sqlmap
Automatic SQL injection and database takeover helper with fingerprinting, data exfiltration, and OS-shell paths.
Why it is included
Standard open tool for demonstrating and fixing SQLi in sanctioned tests.
Best for
Web pentesters validating injection classes after scope approval.
Strengths
- Deep DB support
- Tamper scripts
- Enumeration depth
Limitations
- Illegal and unethical outside written authorization
Good alternatives
OWASP ZAP · Manual validation
Related tools
Security & Privacy
OWASP ZAP
OWASP flagship web app scanner and proxy: automated checks, manual request tampering, scripting, and CI integrations.
Security & Privacy
Dalfox
XSS parameter analyzer and reflected/stored/DOM-focused fuzzer with mining and pipeline modes.
Security & Privacy
Nikto
Web server scanner that probes for dangerous files, outdated software, and misconfigurations via many checks.
Security & Privacy
ffuf
Fast web fuzzer for directories, virtual hosts, parameters, and raw HTTP—common in bug bounty playbooks.
Security & Privacy
Gobuster
Go-based directory/DNS/vhost brute-forcer with threading tuned for pentest wordlists.
Security & Privacy
feroxbuster
Recursive content discovery written in Rust with intelligent filtering and replay-friendly output.