
Are there any free tools similar to AppScan

sunilramu asked
Last Modified: 2008-01-09
Are there any free tools similar to AppScan?

You can't go past Microsoft's very own Microsoft Baseline Security Analyzer (MBSA) 2.0:

Rich Rumble (Security Samurai, Top Expert 2006):

In addition to the above:

There are some more open source ones (but it seems that you're looking for commercial ones :)

Keep in mind that they all have their pros and cons, and none of them is really good (compared to humans), except for detecting known vulnerabilities.
Oops, I missed reading the title properly: free tools

http://www.foundstone.com/ FoundScan

but most of them are far, far away from the quality of AppScan, ScanDo, WebInspect, etc. ...

Paros (http://www.parosproxy.org/index.shtml) is another Web Application scanner I've used in the past.

You might also want to look at Nikto (http://www.cirt.net/code/nikto.shtml), an Open Source web server scanner.

Hi sunilramu

If you want to try a wide variety of tools, try one of the Linux live distros that run from a CD such as BackTrack (http://www.remote-exploit.org/index.php/BackTrack) or Knoppix, etc. These provide an easy, ready-to-go way of trying a variety of open source tools such as the above mentioned Nikto, Wikto, Metasploit, Nessus, Nmap, etc. without actually having to install anything.

Not free (in fact fairly expensive...) but I have tested Core Impact and it is a very impressive product.

If you have any specific applications (e.g. web sites, DB servers etc) you want to test against it may be worth adding this detail so the replies to your question can be more specific - obviously this isn't relevant if you are looking for general tools to test a variety of systems.




Hi all,
Tried Paros and Burp, they work well. I couldn't get Oedipus to work; it says "cannot create output folder" when I tried to run the analyzer. My question is what can AppScan or Oedipus do which Burp and Paros cannot.

thanks for all your responses.


One thing I forgot to mention: I am testing in a Windows environment.

Hi Sunilramu

The Linux-based tools can all be used to scan Windows-based apps / websites. I would definitely recommend you try a live CD such as BackTrack: you can boot into this on a desktop, and when you are finished remove the CD, reboot, and your Windows desktop will be untouched...

With regards to the applications you specifically mention these two links may be useful:

brief overview of several tools:

more detailed examination of the tools you highlight and some others:


Burp and Paros are mainly proxies, with some fuzzing facilities added.
AppScan is a full-featured scanner with a huge (most complete) database of known vulnerabilities and a huge list of files and directories to check. It can also analyze the website after crawling, before it starts testing. AppScan also tries to detect the web server and the OS, so it can check for related flaws only.

Disclaimer: I'm not related to Sanctum/Watchfire in any way ;-)
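The three-stage workflow the answer above attributes to AppScan (crawl the site, fingerprint the server, then run only the known-file checks that apply to that platform) is what separates a scanner from a plain proxy. The skeleton below is an added illustration of that workflow, not code from AppScan, Paros, Burp or Nikto. It runs offline against a constructed in-memory site (`FAKE_SITE`, `fake_fetch`); the `KNOWN_PATHS` lists are an illustrative assumption standing in for a real signature database, and the hostname is made up.

```python
"""Crawl -> fingerprint -> targeted known-file checks (added example).

Not the code of any scanner named on the page. The site is a constructed
in-memory stand-in so the example runs offline; KNOWN_PATHS is an
illustrative assumption, not a complete vulnerability/file database.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed fake site: path -> (status, headers, body). Hostname is invented.
FAKE_SITE = {
    "/": (200, {"Server": "Microsoft-IIS/6.0"},
          '<a href="/about.html">about</a> <a href="http://other.example/x">ext</a>'),
    "/about.html": (200, {"Server": "Microsoft-IIS/6.0"}, '<a href="/">home</a>'),
    "/iisadmin/": (200, {"Server": "Microsoft-IIS/6.0"}, "admin"),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET; a real scanner would use a socket/HTTP client."""
    path = urlparse(url).path or "/"
    return FAKE_SITE.get(path, (404, {"Server": "Microsoft-IIS/6.0"}, ""))


# Assumed check lists keyed by server family; a real scanner has thousands.
KNOWN_PATHS = {
    "iis": ["/iisadmin/", "/scripts/", "/_vti_bin/"],
    "apache": ["/server-status", "/cgi-bin/", "/.htaccess"],
    "unknown": ["/admin/", "/backup/"],
}


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags in a page body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def crawl(base, fetch, limit=50):
    """Breadth-first crawl that stays on the base host; returns path -> (status, headers)."""
    host = urlparse(base).netloc
    seen, queue, pages = set(), [base], {}
    while queue and len(seen) < limit:
        url = queue.pop(0)
        path = urlparse(url).path or "/"
        if path in seen:
            continue
        seen.add(path)
        status, headers, body = fetch(url)
        pages[path] = (status, headers)
        if status != 200:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            absolute = urljoin(url, href)
            if urlparse(absolute).netloc == host:  # never wander off-scope
                queue.append(absolute)
    return pages


def fingerprint(pages):
    """Derive a server family from the Server header seen while crawling."""
    for _, (_, headers) in pages.items():
        server = headers.get("Server", "").lower()
        if "iis" in server:
            return "iis"
        if "apache" in server:
            return "apache"
    return "unknown"


def targeted_checks(base, fetch, family):
    """Probe only the known paths for the detected family; return those that respond 200."""
    found = []
    for path in KNOWN_PATHS[family]:
        status, _, _ = fetch(urljoin(base, path))
        if status == 200:
            found.append(path)
    return found


def scan(base, fetch=fake_fetch):
    """Full pipeline: crawl, fingerprint, then platform-scoped checks."""
    pages = crawl(base, fetch)
    family = fingerprint(pages)
    return {"pages": sorted(pages), "family": family,
            "findings": targeted_checks(base, fetch, family)}


if __name__ == "__main__":
    print(scan("http://target.example/"))
```

Swapping `fake_fetch` for a real HTTP client turns this into a tiny scanner, but note that this is exactly the part of the job where the answer's "compared to humans" caveat applies: the crawl only finds what is linked, and the checks only find what is in the list. Only run it against hosts you are authorized to test.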