or new
)
| Logo | Vulnerability Scanner | C O U N T | WebServer Hardening | CGI Scanning | Dir & File Enumeration | Passive Analysis | Additional Features | ||
 | IBM AppScan | 30 |  | | | | The Session Id Analysis is implemented within Appscan Powertools, Null Byte, Parameter Tampering (eShopLifting, Debug Mode, Boolean Parameters), Range Restriction Bypass, HTML5 Attacks (HTML5 SQLi, Client Command Execution, Client Side Open Redirect), Flash Specific Attacks (XSF, XSS via Flash, Flash Permissions, Phishing via Flash), XML Specific Attacks (XXE - XML External Entity, SOAP Array Overflow), Account Lockout, Floating Point DoS, Code Injection (Perl, Partial PHP) | ||
 | Acunetix WVS | | 29 | | | | | CVE Specific Buffer Overflows, CVE Specific Privilege Escalation, Mass Assignment (Rails), Expression Language Injection (EL Injection), Http Parameter Pollution (HPP), Mongo DB & node.js SSJS Injection Support, SQLi & RXSS In URI, Fuzzer, Code Injection (PHP/ASP), Reverse Proxy Bypass, File Tampering, Server-Specific audit policies, a large number of CGI detection modules, Numerous general & tech-specific passive analysis features, Network scanning features, Detection of Stored XSS, SQLi, File Inclusion, Directory Traversal, Code Execution, File GTampering and PHP Code Execution (Most Stored Detection Features are Unique!). | |
 | WebInspect | 29 | | | | | Partial URL Input Vector Support (Cross Site Scripting), Partial LDAP Injection (Error/Query Detection) & Xpath Injection support, HTML Injection, Parameter Manipulations, Flash Attacks (XSS via Flash, Flash Analysis, Information Disclosure), Web Service Attacks, Numerous Product Specific Plugins, Java Double Parsing DoS, External Session Id Complexity Analysis via the Cookie Cruncher feature. | ||
 | Tinfoil Security | 24 | | | | | Heartbleed, YAML Injection (RoR), Shellshock, WebDAV features, POODLE, HTTP PUT, Directory Listing, CVS/SVN Code Disclosure, Clickjacking, Various Passive Analysis Features. According to the vendor Session Fixation is only available to enterprise customers. ADoS refers to XML DoS variations being performed as a part of XXE. | ||
 | Burp Suite Professional | | 23 | | | | | Header Manipulation, Stored DOM Injection, Server Side Template Injection, Clickjacking, Dir/File enumeration via the discover content feature in the sitemap. | |
 | AppSpider | 19 | |  | | | SSL Strength, Credential Brute Force / Dictionary Attacks (Form/Http), Business Logic Abuse Attacks, XST, Directory Indexing, Parameter Analysis, Basic flash/java analysis, Malicious frame/script analysis, Java Grinder, Reverse Proxy. | ||
 | Netsparker Cloud | 18 | | | | | RFD (Rare!), Form/Basetag Hijacking, User/Pass Bruteforce, Insecure JSONP, Content Spoofing, Malicious File Upload, Remote Code Evaluation (ASP,PHP,Perl), RoR YAML Injection, HTTP and WebDAV Methods, SSL Checks, Heartbleed, HTTP.sys, HSTS Bypass, Admin Interfaces, Source Code Disclosure (PHP), Insecure CORS configuration. | ||
| Netsparker | 18 | | | | | RFD (Rare!), Form/Basetag Hijacking, User/Pass Bruteforce, Insecure JSONP, Content Spoofing, Malicious File Upload, Remote Code Evaluation (ASP,PHP,Perl), RoR YAML Injection, HTTP and WebDAV Methods, SSL Checks, Heartbleed, HTTP.sys, HSTS Bypass, Admin Interfaces, Source Code Disclosure (PHP), Insecure CORS configuration. | ||
 | QualysGuard WAS | 16 | | | | | Flash XSS, Clickjacking, NullByte Poisoning, Generic Vulnerabilities, Numerous Passive Analysis, Hardening and vulnerable-CGI plugins, Network Scanning Features, password bruteforcing. Generic application plugins classified as either web application or web server plugins. | ||
 | Syhunt Dynamic | 16 | | | | | NoSQL (SSJS) Injection, Parameter Tampering, Code Injection (PHP) and various other checks and features. | ||
| Logo | Vulnerability Scanner | C O U N T | WebServer Hardening | CGI Scanning | Dir & File Enumeration | Passive Analysis | Additional Features | ||
 | JSky (Commercial Edition) | 13 | | | | | Captcha Cracker (Unique!). | ||
 | N-Stalker | 10 | | | | | WebDAV (PUT), SSL Scanning, Insecure crossdomain.xml and clientaccesspolicy.xml policies, Insecure cookies, HPP, Clickjacking, Incorrect error handling, path disclosure, Remote Execution (Shellshock) | ||
 | Ammonite | 9 | | | | | Limited PXSS Detection, Identifier Enumeration, Unpublished Content Discovery. Passive Detection Features: Cleartext CC#s in Responses, Hidden Form Fields in Responses, HTML Comments in Responses, HTTP/500 Errors in Responses, Verbose Errors in Responses. | ||
 | ParosPro | 8 | | | | | Parameter Tampering, Potential File Path Manipulation (Covers some Traversal/LFI cases, without actual verification). | ||
| WebCruiser Enterprise Edition | 4 | | | | | Injection features support MSSQL, MySQL, Oracle, DB2 and MS Access.. |
| WebServer Hardening | CGI Scanning | DirAndFile Enumeration | Passive Analysis | |
| Scanners: | 13 | 13 | 11 | 13 |
| Alias | General Feature | Description | References |
| Web Server Hardening | Insecure Server Configuration | Insecure Web Server / Application Server Configuration (Admin Interfaces, Permissions, Etc) | 1, 2, 3, 4 |
| CGI Scanning | Insecure CGI Modules Detection | Detect Well-Known Issues and Insecure/Obsolete/Default Components | 1, 2 |
| Dir & File Enumeration | Directory & Files Enumeration | Detect Well-Known / Hidden Files and Directories Using Spiders and Dictionary Attacks | 1, 2 |
| Passive Analysis | Passive Analysis of Security Issues | Detect Security Issues Without any Active Tests (Caching, Autocomplete, Info Leakage, Etc) |