# Web security pentest tools
## HTTP Proxy
* Burp Suite - https://portswigger.net/burp
* OWASP ZAP - https://www.zaproxy.org/
* Charles - https://www.charlesproxy.com/
* mitmproxy - https://mitmproxy.org/
## Web vulnerability scanners
* Nikto - https://github.com/sullo/nikto
* w3af - https://github.com/andresriancho/w3af
* Skipfish - https://github.com/spinkham/skipfish
## Vulnerability scanners
* Nessus - https://www.tenable.com/products/nessus
* OpenVAS - https://www.openvas.org/
* Qualys - https://www.qualys.com/
## SQLi
* SQLMap - https://sqlmap.org/
* sqlninja - https://sqlninja.sourceforge.net/
* BBQSQL - https://github.com/CiscoCXSecurity/bbqsql
## XML injection
* xxexploiter - https://github.com/luisfontes19/xxexploiter
* XCat - https://github.com/orf/xcat
## XSS
* XSStrike - https://github.com/s0md3v/XSStrike
* XSSer - https://github.com/epsylon/xsser
* XSS-Sniper - https://github.com/gbrindisi/xsssniper
* XSSMe - https://github.com/SecurityCompass/XSSMe
## Fuzzer
* Wfuzz - https://github.com/xmendez/wfuzz
* ffuf - https://github.com/ffuf/ffuf
* GoBuster - https://github.com/OJ/gobuster
## Recon
* DNSEnum - https://www.kali.org/tools/dnsenum/
* Fierce - https://github.com/mschwager/fierce
* DNSRecon - https://github.com/darkoperator/dnsrecon
* theHarvester - https://github.com/laramies/theHarvester
* Maltego - https://www.maltego.com/
* Recon-ng - https://github.com/lanmaster53/recon-ng
* WhatWeb - https://github.com/urbanadventurer/WhatWeb
* Shodan - https://www.shodan.io/
* Censys - https://search.censys.io/
* Google dorks
## SSL/TLS scanner
* SSLyze - https://github.com/nabla-c0d3/sslyze
* sslscan2 - https://github.com/rbsec/sslscan
## PwnTool
* Metasploit - https://www.metasploit.com/
* Armitage GUI - https://www.offsec.com/metasploit-unleashed/armitage/
## Browser plug-ins
* Wappalyzer - https://www.wappalyzer.com
* FoxyProxy
  * Firefox: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard
  * Chrome: https://chromewebstore.google.com/detail/foxyproxy/gcknhkkoolaabfmlnjonogaaifnjlfnp
* retire.js - https://github.com/RetireJS/retire.js
* Down-Them-All -
## Exploits
* ExploitDB - https://www.exploit-db.com/
# Pentest phase categorisation
### Pre-Engagement Phase:
* Browser plug-ins:
  * Wappalyzer
  * FoxyProxy
  * retire.js
### Reconnaissance/Information Gathering:
* Recon:
  * DNSEnum
  * Fierce
  * DNSRecon
  * theHarvester
  * Maltego
  * Recon-ng
  * WhatWeb
  * Google dorks
  * Shodan
  * Censys
### Vulnerability Analysis:
* Web Vulnerability Scanners:
  * Nikto
  * w3af
  * Skipfish
* Vulnerability Scanners:
  * Nessus
  * OpenVAS
  * Qualys
* Fuzzer:
  * Wfuzz
  * ffuf
  * GoBuster
* SSL/TLS Scanner:
  * SSLyze
  * sslscan2
### Exploitation:
* HTTP Proxy:
  * Burp Suite
  * OWASP ZAP
  * Charles
  * mitmproxy
* SQLi:
  * SQLMap
  * sqlninja
  * BBQSQL
* XML Injection:
  * xxexploiter
  * XCat
* XSS:
  * XSStrike
  * XSSer
  * XSS-Sniper
  * XSSMe
* PwnTool:
  * Metasploit
  * Armitage GUI
### Exploits:
* Exploit:
  * ExploitDB
### Miscellaneous:
* Browser plug-ins:
  * Wappalyzer
  * FoxyProxy
  * retire.js
* Exploits:
  * ExploitDB