Question

Are there any tools you recommend for security testing of web applications?

I have used WebScarab from OWASP, but find it a bit difficult and unwieldy to use.

Is there anything else better you would suggest using?


Solution

Instead of WebScarab, try Fiddler proxy (http://www.fiddlertool.com). A lot more comfortable.

Other than that, "security testing" is a very wide term.
At the very least, you have:

  • Penetration testing - I use Appscan, many others.
  • Source Code Review / Static Analysis - Fortify is considered one of the best, I fell in love with Checkmarx (but it requires a security guy)... More information on your specific technology/language would help give you more targeted answers.
  • There are other types of "security testing", but I'm not familiar with other automatic tools for those types.
  • Pursuant to the last point, and more advanced testing of the first two types (PT/CR), manual testing by an expert is really the best (if not the most cost-effective).

OTHER TIPS

HP has an app to test for SQL injections called Scrawlr.


Fortify has done well for us.

http://www.fortify.com/

I work for a company that does web app penetration testing as part of its business. We use many different tools. Some are one-off tools in Ruby for specific projects, or in-house developed frameworks or proxies (again Ruby). Most of our web app penetration testing is done using WebScarab, Burp Suite or Paros Proxy. They all have some sort of logging functionality, a decent amount of power, and a drawback or two.

I've actually found WebScarab to be the easiest to use. But it doesn't handle VIEWSTATE or do much for searching. We've actually found data in VIEWSTATE that shouldn't be there, so whenever we see them we tend to switch to a different proxy. Burp Suite is my next choice. It does handle VIEWSTATE, but the interface takes a lot of getting used to, and its output, while technically more complete (it keeps the original and modified requests/responses), is harder to use.

Unfortunately, the answer to your question is slightly more complicated than just a good proxy. There is more to it than picking up a proxy or a scanner and letting them run. A person has to verify anything the tool finds, and there are some things that nothing short of a person will find.

tqbf has a good explanation of this here.

I use Nikto.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it's fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

This list could also help: Top 10 Web Vulnerability Scanners

These are all for pen testing web apps:

  1. curl - command-line tool to explore
  2. Nikto/Wikto - scanner for vulns
  3. w3af - have heard great things, haven't tried it much
  4. sqlmap - automated SQL injection
  5. Web Developer and Firebug - Firefox extensions
  6. Twill and Selenium with your own test cases: http://ha.ckers.org/xss.html
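The last item above (Twill or Selenium driving your own test cases against an XSS payload list) can be reduced to a small harness. The following is an added example, not code from the original answer or from any of the tools it lists: it sends constructed XSS probe strings to one query parameter and reports which come back unescaped. The two WSGI targets (a vulnerable echo page and one that HTML-encodes the value) are constructed stand-ins so the script runs offline; `find_reflections`, `wsgi_fetch`, `MARKER` and the payload list are this example's own names and data.

```python
# Added example: a reflected-XSS probe harness, not code from the original
# answer. The two WSGI apps below are constructed targets so it runs offline;
# `wsgi_fetch` can be replaced by any function taking (path, query dict) and
# returning (status, body) against a real server.
import html
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

# Constructed probe strings in the spirit of the XSS cheat-sheet lists;
# a real run would load a much longer list from a file.
PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "'><svg/onload=alert(1)>",
    '<iframe src="javascript:alert(1)">',
]
# Benign string used first, to learn whether the parameter reflects at all.
MARKER = "xsstestmarker7391"


def _param(environ, name):
    return parse_qs(environ.get("QUERY_STRING", "")).get(name, [""])[0]


def vulnerable_app(environ, start_response):
    """Constructed target: echoes `q` straight into the HTML."""
    q = _param(environ, "q")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<html><body><p>You searched for: {q}</p></body></html>".encode()]


def hardened_app(environ, start_response):
    """Constructed target: same page, value HTML-encoded for element content."""
    q = _param(environ, "q")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    safe = html.escape(q, quote=True)
    return [f"<html><body><p>You searched for: {safe}</p></body></html>".encode()]


def wsgi_fetch(app):
    """Return a fetch(path, query) callable that drives `app` in-process."""
    def fetch(path, query):
        environ = {}
        setup_testing_defaults(environ)
        environ["PATH_INFO"] = path
        environ["QUERY_STRING"] = urlencode(query)
        status = []

        def start_response(s, headers, exc_info=None):
            status.append(s)

        body = b"".join(app(environ, start_response)).decode("utf-8")
        return status[0], body
    return fetch


def find_reflections(fetch, path, param, payloads=PAYLOADS):
    """Probe one parameter. Reports whether it is reflected at all and which
    payloads come back verbatim (i.e. unescaped) in the response body."""
    _, body = fetch(path, {param: MARKER})
    result = {"reflected": MARKER in body, "unescaped": []}
    if not result["reflected"]:
        return result  # value never reaches the page: no reflected XSS here
    for p in payloads:
        _, body = fetch(path, {param: p})
        if p in body:
            result["unescaped"].append(p)
    return result


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        r = find_reflections(wsgi_fetch(app), "/search", "q")
        print(f"{name}: reflected={r['reflected']} "
              f"unescaped={len(r['unescaped'])}/{len(PAYLOADS)}")
```

A payload that comes back verbatim is a strong signal, not proof (it may land inside an HTML comment), and an encoded reflection is not proof of safety either: `html.escape` is the right encoder for element content only, and a value reflected into an attribute, a URL or a script block needs a different check. That is the point made above about a person having to verify what the tool reports.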

I'd suggest using manual inspection with simple string search tools like findstr.

Here is a great resource for manual security inspection of ASP.NET:
http://msdn.microsoft.com/en-us/library/ms998364.aspx

Or you can jump straight to the security questions that guide your way to finding security vulnerabilities:
http://msdn.microsoft.com/en-us/library/ms998375.aspx

I've got a summary of string search techniques here:
http://blogs.msdn.com/ace_team/archive/2008/07/24/security-code-review-string-search-patterns-for-finding-vulnerabilities-in-asp-net-web-application.aspx
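A string-search review of the kind the MSDN articles describe can be scripted so it is repeatable across a code base. The following is an added example, not the ACE Team's tool or any published rule set: a handful of constructed regular expressions for ASP.NET input sources, output sinks, string-built SQL and weak configuration, run over a constructed code-behind snippet and web.config fragment. The pattern list, `scan_text`, `scan_tree` and the sample text are this example's own.

```python
# Added example: a string-search code review helper in the spirit of the MSDN
# articles linked above. Not the ACE Team's tool; the pattern list is
# constructed and is a starting point for a manual review, not a rule set.
import re
from pathlib import Path

# (label, regex, why it deserves a look). Constructed for this example.
PATTERNS = [
    ("input-source",
     re.compile(r'Request\.(QueryString|Form|Cookies|Params|ServerVariables)\b|Request\['),
     "untrusted input enters here; trace it to every sink"),
    ("html-sink",
     re.compile(r'Response\.Write\(|\.InnerHtml\s*=|<%\s*='),
     "raw HTML output; check that the value was HtmlEncode'd"),
    ("sql-concat",
     re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE)\b[^"\n]*"\s*[+&]', re.I),
     "SQL text built by string concatenation; should be a parameterised command"),
    ("validate-off",
     re.compile(r'ValidateRequest\s*=\s*"?false', re.I),
     "request validation disabled; every input on the page needs its own encoding"),
    ("viewstate-mac-off",
     re.compile(r'EnableViewStateMac\s*=\s*"?false', re.I),
     "ViewState can be tampered with client-side"),
    ("hardcoded-secret",
     re.compile(r'(password|pwd|connectionstring)\s*=\s*"[^"]+"', re.I),
     "credential or connection string in source/config"),
]

SOURCE_EXTS = (".aspx", ".ascx", ".asax", ".cs", ".vb", ".config")


def scan_text(text, filename="<memory>"):
    """Return (filename, line number, label, stripped line) for each pattern hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx, _why in PATTERNS:
            if rx.search(line):
                findings.append((filename, lineno, label, line.strip()))
    return findings


def scan_tree(root):
    """Walk a source tree and scan every file with an ASP.NET-related extension."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SOURCE_EXTS:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed samples standing in for a code-behind file and a web.config.
SAMPLE_CS = '''string name = Request.QueryString["name"];
Response.Write("Hello " + name);
string sql = "SELECT * FROM Users WHERE Name = '" + name + "'";
SqlCommand cmd = new SqlCommand(sql, conn);
lblOut.Text = Server.HtmlEncode(name);   // encoded output: no hit expected
'''
SAMPLE_CONFIG = '''<pages validateRequest="false" enableViewStateMac="false" />
<add name="Main" connectionString="Server=db;User Id=sa;Password=hunter2;" />
'''

if __name__ == "__main__":
    hits = scan_text(SAMPLE_CS, "Search.aspx.cs") + scan_text(SAMPLE_CONFIG, "web.config")
    for f in hits:
        print("%s:%d [%s] %s" % f)
```

Hits are prompts for a reviewer, not findings: the sample's last C# line shows an encoded output the patterns correctly leave alone, and a hit on `Request.QueryString` only matters once you have followed the value to a sink that neither encodes nor parameterises it. Run `scan_tree` on a checkout to get the same list for a real project.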

You can use Paros or Netsparker for security testing. The following URL can help you find some security testing tools:

http://www.webresourcesdepot.com/10-free-web-application-security-testing-tools/

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow