A web application security scanner is software which communicates with a web application through the web front-end and identifies potential security weaknesses in the web application.

These tools work as black-box tester; meaning that, unlike Source Code Scanners, they don't access the source code and then, need to detect the vulnerabilities by performing attacks.

Like every testing tools, the web application security scanner is not a perfect tool, it has strength and weaknesses.

• Because the tool is implementing a dynamic testing method, it cannot cover 100% of the source code of the application and then, the application itself.
• It is really hard for a tool to find lots of logical flaws such as the use of weak cryptographic functions
• Even for technical flaws, if the application doesn't give enough clue, the tool cannot catch it
• The tool cannot implement all variants of type of attacks for all vulnerabilities, this would take too long time to launch every attacks
• The tools usually have a bad rate of false-positive but it's mainly due to the testing method itself

• The tool is able to analyze the finalize product and to have a full view of the system
• It simulate a real attacker by performing attack and try to probe what vulnerabilities are beside the result
• As a dynamic testing tool, it is not language dependent. A web application scanner is able to scan a JSP, PHP or whatever web application with the same engine.

• Acunetix WVS by Acunetix
• AppScan by Watchfire, Inc. (Purchased by IBM)
• N-Stealth/N-Stalker by N-Stalker
• Hailstorm by Cenzic
• WebInspect by SPI Dynamics (Purchased by HP)
• NTOSpider by NTObjectives

• Grabber by Romain Gaucher
• Pantera by Simon Roses Femerling (OWASP Project)
• Paros by Chinotec
• Spike Proxy by Immunity (Now as OWASP Pantera)
• TestMaker by Pushtotest
• W3AF by Andres Riancho
• Wapiti by Nicolas Surribas
• WebScarab by Rogan Dawes of Aspect Security (OWASP Project)
• N-Stalker Free Edition by N-Stalker