What tools are available to assess the security of a web application?
Please provide a small description of what the tool does.
Update: More specifically, I'm looking for tools that assume no access to the source code (black box).
There's a large number of apps that can be used in web application assessments. One thing to consider is what kind of tool you're looking for. Some of them are better used alongside a manual test, whereas others are more designed for non-security specialist IT staff as more "black box" scanning tools.
On top of that there's a huge range of scripts and point tools that can be used to assess specific areas of web application security.
Some of my favorites
Burp suite - http://www.portswigger.net . Free and commercial tool. Excellent adjunct to manual testing and has a good scanner capability as well. Of professional web application testers I know, most use this.
W3af - http://w3af.org/ - Open source scanning tool, seems to be developing quite a bit at the moment, primarily focuses on the automated scanning side of things, but it still requires quite a bit of knowledge to use effectively.
On the pure scanning side there's a number of commercial tools available.
Netsparker - http://www.mavitunasecurity.com/netsparker/
IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
HP WebInspect - https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__
Cenzic Hailstorm - http://www.cenzic.com/products/cenzic-hailstormPro/
Acunetix WVS - http://www.acunetix.com/vulnerability-scanner/
NTObjectives NTOSpider - http://www.ntobjectives.com/ntospider
My preferred tool bag to do a black box web app pen. test is currently:
The above tools require some familiarity to wield at full power and are best used in a semi-automated way (e.g. choose a specific web form you want to test, setup "attack" runs, then review the results and pinpoint vulnerabilities or points to test more)
Fully automated scanners to catch low hanging fruit and to get breadth in test coverage:
Maybe AppScan or WebInspect if I have access to a license (these tools are expensive)
It's difficult to keep this list up-to-date. In my opinion -- this is a BAD QUESTION.
The correct question should be "What techniques are available to assess the security of a web application, how are they commonly implemented, and how do you keep up on the latest improvements to both the techniques and their implementations?"
For example, better tools are already available since these answers were put forward: Hatkit, WATOBO, Arachni's web interface, et al.
The primary problem with commercial tools is their lack of ability to innovate and improve. At this point -- almost all commercial products in the web application security space have been stunted by patent wars and loss of individual and social capital. When was the last time you saw a COMMUNITY around an app scanner, app firewall, or security-focused static analysis PRODUCT/SERVICE? The correct answer, yes, is "NEVER". The battle is for free (and/or open-source) tools to try to innovate past the 2004 barrier put forward by these idiotic and non-forward-looking no-talent-clowns that staffed the app scanner, app firewall, and security-focused static analysis companies that are mostly now defunct.
Literally, as seen in the 1.4beta of Burp Suite Professional, the ONLY PERSON innovating in this market is PortSwigger. Cigital innovates, but they have priced themselves out of the consumer and researcher markets.
Why don't you give Arachni a try? It's written in Ruby and it seems to be very promising.
And there's also OWASP Zed Attack Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
To quote from the home page:
"The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually."
It's a fork of Paros and is free, open source and being actively maintained.
Psiinon (ZAP project lead)
The Web Application Security Consortium webpage listed below contains a number of different tools for different roles.
Some of the tools that I use on a regular basis are:
AppScan and WebInspect: automated analysis tools, powerful for automating certain types of checks but lack deep inspection capabilities. Used in manual mode contain some interesting features, but in my experience the user interface gets in the way of the functionality.
Zed Attack Proxy: an intercepting proxy which is a fork and update of the badly out of date Paros Proxy. Fairly powerful for manual testing, and contains some automated testing features.
Skipfish: an interesting, high-speed web application scanner; it lacks the depth of feature set of commercial application scanners, but never claims to have them. It doesn't support advanced scanning features such as application authentication, but has a powerful fuzzing capability for certain types of defects.
Nessus is really bad for web application fuzzing. The open source world can offer Wapiti, Skipfish and w3af (kind of broken). Acunetix is a good commercial product at a reasonable price. NTOSpider is one of the web application fuzzing tools, but it costs $10,000+ and your first born. Sitewatch has a free service that's worth checking out.
There's also OWASP WebScarab and Paros.
However, this page contains a list that should have what you want.
The OWASP organization is a not-for-profit worldwide charitable organization focused on improving the security of application software and has some nice tools to help detect vulnerabilities and protect applications.
Since no one has mentioned it, insecure.org's sectools.org list is a great starting point for application resources in general, especially for those who are relatively new to being actively involved in network-related IT security. If you haven't checked it out, I would absolutely recommend looking over their Top 100 list to familiarize yourself with some of the tools (especially attack tools) that are out there. Bearing in mind the caveats already mentioned (and others assumed), here's the page for their Top 10 Web Vulnerability Scanners.
Packet Storm has an extensive archive of scanners:
You probably want to look into Burp Suite as well. They have a free and paid version but the paid version is relatively inexpensive.
My favorite tool for PCI DSS audits/assessments in terms of web application is Fiddler (or FiddlerCap). You can give either of these tools to a newbie or grandma and they will be able to figure it out with little instruction.
You have them send you a SAZ file (or FiddlerCap file), which involves them using the save dialog after using Internet Explorer to walk their webapp.
Then you can see the HTTP/TLS traffic and make determinations about how the application works, and how it processes payment card information. The Fiddler plugin, Casaba Watcher, can process sessions offline after you give it some site information (add in the top-level domain and subdomains). Watcher will perform some OWASP ASVS activities, which you can map back to ASVS and review. This is all possible without access to the application (e.g. it could be in a QA or dev environment). You typically want to get this information as soon as a developer has a wireframe build available -- way before the application goes into staging or production.
If you do have access to the webapp, then Fiddler can also be of further use. I suggest selecting any part that has user input and running the Casaba x5s plugin against it. The configuration of x5s is rather complicated, but the authors and others online would certainly be willing to help you configure it and understand the results. Fiddler has the capability to replay requests, so it is best to use this functionality (i.e. replay one request at a time) instead of browsing the site live with Fiddler and x5s configured to run. Analyzing the results is not as complicated as the configuration, as it doesn't absolutely require that you know anything about HTML or JavaScript.
The results from these 3 tools are not conclusive. However, they are MORE conclusive than running a web application scanner or security tool -- commercial, $500K/year, or not. I do not recommend NTOSpider, Acunetix, Netsparker, Hailstorm, WebInspect, AppScan, Wapiti, Skipfish, w3af, Burp Suite Free/Professional, or any other "scanner/tool" for PCI DSS audit or assessment work.
What you need after the basics is to hire and work with an application security consulting company that specializes in these kinds of assessments. It is extremely likely that they have their own tools, developed in house, that they are not willing to share or sell.
They will want access to a copy of the buildable source code of the web application(s). It is best to provide a vmdk/OVF/VHD file to them that includes a developer copy of your IDE and/or build server with a working build, including all dependencies and SDKs. They can then provide the necessary configuration and other recommendations for when the app goes into staging or production.
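The SAZ-based workflow above can be reproduced with a short script, so the reviewer can triage a capture before opening Fiddler at all. The following is an added example, not code from the answer, from Fiddler or from Casaba. It assumes the .saz layout of a zip with raw/NN_c.txt (client request) and raw/NN_s.txt (server response) per session, and it infers whether a request went over TLS from the absolute URL Fiddler writes on the request line; both are assumptions to check against one of your own captures. The three sessions are constructed inline using the standard test card numbers; no real data is involved.

```python
"""Offline triage of a Fiddler capture (.saz) for payment-card data exposure."""
import io
import re
import zipfile

# Assumed layout: a .saz is a zip whose raw/ folder holds NN_c.txt (the client
# request) and NN_s.txt (the server response) for each session NN. Check this
# against one of your own captures before relying on it.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: the cheap filter that separates card numbers from order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit runs of 13-19 (spaces/dashes allowed) that pass Luhn, separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan):
    """Keep BIN and last four so the report itself does not become card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_http(raw):
    """Split a raw HTTP message into (start line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def triage_saz(saz_bytes):
    """Walk every session; report PANs the client sent (and whether the request
    went over TLS) and PANs the server echoed back unmasked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as saz:
        names = set(saz.namelist())
        for name in sorted(names):
            m = re.fullmatch(r"raw/(\d+)_c\.txt", name)
            if not m:
                continue
            sid = m.group(1)
            start, _, req_body = parse_http(saz.read(name).decode("utf-8", "replace"))
            url = start.split(" ")[1] if " " in start else ""
            # Assumption: proxied requests carry an absolute URL on the request
            # line, so its scheme tells us whether TLS was in play.
            tls = url.lower().startswith("https://")
            resp_body = ""
            resp_name = "raw/%s_s.txt" % sid
            if resp_name in names:
                _, _, resp_body = parse_http(saz.read(resp_name).decode("utf-8", "replace"))
            for issue, pans in (("pan_in_request", find_pans(req_body)),
                                ("pan_echoed_in_response", find_pans(resp_body))):
                if pans:
                    findings.append({"session": sid, "url": url, "issue": issue,
                                     "tls": tls, "pans": [mask(p) for p in pans]})
    return findings


def build_sample_saz():
    """Constructed three-session capture using the well-known test card numbers."""
    sessions = {
        "01": ("POST https://shop.example/checkout HTTP/1.1\r\nHost: shop.example\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "card=4111111111111111&exp=1226&cvv=123",
               "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<p>Thanks, card ending 1111</p>"),
        "02": ("POST http://shop.example/legacy/pay HTTP/1.1\r\nHost: shop.example\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "card=5555 5555 5555 4444&exp=1226",
               "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<p>Paid with 5555555555554444</p>"),
        "03": ("GET https://shop.example/orders HTTP/1.1\r\nHost: shop.example\r\n\r\n",
               "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<p>Order 1234567890123456 shipped</p>"),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for sid, (req, resp) in sessions.items():
            z.writestr("raw/%s_c.txt" % sid, req)
            z.writestr("raw/%s_s.txt" % sid, resp)
    return buf.getvalue()
```

Running `triage_saz(build_sample_saz())` reports session 01 (card sent, over TLS), session 02 twice (card sent in clear over http, and echoed back unmasked in the response) and nothing for session 03, whose 16-digit order number fails the Luhn check. For a real capture, replace `build_sample_saz()` with the bytes of the .saz file the tester sent you.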
Whilst quite old (outdated?), Wapiti is another free choice: http://wapiti.sourceforge.net/
You have to combine multiple tools together to get good results, and you also have to molest the website on your own (manual tests). The manual method is better because none of the commercial tools understand the business logic, so I suggest the following tools:
For automated tools I think Acunetix, Netsparker, Burp Suite and Google's Websecurify are good to go with, and you can test your web app with more of them.
For the manual method you have to study the OWASP Top 10 to know about common web application vulnerabilities, and after that you should start to test the website.
The following tools will help you a lot in doing manual tests: Paros Proxy to edit HTTP requests/responses; Fiddler allows you to inspect traffic, set breakpoints, and "fiddle" with incoming or outgoing data.
Firefox extensions (Tamper Data, Web Developer): to edit HTTP requests/responses to see how your server reacts. Google these tools and you will see a lot of tutorials out there on how to use them.
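Two of the answers describe the same loop from different ends: the semi-automated approach of picking one form, setting up "attack" runs and reviewing the results, and the manual approach of editing a request in a proxy to see how the server reacts. The following is an added example that shows that loop in plain Python; it is not code from any answer here, nor from Burp, Paros or Fiddler. The target (`WeakApp`), the payload lists and the error signatures are all constructed assumptions for the demo: the target reflects one parameter without encoding and leaks a database error on another, standing in for a site whose source you cannot see.

```python
"""Semi-automated black-box check of one form parameter, against a local target."""
import html
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class WeakApp(BaseHTTPRequestHandler):
    """Constructed stand-in for a black-box site: /search reflects `q` unescaped
    and leaks a database error message when `id` contains a quote."""

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        params = urllib.parse.parse_qs(parsed.query)
        q = params.get("q", [""])[0]
        item = params.get("id", ["1"])[0]
        if "'" in item:
            status = 500
            body = "You have an error in your SQL syntax near '%s'" % item
        else:
            status = 200
            body = "<h1>Results for %s</h1><p>item %s</p>" % (q, html.escape(item))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_target():
    """Serve the weak app on a free loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), WeakApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


MARKER = "zq9x"  # rare token: seeing it in a response means our input came back
PAYLOADS = {
    "xss": ["<%s>" % MARKER, '"><img src=x onerror=%s>' % MARKER],
    "sqli": ["'", "1' OR '1'='1"],
}
SQL_ERRORS = [r"error in your SQL syntax", r"ORA-\d{5}", r"unclosed quotation mark",
              r"pg_query\(\)", r"SQLite3::"]


def fetch(url):
    """GET a URL and return (status, body), even when the server answers 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "fuzz-demo/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def fuzz_param(base, path, param, known_good):
    """Inject each payload into `param` while the other parameters keep their
    known-good values; flag responses that differ from the baseline in a telling
    way. Returns (param, kind, payload, status) tuples for manual follow-up."""
    def url_for(params):
        return "%s%s?%s" % (base, path, urllib.parse.urlencode(params))

    _, baseline = fetch(url_for(known_good))
    findings = []
    for kind, payloads in PAYLOADS.items():
        for payload in payloads:
            status, body = fetch(url_for(dict(known_good, **{param: payload})))
            if kind == "xss" and payload in body:
                # reflected byte-for-byte: no output encoding on this parameter
                findings.append((param, kind, payload, status))
                break
            if kind == "sqli" and any(re.search(sig, body) and not re.search(sig, baseline)
                                      for sig in SQL_ERRORS):
                # error text that only appears once we inject, not on the baseline
                findings.append((param, kind, payload, status))
                break
    return findings


def run_demo():
    """Stand the target up, fuzz both parameters of /search, tear it down."""
    server, port = start_target()
    try:
        base = "http://127.0.0.1:%d" % port
        findings = []
        for param in ("q", "id"):
            findings += fuzz_param(base, "/search", param, {"q": "shoes", "id": "1"})
        return findings
    finally:
        server.shutdown()


if __name__ == "__main__":
    for param, kind, payload, status in run_demo():
        print("param=%s kind=%s status=%s payload=%r" % (param, kind, status, payload))
```

Run as a script it flags `q` for reflected XSS and `id` for a SQL error, and nothing else; the baseline comparison is what keeps an application that always prints "error in your SQL syntax" in its footer from lighting up every parameter. Against a real site, point `fuzz_param` at the form you chose and treat each finding as a lead to confirm by hand in the proxy, which is exactly the semi-automated workflow the answers describe.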