6 practical tools for web application security

hacker tools

Last updated: January 1, 2023

Here I present a list of software and tools used by pentesters: tools for detecting the flaws of a server, analysing a website and fixing the vulnerabilities found.

If you are passionate about computer security, this list is sure to please you. It is best to have the Kali Linux distribution installed on a virtual machine.

Without further ado, here are some tools you need to scan for and detect vulnerabilities in a web application:

1. The Mole

The Mole is an automatic tool for exploiting SQL injections. Given a vulnerable link or a valid URL of the targeted site, it tests the injection and, where it is confirmed, exploits it, using either a UNION-based technique or a technique based on Boolean queries.

This tool works on databases such as MySQL, SQL Server, PostgreSQL and Oracle.

2. WPScan

WPScan is a vulnerability scanner designed specifically for WordPress and written in Ruby. It can find the vulnerabilities present on a WordPress website, list the plugins in use and report the security holes associated with them. To learn more, read our article on WPScan.

3. Joomscan Security Scanner

Joomscan Security Scanner is a website auditing tool for Joomla. Written in Perl, it can detect over 550 vulnerabilities, such as file inclusions, SQL injections, RFI and LFI flaws, XSS attacks, blind SQL injection, directory protection problems and others. To find out more, I invite you to read the article on Joomscan.

4. Uniscan

Uniscan is an open source vulnerability scanner for web applications. Written in Perl, it was designed to detect RFI, LFI, RCE, XSS and SQL injection flaws.

It identifies the pages of the site with a crawler and checks ignored file extensions as well as the GET and POST methods of the pages. It supports SSL requests as well as proxy usage.

If you want to use it under Kali Linux, go to the tab:

Applications -> BackTrack -> Vulnerability Assessment -> Web Application assessment -> Web Vulnerability Scanners -> Uniscan

5. W3af (Web Application Attack & Audit Framework)

w3af (Web Application Attack & Audit Framework) is a project that aims to build a framework for finding and exploiting the vulnerabilities of a web application. You can use it under BackTrack 5:

Applications -> BackTrack -> Vulnerability Assessment -> Web Application assessment -> Web Vulnerability Scanners -> W3af gui

6. Havij

Havij is an automated SQL injection tool that allows penetration testers to find and exploit SQL injection vulnerabilities on a website.

The power of Havij, and what sets it apart from other similar tools, lies in its injection methods. The success rate of an SQL injection is over 95%. To learn more, read our article on the use of Havij.