OWASP ZAP
OWASP's flagship web application scanner and intercepting proxy: automated checks, manual request tampering, scripting, and CI integrations.
Why it is included
Mature, community-backed alternative to proprietary DAST for developers and pentesters.
Best for
Web app assessments, DevSecOps gates, and manual intercept/replay testing.
Strengths
- Active OWASP stewardship
- Add-on marketplace
- API and daemon modes
Limitations
- Coverage depends on config; not a substitute for manual review
Good alternatives
Burp Suite (proprietary) · sqlmap (SQL focus)
Related tools
All in the Security & Privacy category:
- sqlmap: Automatic SQL injection and database takeover helper with fingerprinting, data exfiltration, and OS-shell paths.
- Nuclei: Fast vulnerability scanner driven by YAML templates—used for recon, misconfigs, CVEs, and custom checks at scale.
- Nikto: Web server scanner that probes for dangerous files, outdated software, and misconfigurations via many checks.
- OWASP Amass: Attack surface mapping engine: DNS, certificates, APIs, scraping, and graphing for deep asset discovery.
- ffuf: Fast web fuzzer for directories, virtual hosts, parameters, and raw HTTP—common in bug bounty playbooks.
- Gobuster: Go-based directory/DNS/vhost brute-forcer with threading tuned for pentest wordlists.
