Web Application Security Scanners (or Web Application Vulnerability Scanners) are tools designed to automatically scan web applications for vulnerabilities. These tools work as black-box analyzer; meaning that, unlike Source Code Scanners, they don't access the source code and then, need to detect the vulnerabilities by performing attacks.

The web application security scanner is not a perfect tool, it has strength and weaknesses.

• Because the tool is implementing a dynamic testing method, it cannot cover 100% of the source code of the application and then, the application itself.
• It is really hard for a tool to find lots of logical flaws such as the use of weak cryptographic functions
• Even for technical flaws, if the application doesn't give enough clue, the tool cannot catch it
• The tool cannot implement all variants of type of attacks for all vulnerabilities, this would take too long time to launch every attacks

• The tool is able to analyze the finalize product
• It simulate a real attacker by performing attack and try to probe what vulnerabilities are beside the result
• As a dynamic tool, it is not language dependent. A web application scanner is able to scan a JSP, PHP or whatever application with the same engine.

• Acunetix WVS by Acunetix
• AppScan by Watchfire, Inc.
• Hailstorm by Cenzic
• N-Stealth by N-Stalker
• NTOSpider by NTObjectives
• WebInspect by SPI Dynamics
• WebKing by Parasoft

• Grabber by Romain Gaucher
• Pantera by Simon Roses Femerling (OWASP Project)
• Paros by Chinotec
• Spike Proxy by Immunity (Now as OWASP Pantera)
• TestMaker by Pushtotest
• W3AF by Andres Riancho
• Wapiti by Nicolas Surribas
• WebScarab by Rogan Dawes of Aspect Security (OWASP Project)