
Vulnerability Scanning Tools

Template-Based Scanning

Nuclei

GitHub: projectdiscovery/nuclei
Purpose: Template-based vulnerability scanner with 9000+ templates

Detects known vulnerabilities, misconfigurations, and exposures using YAML-based templates.

docker run --rm -v $(pwd):/work pentest-tools \
  nuclei -l targets.txt \
  -t nuclei/cves/ \
  -t nuclei/exposures/ \
  -severity critical,high \
  -o results.json

Coverage:
- CVEs (Log4j RCE, Spring4Shell, Struts2, etc.)
- Misconfigurations (open S3, exposed dashboards)
- Default credentials (admin/admin, admin/password)
- HTTP headers (missing HSTS, CSP, X-Frame-Options)

Template Categories:
- cves/ — Known CVEs
- exposures/ — Information disclosure
- misconfigurations/ — Security misconfig
- default-logins/ — Default credentials
- fuzzing/ — Directory fuzzing templates

Speed: 1000s of requests/minute
Accuracy: Very high (official templates)


Nuclei Templates

Pre-built template categories:

High Priority:
- nuclei/cves/ — Critical CVEs only
- nuclei/exposures/ — .env, package.json, git repos, API keys
- nuclei/default-logins/ — Default admin/password combos

Medium Priority:
- nuclei/misconfigurations/ — Security misconfiguration
- nuclei/fuzzing/ — Directory and file discovery

Update Templates:

nuclei -update-templates


Web Server Scanner

Nikto

GitHub: sullo/nikto
Purpose: Classic web server vulnerability scanner

Comprehensive server-level vulnerability assessment.

docker run --rm -v $(pwd):/work pentest-tools \
  nikto -h https://example.com -Format json -output results.json

Checks:
- Outdated server software
- Dangerous HTTP methods (TRACE, PUT)
- Missing security headers
- SSL/TLS weaknesses
- CORS misconfiguration
- Clickjacking vulnerability

Coverage:
- Apache, IIS, Nginx, lighttpd, etc.
- Web application platforms
- Custom server implementations

Output: HTML or JSON


Specialized Scanners

SQLMap

GitHub: sqlmapproject/sqlmap
Purpose: Automated SQL injection detection and exploitation

Identifies SQL injection with 7+ detection techniques (boolean-based, time-based, union-based, etc.).

docker run --rm -v $(pwd):/work pentest-tools \
  sqlmap -u "https://example.com/page?id=1" \
  --dbs

Capabilities:
- Automatic payload generation
- Database enumeration
- User credential extraction
- File reading (if DB has permissions)

Use Case: Verification phase for SQLi findings


Dalfox

GitHub: hahwul/dalfox
Purpose: XSS scanner with advanced filtering

Detects and verifies XSS vulnerabilities.

docker run --rm -v $(pwd):/work pentest-tools \
  dalfox url "https://example.com/page?text=INPUT"

Features:
- Payload generation (100+ XSS payloads)
- False positive filtering
- PoC generation


SSRFMAP

GitHub: swisskyrepo/ssrfmap
Purpose: SSRF payload generator and testing tool

Generates SSRF payloads for various protocols.

docker run --rm -v $(pwd):/work pentest-tools \
  /opt/pentest-venv/bin/python3 ssrfmap.py \
  -u "https://example.com/fetch?url=PAYLOAD"

Protocols: HTTP, file://, ftp://, dict://, gopher://, etc.


Commix

GitHub: commixproject/commix
Purpose: OS command injection detection and exploitation

Automated CMDi payload generation with 8+ injection syntaxes.

docker run --rm -v $(pwd):/work pentest-tools \
  /opt/pentest-venv/bin/python3 commix.py \
  -u "https://example.com/ping?host=PAYLOAD"

Injection Syntaxes:
- ;command — Command chaining
- |command — Pipe
- $(command) — Command substitution
- `command` — Backtick substitution
- &&command — AND operator
- &command — Background execution


Arjun

GitHub: s0md3v/Arjun
Purpose: HTTP parameter discovery

Discovers hidden parameters on endpoints.

docker run --rm -v $(pwd):/work pentest-tools \
  /opt/pentest-venv/bin/python3 arjun.py \
  -u "https://example.com/api/users"

Parameters Tested:
- sort, order, filter, search, q
- page, limit, offset
- role, admin, is_admin
- debug, verbose, test
- Hundreds more...


NOMORE403

GitHub: devploit/nomore403
Purpose: 403 Forbidden bypass techniques

40+ techniques to bypass 403 access denied responses.

docker run --rm -v $(pwd):/work pentest-tools \
  /opt/pentest-venv/bin/python3 nomore403.py \
  -u "https://example.com/admin"

Techniques:
- HTTP method override (X-Original-Method)
- Host header manipulation
- Path normalization
- Protocol switching (HTTP/2, CONNECT)
- Header injection


LLM & AI-Powered Scanning

Garak

GitHub: leondz/garak
Purpose: LLM vulnerability scanner (prompt injection, jailbreaking, etc.)

Scans AI/ML systems for security issues.

docker run --rm -v $(pwd):/work pentest-tools \
  garak --model_type rest \
  --endpoint "https://api.example.com/ai" \
  --probe_limit 100

Probe Categories (20+):
- Prompt injection
- Token smuggling
- Jailbreaking attempts
- Input validation bypass
- Model confusion attacks


Summary Table

| Tool | Purpose | Accuracy | Speed |
|------|---------|----------|-------|
| Nuclei | Template scanning | Very High | Very Fast |
| Nikto | Web server audit | High | Medium |
| SQLMap | SQLi verification | High | Slow |
| Dalfox | XSS verification | High | Medium |
| Commix | CMDi verification | High | Medium |
| SSRFMAP | SSRF payloads | Medium | Fast |
| Arjun | Parameter discovery | High | Slow |
| NOMORE403 | 403 bypass | Medium | Fast |
| Garak | LLM testing | High | Slow |