinds of well known web vulnerabilities
- False Positives detection support
- False Negatives detection suppport
- Industry leading built-in scripting engine that supports Python and Ruby
- Extensibile via plug-ins or modules in Python, Ruby, C# or VB.NET
- Comes bundled with a growing number of Modules built by researchers in the security community.
- WiHawk – WiFi Router Vulnerability Scanner by Anamika Singh
- XmlChor – Automatic XPATH Injection Exploitation Tool by Harshal Jamdade
- IronSAP – SAP Security Scanner by Prasanna K
- SSL Security Checker – Scanner to discover vulnerabilities in SSL installations by Manish Saindane
- OWASP Skanda – Automatic SSRF Exploitation Tool by Jayesh Singh Chauhan
- CSRF PoC Generator – Tool for automatically generating exploits for CSRF vulnerabilities by Jayesh Singh Chauhan
- HAWAS – Tool for automatically detecting and decoding encoded strings and hashes in websites by Lavakumar Kuppan
The False Positive Detection Support is provided by the scanner giving precise and detailed information on how a vulnerability was detected and why it was reported along with instructions on how to test if it is a False Positive.
Details on how these systems function and achieve their claimed goals is available below. But before that, if you are not very familiar with how web security scanners work and why False Positives and False Negatives occur, then the next section will bring you up to speed.
False Positives and False Negatives are an unfortunate reality with web vulnerability scanners. Before we delve into the details let’s clarify the terminology first.
When a scanner reports that a particular vulnerability is present on the scanned application but in reality this vulnerability does not exist in the application, it is called a False Positive.
False Positives occur when a scanner incorrectly determines that a vulnerability is present in an application.
When a vulnerability is actually present in an application but a scanner fails to detect its presence, it is called a False Negative.