DefenseCode is giving away a Community Edition of their Web Security Scanner 2.0 free of charge for personal and non-commercial use.
DefenseCode Web Security Scanner is a DAST (Dynamic Application Security Testing) product for testing the security of live web sites and web applications. All security scanning and vulnerability detection features available in the full version of the scanner are also available in the Community Edition. There are no limitations in vulnerability detection.
You will be able to scan for SQL Injection, Blind SQL Injection, Cross Site Scripting, Command Execution, Path Traversal, Code Injection, HTTP Response Splitting and 50 other vulnerability types, including the OWASP Top 10 and thousands of CVE-described vulnerabilities. Moreover, the scanner will even detect whether there is some sort of WAF (Web Application Firewall) in front of the web site that you are scanning.
Although the scanner can be used as a click-and-run tool, it is also easily configured for advanced security testing. You can configure the number of collected links, the depth of the scan, the number of threads, custom 404 pages, scanning exclusions, the vulnerability types that you want to scan for and much more.
Besides straightforward security scans, it is also possible to set up post-authentication web security scanning. DefenseCode Web Security Scanner supports web-based authentication with Basic, Digest and NTLM authentication, client SSL certificate authentication, custom cookie authentication and a complete authentication process recorder for HTML form-based authentication. The scanner also incorporates an HTTP proxy for recording much more complicated login procedures.
Along with the web security scanning capabilities, there are also additional security tools such as an HTTP Request Composer, Authentication Tester, URL Fuzzer and Authentication Recorder.