What to use to look for web application vulnerabilities: comparing eight popular scanners


Web application scanners are a rather popular category of software today. Some are paid, some are free. Each has its own set of parameters and of vulnerabilities it can detect. Some are limited to those published in the OWASP (Open Web Application Security Project) Top Ten, while others go much further in their black-box testing.

In this post, we collected eight popular scanners, reviewed them in detail and tried them out. As training targets we chose independent sites on two platforms (.NET and PHP): premium.bgabank.com and php.testsparker.com.



OWASP ZAP

As you can guess from the title, the OWASP organization that we mentioned in the introduction is responsible for releasing OWASP ZAP. It is a free tool for penetration testing and for finding vulnerabilities in web applications.

Basic OWASP ZAP features:

  • Man-in-the-middle Proxy
  • Traditional and AJAX spiders
  • Automated scanner
  • Passive scanner
  • Forced browsing
  • Fuzzer

Additional Features

The program interface has been translated into Russian, which will be convenient for some users. The OWASP ZAP workspace is made up of several panes. At the bottom there are tabs with the current tasks and their progress, on the left is the site tree, and on the right you can additionally display the request and response pane.



With the help of the marketplace, you can slightly expand the functionality of the scanner.

Each program component has many configurable parameters. For example, we can configure input vectors for active scanning, generate dynamic SSL certificates, add HTTP session identifiers, etc.


Let’s move on to the tests. When scanning php.testsparker.com, Blind SQL Injection was found. That was the only critical vulnerability.

Full OWASP ZAP results on php.testsparker.com

On premium.bgabank.com we see more interesting results: Server Side Include (SSI) and Reflected Cross Site Scripting were found.

Full OWASP ZAP results on premium.bgabank.com

All scan results can be exported to a report (*.pdf, *.html, *.xml and *.json are supported). The report describes in detail the vulnerabilities, the vectors found and the methods of “closing” each vulnerability.


In general, we liked working with OWASP ZAP. It has all the necessary tools for a web application pentest, a simple and straightforward interface, and fast one-click scanning. At the same time, it has flexible, deep settings for more detailed scanning, which can serve as a starting point for a further manual search for vulnerabilities. Below we will talk about the Burp Suite Pro scanner, which has a lot in common with OWASP ZAP. In terms of the number and quality of vulnerabilities found, the first scanner we considered showed very good results. Recommended for use in your work.


W9scan

W9scan is a free console website vulnerability scanner with more than 1200 built-in plugins that can fingerprint web pages, detect ports, analyze website structure, find various popular vulnerabilities, scan for SQL Injection, XSS, etc.

More complete list of W9scan features

W9scan automatically generates reports on scan results in HTML format. All you need to do to run the scan is specify the URL of the website and the plugins to be used. You can select all at once by adding “all”.



When scanning php.testsparker.com, W9scan found svn and possible ways to download a payload. Among the less critical results, it identified the versions of the services used, possible vectors for XXE and XSS attacks, found server configuration files, and searched for subdomains.

On premium.bgabank.com nothing critical was found. But the scanner detected possible attack vectors and identified service versions, directories and subdomains.

After scanning, W9scan automatically generates a report file in HTML format.


The W9scan scanner is suitable for a quick launch with a single command, and we recommend using it as an auxiliary tool for determining service versions and potential attack vectors.


Wapiti

Another good console scanner. Just like W9scan, it is ready to start with a single command, and it has more scanning settings.

Wapiti searches for the following vulnerabilities:

  • File disclosure (Local and remote include/require, fopen, readfile…)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) injection (reflected and permanent)
  • Command Execution detection (eval(), system(), passthru()…)
  • CRLF Injection (HTTP Response Splitting, session fixation…)
  • XXE (XML External Entity) injection
  • SSRF (Server Side Request Forgery)
  • Use of known potentially dangerous files
  • Weak .htaccess configurations that can be bypassed
  • Presence of backup files giving sensitive information
  • Shellshock

In addition to all of the above, there is support for proxies (HTTP, HTTPS and SOCKS5), different authentication methods (Basic, Digest, Kerberos, NTLM), support for SSL certificates, and the ability to add different HTTP headers or user-agent settings.

Blind SQL Injection, Cross Site Scripting and Commands execution vulnerabilities were found when scanning php.testsparker.com. On premium.bgabank.com Wapiti's results are less outstanding than those of the other scanners: only Cross Site Scripting was detected.


The scanner also generates an HTML report that contains the categories and number of vulnerabilities found, their descriptions, the requests, curl commands and tips on how to close the security holes found.

As you might expect, Wapiti does not reach OWASP ZAP level. Still, it worked better than W9scan, although there was no search for directories, subdomains, or service versions.



Arachni

A powerful free all-in-one tool for web application security testing and vulnerability search. It has a graphical interface and huge functionality, which you can read more about on the official website.

Active testing:

  • SQL injection – Error based detection
  • Blind SQL injection using differential analysis
  • Blind SQL injection using timing attacks
  • NoSQL injection – Error based vulnerability
  • Blind NoSQL injection using differential analysis

Full list of functions for active testing

Passive testing:

  • Allowed HTTP methods
  • Backup files
  • Backup directories
  • Common administration interfaces
  • Common directories
  • Common files

Full list of functions for passive testing

It’s impressive, isn’t it? But that’s not all. There are a lot of other plugins wrapped up in the “web”, such as Passive Proxy, Dictionary attacker for HTTP Auth, Cookie collector, WAF Detector, and others.

The scanner has a nice and concise web interface:

And this is what Arachni found on our test sites. On php.testsparker.com:

  • Cross-Site Scripting (XSS) in script context
  • Blind SQL Injection (differential analysis)
  • Code injection
  • Code injection (timing attack)
  • Operating system command injection (timing attack)
  • Operating system command injection

Other vulnerabilities at php.testsparker.com

On premium.bgabank.com, the only critical finding was the possibility of cross-site request forgery (CSRF).

Complete Arachni results on premium.bgabank.com.

Separately, let us note what nice reports Arachni gives us. Many formats are supported: HTML, XML, text, JSON, Marshal, YAML, AFR.

In general, Arachni leaves only positive impressions after work. Our opinion: this is a “must-have” in the arsenal of any self-respecting specialist.


Paros

Another web vulnerability scanner with a GUI. It is included in the Kali Linux distribution by default and is installed locally. It has a built-in proxy through which sites are added for analysis, and a built-in web spider that can analyze the site and build a request map.

To scan a user’s personal account, you need to log in through a browser with traffic redirected through the Paros proxy. The scanner will use the authorized cookies during the scanning process. You can export the report on your work to HTML. It is saved to the file root/paros/session/LatestScannedReport.htm and is overwritten by later scans. If you want to keep the result of a previous scan, you should create a copy of the existing file before starting the next scan.

Basic features (looking back at OWASP TOP 10 2017):

  • A1: Injection – SQL injection, SQL injection Fingerprint (places where SQL injection could potentially be)
  • A6: Security Misconfiguration – Directory browsing, IIS default file, Tomcat source file disclosure, IBM WebSphere default files and some other standard or obsolete files (Obsolete file) containing source code, and so on.
  • A7: XSS

Additional possibilities:

    • Find enabled autofill for password forms. At the same time, if the input field has the attribute type="password", we get a false positive.
    • CRLF injection
    • Secure page browser cache (caching pages in a browser with important information)
    • The ability to scan a protected user area (personal account)
    • The ability to scan web applications on your local network


The final report has more detailed information on each type of vulnerability and some recommendations on how to fix it.


In our testing Paros showed rather weak results. On php.testsparker.com the following were found:

H: SQL injection


M: Outdated files with source code

M: Use autofill in forms with important information (passwords and so on).

L: Disclosure of internal IP

On premium.bgabank.com, even less:

M: Directory browsing

M: Use autofill in forms with important information (passwords and so on).

As a result, although the Paros scanner is simple and easy to use, its weak scanning results are a reason to give up using it.


Tenable.io

A paid multifunctional cloud scanner that can find a large number of web vulnerabilities and almost completely covers the OWASP TOP 10 2017.

The service has a built-in web spider. If you specify authorization data (authorization request, login and password, authorized cookies) in the scanning settings, the scanner will also check your personal account (the authorized user's area).

In addition to scanning web applications, Tenable.io is able to scan the network – both for known vulnerabilities and for host search. It is possible to connect agents to scan the internal network. It is possible to export the report in different formats: *.nessus, *.csv, *.db, *.pdf.

All “test” domains are in the screenshot.


There are additional scanning profiles. This article does not cover them.

After scanning, statistics and prioritization of the vulnerabilities found are available: critical, high, middle, low, information.


The vulnerability card provides additional information about the vulnerability and some recommendations to address it.

Scan php.testsparker.com. Vulnerabilities with high priority:

H: component vulnerabilities

– unsupported version of PHP

– unsupported Apache version

H: Code injection

H: SQLinj



H: Path Traversal

Middle and low vulnerabilities

Now premium.bgabank.com. Vulnerabilities with high priority:

H: component vulnerabilities

  • released version of PHP
  • Apache vulnerabilities
  • Bootstrap vulnerabilities
  • JQuery vulnerabilities

Middle and low vulnerabilities

The Tenable.io scanner performed well and found many vulnerabilities. Working with it is made easier by the intuitive graphical interface and data presentation. Another plus is the presence of additional scanning profiles, which we have decided not to dig into yet. An important feature is the cloud structure of the service. On the one hand, the service does not use the local computing resources of the working computer. On the other hand, it will not be able to scan web applications in the local network.

Burp Suite Pro

Burp Suite is a comprehensive solution for web application checks. It includes a variety of utilities to improve and speed up the search for web application vulnerabilities.

The following utilities are included in Burp Suite:

  • Proxy is a proxy server that intercepts HTTP(S) traffic in man-in-the-middle mode. Located between the browser and the target web application, this utility allows you to intercept, examine, and modify traffic moving in both directions.
  • Spider is a web spider that automatically collects information about the content and functionality of the application (web resource).
  • Scanner (Burp Suite Pro only) – scanner for automatic search for vulnerabilities in web applications.
  • Intruder is a flexible utility that allows you to perform various types of attacks in automatic mode, for example, searching for identifiers, collecting important information, etc.
  • Repeater is a tool for manually modifying and resending individual HTTP requests as well as analyzing application responses.
  • Sequencer is a utility for analyzing the randomness of application data to judge whether its generation algorithm can be predicted.
  • Decoder is a utility for manually or automatically encoding and decoding application data.
  • Comparer is a tool for finding visual differences between two data variations.
  • Extender is a tool for adding extensions to Burp Suite

The Scanner utility is presented in the tab of the main window of the Burp Suite program. The interface is English, but who can be scared away by it now?


The Issue Definition tab provides a complete list of all vulnerabilities that the scanner can detect. It should be noted that the list is quite impressive.

All vulnerabilities are divided into 3 categories: high, medium, low. There is also information category, which includes mechanisms of collecting various useful information about scanned resource.

When you start scanning, you can watch the progress stage by stage in the Scan queue window. “Color differentiation of pants” is present.


The Options tab is used to make basic settings for scanning.

For convenience, the options are broken down into categories. If necessary, you can get help for each category right from the setup window.

In general, Burp Suite Pro showed good results. When scanning php.testsparker.com, enough vulnerabilities were found and classified to gain full control over the web application and its data: OS command injection, SSTI, and File path traversal.

Full Burp Suite Pro results on php.testsparker.com

On premium.bgabank.com the following were found:

H: Cross-site scripting ()

M: SSL cookie without secure flag set

M: SSL certificate (not trusted or expired)

L: Cookie without HttpOnly flag set

L: Password field with autocomplete enabled

L: Strict transport security not enforced
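Most of the medium and low findings listed above (cookie flags, HSTS, password autocomplete) are passive checks on a single HTTP response, and the password-field check is the one the Paros section reports a false positive for. The following Python code is an added example, not Burp's or Paros's own logic; `audit_response`, `PasswordFieldAudit`, the host `app.example.test` and the sample response are constructed for illustration, and treating `autocomplete="off"` on the field or its enclosing form as "disabled" is an assumption.

```python
from html.parser import HTMLParser

class PasswordFieldAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete setting is not "off"."""
    def __init__(self):
        super().__init__()
        self.form_setting = None  # autocomplete value of the enclosing <form>
        self.flagged = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_setting = a.get("autocomplete")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # Judge by the autocomplete attribute, not by type="password" alone.
            setting = a.get("autocomplete", self.form_setting)
            if (setting or "").lower() != "off":
                self.flagged.append(a.get("name") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None

def audit_response(url, headers, body):
    """headers is a list of (name, value) pairs so repeated Set-Cookie lines survive."""
    https = url.lower().startswith("https://")
    findings = []
    if https and not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append(("L", "Strict transport security not enforced"))
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            flags = {p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:]}
            if https and "secure" not in flags:
                findings.append(("M", f"SSL cookie without secure flag set: {cookie}"))
            if "httponly" not in flags:
                findings.append(("L", f"Cookie without HttpOnly flag set: {cookie}"))
    forms = PasswordFieldAudit()
    forms.feed(body)
    findings += [("L", f"Password field with autocomplete enabled: {f}") for f in forms.flagged]
    return findings

# Constructed sample response (not captured from either test site).
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
                  ("Set-Cookie", "lang=en; path=/; Secure")]
SAMPLE_BODY = ('<form action="/login"><input type="password" name="pass"></form>'
               '<form autocomplete="off"><input type="password" name="pin"></form>')
for severity, title in audit_response("https://app.example.test/login", SAMPLE_HEADERS, SAMPLE_BODY):
    print(f"{severity}: {title}")
```

The severity letters follow the H/M/L labels used in the list above; over plain HTTP the HSTS and Secure-flag checks are skipped because they only apply to TLS responses.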

If you often use Burp Suite for web-pentest, you like its ecosystem, but would like to somehow automate the process of searching for vulnerabilities, this utility will fit perfectly into your arsenal.


Acunetix

In conclusion, another very good commercial scanner. It is very actively promoted through advertising, but Acunetix would not have succeeded without its extensive functionality. Among the vulnerabilities it can detect are all kinds of SQL injection, cross-site scripting, CRLF injection and other joys of the web application pentester. It’s worth mentioning that for high-quality scanning you need to select the right profile.

Dashboard interface is nice:

All identified vulnerabilities are traditionally broken down into four categories: High, Medium, Low and, of course, Information, which includes all the data the scanner considers interesting.



On the Scans tab, we can see the scanning progress and other diagnostic information.

Once the scan is complete, the Vulnerabilities tab shows what was found and in what quantity. Color differentiation is in place.

In the test on php.testsparker.com the scanner showed a good result, but on premium.bgabank.com it frankly let us down.

Full Acunetix results

Acunetix has great features and is suitable if you are looking for a stand-alone solution. The web interface is simple and clear, infographics and reports look quite understandable. Mistakes are possible when scanning, but as Tony Stark said: “This happens to men. It doesn’t happen often. One time out of five”.

General numbers

And now conclusions on all tested scanners.

    • We liked ZAP. Recommended for use.
    • W9scan we recommend as an auxiliary tool to identify versions and services, as well as potential attack vectors.
    • Wapiti does not reach OWASP ZAP, but it worked better than W9scan.
    • Arachni is simply a must-have.
    • The Paros scanner is weak and we do not recommend it.
    • Tenable.io is good and finds many vulnerabilities. But you should keep in mind that it is cloud-based.
    • Burp Suite Pro we recommend to those who like the Burp Suite ecosystem but lack automation.
    • Acunetix is suitable for those looking for a scanner as a stand-alone application.
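The scanners in this article name the same vulnerability class differently ("SQLinj", "Blind SQL Injection", "Commands execution"), so comparing them means normalizing the titles first. The following Python code is an added example, not part of the original article or of any scanner: it groups the php.testsparker.com findings named in the text by class. The class names and regular expressions are assumptions, and W9scan and Acunetix are left out because the text names no confirmed vulnerability class for them on that target.

```python
import re
from collections import defaultdict

# Finding titles as named in the article text for php.testsparker.com.
REPORTED = {
    "OWASP ZAP": ["Blind SQL Injection"],
    "Wapiti": ["Blind SQL Injection", "Cross Site Scripting", "Commands execution"],
    "Arachni": ["Cross-Site Scripting (XSS) in script context",
                "Blind SQL Injection (differential analysis)",
                "Code injection", "Code injection (timing attack)",
                "Operating system command injection (timing attack)",
                "Operating system command injection"],
    "Paros": ["SQL injection"],
    "Tenable.io": ["Code injection", "SQLinj", "Path Traversal"],
    "Burp Suite Pro": ["OS command injection", "SSTI", "File path traversal"],
}

# Hypothetical normalization rules; the first matching pattern wins.
CLASSES = [
    ("SQL injection", r"sql\s*inj"),
    ("OS command injection", r"(os|operating system) command|commands? execution"),
    ("Code injection", r"code injection"),
    ("Cross-site scripting", r"cross[- ]site scripting|\bxss\b"),
    ("Path traversal", r"path traversal"),
    ("SSTI", r"\bssti\b|template injection"),
]

def classify(title):
    """Map a scanner-specific title to a canonical class name."""
    for name, pattern in CLASSES:
        if re.search(pattern, title, re.IGNORECASE):
            return name
    return "Unclassified"

def coverage(reported):
    """Return {class: set of scanners that reported it}, deduplicating variants."""
    found_by = defaultdict(set)
    for scanner, titles in reported.items():
        for title in titles:
            found_by[classify(title)].add(scanner)
    return dict(found_by)

def single_scanner_classes(found_by):
    """Classes that would have been missed without one particular scanner."""
    return sorted(c for c, scanners in found_by.items() if len(scanners) == 1)

for cls, scanners in sorted(coverage(REPORTED).items(), key=lambda kv: -len(kv[1])):
    print(f"{cls:22} {len(scanners)}  {', '.join(sorted(scanners))}")
```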


