If you’re looking for a great open-source vulnerability scanner you can do a lot worse than OWASP ZAP.
All features are free unlike the likes of BurpSuite and it is under active development unlike Arachni. There is a good community who provide custom scripts available on github. It comes as part of Kali and will also run on windows.
Once you start Zaproxy you configure a port to run on under local proxy in settings then point your browser to it under its proxy settings. Then start browsing and watch your browsing traffic appear.
As you can see from the screenshot above Zaproxy starts working through the pages and showing alerts immediately.
Clicking on the Alerts tab allows you to drill into the types of alerts, which pages it was discovered on and detailed information such as the exact section of a page which triggered the alert. It will take you some time for you to wrap your head around which alerts are important and which are most likely false positives or extremely low.
There are many scripts and free marketplace add-ons you can enable to have their various tests performed when you are browsing.
Not only can you scan your regular browsing but with a single right click you can spider (vulnerability test) all the detectable pages on a website or perform an attack (penetration test).
On top of all this it has a fairly handy API and a Heads Up Display (HUD) which can update your live browsing showing alerts on the webpage and making items such as hidden fields visible!
All in all – give it a try and you wont regret it.
