Input Vector Support - Web Application Scanners:
The current information is based on the results of the *2011* benchmark (excpet for entries marked as updated or new )

Note: The content in this page is *incomplete* since the research is still in progress - the various scanners might support additional vectors.

Last updated: 27/08/2012
Sorted in a descending order according to the scanner's number of supported input vectors and the scanner name .
Hint: hover over the marks and titles to get additional information on the various features.
Note: the information refers to the ability of the scanners to scan the input vector, not simply to interpret it.
Glossary
Unified List   Commercial Scanners   Free / Open Source Scanners


#
LogoVulnerability Scanner
C
O
U
N
T
G
E
T
P
O
S
T
C
O
O
K
I
E
H
E
A
D
E
R
S
E
C
R
E
T
P
N
a
m
e
X
M
L
X
m
l
A
T
T
X
m
l
T
A
G
J
S
O
N
.
N
e
t
E
N
C
A
M
F
J
a
v
a
S
E
R
.
N
e
t
S
E
R
W
C
F
W
C
F
-
B
i
n
W
e
b
S
o
c
k
D
W
R
C
u
s
t
o
m
1
IronWASP10
2
Acunetix WVS Free Edition5
3
W3AF5
4
arachni4
5
SkipFish4
6
SQLiX4
7
sqlmap4
8
XSSer4
9
safe3wvs (limited free edition)3
10
Vega3
#
LogoVulnerability Scanner
C
O
U
N
T
G
E
T
P
O
S
T
C
O
O
K
I
E
H
E
A
D
E
R
S
E
C
R
E
T
P
N
a
m
e
X
M
L
X
m
l
A
T
T
X
m
l
T
A
G
J
S
O
N
.
N
e
t
E
N
C
A
M
F
J
a
v
a
S
E
R
.
N
e
t
S
E
R
W
C
F
W
C
F
-
B
i
n
W
e
b
S
o
c
k
D
W
R
C
u
s
t
o
m
11
WebCruiser Free Edition3
12
Andiparos2
13
Gamja2
14
Grabber2
15
Grendel Scan2
16
Mini MySqlat0r2
17
Netsparker Community Edition2
18
N-Stalker 2009 Free Edition2
19
Oedipus2
20
openAcunetix2
#
LogoVulnerability Scanner
C
O
U
N
T
G
E
T
P
O
S
T
C
O
O
K
I
E
H
E
A
D
E
R
S
E
C
R
E
T
P
N
a
m
e
X
M
L
X
m
l
A
T
T
X
m
l
T
A
G
J
S
O
N
.
N
e
t
E
N
C
A
M
F
J
a
v
a
S
E
R
.
N
e
t
S
E
R
W
C
F
W
C
F
-
B
i
n
W
e
b
S
o
c
k
D
W
R
C
u
s
t
o
m
21
Paros Proxy2
22
PowerFuzzer2
23
ProxyStrike2
24
Sandcat Free Edition2
25
ScreamingCSS2
26
Secubat2
27
Syhunt Mini (Sandcat Mini)2
28
Uber Web Security Scanner2
29
VulnDetector2
30
Wapiti2
#
LogoVulnerability Scanner
C
O
U
N
T
G
E
T
P
O
S
T
C
O
O
K
I
E
H
E
A
D
E
R
S
E
C
R
E
T
P
N
a
m
e
X
M
L
X
m
l
A
T
T
X
m
l
T
A
G
J
S
O
N
.
N
e
t
E
N
C
A
M
F
J
a
v
a
S
E
R
.
N
e
t
S
E
R
W
C
F
W
C
F
-
B
i
n
W
e
b
S
o
c
k
D
W
R
C
u
s
t
o
m
31
Watobo2
32
WebScarab2
33
WebSecurify (Opensource Version)2
34
WSTool2
35
Xcobra2
36
XSSploit2
37
XSSS2
38
ZAP2
39
aidSQL1
40
crawlfish1
#
LogoVulnerability Scanner
C
O
U
N
T
G
E
T
P
O
S
T
C
O
O
K
I
E
H
E
A
D
E
R
S
E
C
R
E
T
P
N
a
m
e
X
M
L
X
m
l
A
T
T
X
m
l
T
A
G
J
S
O
N
.
N
e
t
E
N
C
A
M
F
J
a
v
a
S
E
R
.
N
e
t
S
E
R
W
C
F
W
C
F
-
B
i
n
W
e
b
S
o
c
k
D
W
R
C
u
s
t
o
m
41
Damn Small SQLi Scanner (DSSS)1
42
iScan1
43
JSky Free Edition1
44
LoverBoy1
45
N-Stalker 2012 Free Edition1
46
Priamos1
47
Scrawlr1
48
SQID (SQL Injection Digger)1
49
Web Injection Scanner (WIS)1


Statistics
#
G
E
T
P
O
S
T
C
O
O
K
I
E
H
E
A
D
E
R
S
E
C
R
E
T
P
N
a
m
e
X
M
L
X
m
l
A
T
T
X
m
l
T
A
G
J
S
O
N
.
N
e
t
E
N
C
A
M
F
J
a
v
a
S
E
R
.
N
e
t
S
E
R
W
C
F
W
C
F
-
B
i
n
W
e
b
S
o
c
k
D
W
R
C
u
s
t
o
m
Scanners:4938109021112000000001



Glossary
AliasGeneral FeatureDescriptionReferences
GETHTTP Query String ParametersInput parameters sent in the URL1
POSTHTTP Body ParametersInput parameters sent in the HTTP body1
COOKIEHTTP Cookie ParametersInput parameters sent in the HTTP cookie1
HEADERHTTP HeadersHTTP request headers used by the application1
SECRETSecret HTTP ParametersNon-visible valid HTTP parameters (such as GET to POST, etc)
PNameHTTP Parameter NamesHTTP parameter names used by the application
XMLXML Element ContentThe content of XML elements1
XmlATTXML AttributesXML attributes1
XmlTAGXML TagsThe names of XML tags1
JSONJSON ParametersParameters sent in JSON format1
.NetENC.Net PostBack Encoded ParametersParameters sent after undergoing .net PostBack encoding1
AMFFlash Action Message FormatParameters sent in Flash AMF format1
JavaSERJava Serialized ObjectsParameters sent within Java serialized objects1
.NetSER.Net Serialized Objects / RemotingParameters sent within .Net serialized objects / remoting1
WCF.Net WCF ObjectsParameters sent in WCF requests1
WCF-Bin.Net Binary WCF ObjectsParameters sent in binary WCF requests1
WebSockHTML5 WebSocketsDirect Socket Browser-Server Communication1
DWRJava Direct Web RemotingParameters sent in DWR format1
CustomCustom Input VectorSupport for defining custom input vectors in the HTTP request



Copyright © 2012 by Shay Chen (sectooladdict). All rights reserved.
Click here to learn how this information may be published or reused.