Whisker is a CGI scanner with impressive features that makes it much better than most CGI scanners.
Whisker includes the following features:
1) The CGI directory can be pre-defined from the default '/cgi-bin', to your own choosing, or a set of well-known CGI paths.
2) Before checking for vulnerability Whisker will verify that the CGI directory exists, and that the CGI itself exists, reducing the number of false positives.
3) The server type and version is checked prior to any testing, reducing checks for unsupported CGIs (i.e. test for details.idc vulnerability on an Apache server is futile, since this is an IIS vulnerability).
4) Virtual Hosting is fully supported, allowing Whisker to test vulnerabilities against sub-domains within the same server (a feature not supported by all CGI scanners).
5) Whisker can be taught to see through custom made "success" pages, which are usually a result of "not found" errors (this minimizes false positives).
6) Whisker was written in Perl for easy portability and manipulation.
7) Interoperability between products/files such as command separated files, nmap result file, IP subnets and etc.
8) URL encoding that hides scans from IDS programs, something like '/cgi-bin/phf?' is requested by its mime encoding equivalent: '/%63%67%69%2d%62%69%6e/%66%69%6e%67%65%72' which causes most IDS programs to not detect the scan.
9) Support for a script language that enables people to easily add new scanning scripts.