The open-source alternative to Burp Suite + OWASP ZAP. Scan any website for OWASP Top 10 vulnerabilities and get a beautiful report — in seconds.
CrabGuard covers the OWASP Top 10 out of the box — passive scanning is free forever, active scanning is Pro.
Checks CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP and more. Flags missing or misconfigured headers with exact fix snippets.
Detects session cookies missing HttpOnly, Secure, or SameSite flags. Flags sensitive cookie names exposed to JavaScript.
Validates SSL certificate expiry, hostname match, HSTS preload, and cipher quality. Alerts you before certs expire.
Catches mixed content, missing SRI on CDN scripts, vulnerable JS libraries (jQuery, Bootstrap, Lodash), and CSRF gaps in forms.
Error-based and time-based blind SQLi detection across all URL parameters. Covers 8 payload variants per parameter.
Injects XSS canary payloads and checks if they reflect in the response — catches the most common XSS attack vector.
Probes 48 sensitive paths: .env, .git/config, wp-config.php, swagger docs, Spring Actuator, phpinfo and more.
Tests URL parameters for Server-Side Request Forgery — probes AWS and GCP metadata endpoints, localhost, and internal IPs.
Score ring, OWASP Top 10 grid, per-category findings with remediation snippets. HTML free, PDF + white-label on Pro.
Drop-in CLI, Python API, JSON output for CI/CD, and proxy support for Burp Suite integration.
The passive scanner is open-source and free forever. Pro unlocks active scanning and PDF reports.
Open-source. No account needed.
For developers and security teams. Or $199/year (save 43%).
For security teams and consultancies.
Free. No account. No credit card.