🌐
OWASP Foundation
owasp.org › www-project-web-security-testing-guide › v41 › 6-Appendix › A-Testing_Tools_Resource
Testing Tools Resource
Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other ...
🌐
OWASP Foundation
owasp.org › www-community › Free_for_Open_Source_Application_Security_Tools
Free for Open Source Application Security Tools | OWASP Foundation
Our primary recommendation is to use one of these: ZAP by Checkmarx - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing...
🌐
OWASP Foundation
owasp.org › www-community › Vulnerability_Scanning_Tools
Vulnerability Scanning Tools | OWASP Foundation
This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP Benchmark project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.
🌐
OWASP
mas.owasp.org › MASTG › tools
Testing Tools - OWASP Mobile Application Security
The OWASP MASTG includes many tools to assist you in executing test cases, allowing you to perform static analysis, dynamic analysis, network interception, etc. These tools are intended to help you perform your own assessments, rather than provide a conclusive result on the security status ...
🌐
Beagle Security
beaglesecurity.com › blog › article › best-owasp-security-testing-tools.html
The 6 best OWASP security testing tools in 2026
In 2026, the security tooling ecosystem spans dynamic analysis tools (DAST), static scanners (SAST), interactive testing (IAST), automated penetration testing engines, and full-fledged offensive security platforms.
🌐
OWASP Foundation
owasp.org › www-project-web-security-testing-guide › latest › 6-Appendix › A-Testing_Tools_Resource
WSTG - Latest | OWASP Foundation
Official documentation and learning resources for the ZAP (Zed Attack Proxy) dynamic application security testing tool. ... A large open-source repository of vulnerability detection templates used for automated security scanning.
🌐
OWASP
owasp.org › www-project-web-security-testing-guide › stable › 6-Appendix › A-Testing_Tools_Resource
WSTG - Stable | OWASP Foundation
Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients. ... View HTTP headers of a page and while browsing. ... The Web Developer extension adds various web developer tools to the browser.
🌐
OWASP
owasp.org › www-project-web-security-testing-guide › v42 › 6-Appendix › A-Testing_Tools_Resource
WSTG - v4.2 | OWASP Foundation
Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients. ... View HTTP headers of a page and while browsing. ... The Web Developer extension adds various web developer tools to the browser.
🌐
HostedScan
hostedscan.com › owasp-vulnerability-scan
OWASP Online Scan - HostedScan Security
ZAP is the industry-standard open-source dynamic application security testing tool trusted by security teams worldwide, covering SQL injection, XSS, and dozens of other vulnerability classes.
Find elsewhere
🌐
GitHub
github.com › OWASP › Nettacker
GitHub - OWASP/Nettacker: Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management · GitHub
Nettacker automates tasks like port scanning, service detection, subdomain enumeration, network mapping, vulnerability scanning, credential brute-force testing making it a powerful tool for identifying weaknesses in networks, web applications, ...
Starred by 5.4K users
Forked by 1.1K users
Languages   Python 72.5% | CSS 17.9% | JavaScript 9.2%
🌐
Veracode
veracode.com › home › platform
Veracode | Application Risk Management Platform
October 25, 2024 - Secure coding from inception, slashing risks by 60%. Readily integrates with over 40 tools, delivering real-time, precise feedback with low false positives.
🌐
Beddinginn
outlet.beddinginn.com › favorite-finds › owasp-testing-tools-a-comprehensive-guide-to-web-application-security-assessment › amp
OWASP Testing Tools: A Comprehensive Guide to Web Application Security Assessment | outlet.beddinginn
October 16, 2025 - Its features include an automated scanner for vulnerabilities like SQL Injection and Cross-Site Scripting (XSS), a passive scanner that monitors traffic for potential issues, a fuzzer for input validation testing, and a powerful scripting engine for automation and advanced attacks. OWASP Dependency-Check: In modern development, applications are built using a vast array of third-party libraries and components. This tool is essential for identifying project dependencies and checking if there are any known, publicly disclosed vulnerabilities associated with them.
🌐
Intruder
intruder.io › product › owasp-top-10-vulnerability-scanner
OWASP Top 10 Scanner Online | Try for free - Intruder.io
Vulnerabilities within applications are one of the most popular attack vectors. Intruder performs automated scans for web apps and APIs to check for thousands of infrastructure weaknesses and 75+ application issues, including OWASP Top 10 vulnerabilities.
🌐
OWASP
owasp.org › www-project-penetration-testing-kit
OWASP Penetration Testing Kit | OWASP Foundation
The OWASP Penetration Testing Kit (PTK) browser extension is your all-in-one solution for streamlining your daily AppSec tasks.
🌐
OWASP
owasp.org › www-project-security-culture › v10 › 7-Security_Testing
OWASP Security Culture | Security testing
IDE plugin: part of a Static Application Security Testing (SAST) tool that highlights secure coding recommendations in real time within the developer's Integrated Development Environment as they write code · Static Application Security Testing (SAST): provides feedback upon commit of source code. For more details see OWASP Source Code Analysis Tools
🌐
Cyolo
cyolo.io › home › blog › the owasp web security testing guide: how to get started and improve application security
The OWASP Web Security Testing Guide: How to Get Started and Improve Application Security | Cyolo
February 17, 2025 - Links to Testing Tools: OWASP ZAP, Burp Suite, Firefox and Chrome Extensions, sqlmap, John the Ripper, hashcat, Wfuzz, wget, Kali, Parrot, and so on.
🌐
Jit
jit.io › resources › owasp-zap › 6-essential-steps-to-use-owasp-zap-for-penetration-testing
How to Use OWASP ZAP for Penetration Testing | Jit
September 8, 2025 - With OWASP ZAP, you can use a ZAP spider or the AJAX spider. So what’s the difference? ZAP spider is a web crawler that can automatically find security vulnerabilities in web applications.
🌐
OX Security
ox.security › blog › top 10 application security testing tools (2026 edition)
Top 10 Application Security Testing Tools (2026 Edition) - OX Security
May 14, 2026 - It’s positioned as a security automation layer for AppSec and DevSecOps teams that need to test hundreds of apps with minimal manual triage. Invicti also supports multi-tenant environments, centralized policy management, and SLA-based reporting, which makes it particularly effective for organizations with distributed application security ownership. Proof-based vulnerability validation to eliminate false positives. Deep scanning for OWASP Top 10, API misconfigurations, and CORS issues.
🌐
OWASP
owasp.org › www-project-security-culture › v11 › 7-Security_Testing
OWASP Security Culture | OWASP Foundation
IDE plugin: part of a Static Application Security Testing (SAST) tool that highlights secure coding recommendations in real time within the developer's Integrated Development Environment as they write code · Static Application Security Testing (SAST): provides feedback upon commit of source code. For more details see OWASP Source Code Analysis Tools
🌐
Chrome Web Store
chromewebstore.google.com › detail › owasp-penetration-testing › ojkchikaholjmcnefhjlbohackpeeknd
OWASP Penetration Testing Kit - Chrome Web Store
ExtensionDeveloper Tools20,000 users · Add to Chrome · OWASP Penetration Testing Kit · The OWASP Penetration Testing Kit (PTK) browser extension is your all-in-one solution for streamlining your daily AppSec tasks.