2

I am working on a Web platform that must-need-should have a good level of security.

Therefore, I am interested in a good quality tool to test my Web platform QA on security.

My main programming skill is Java.

Is there a really good and open source tool for the website scanning e.g. OWASP, auto cookie check's and similar things. Ideally written in Java(need to be able to customise it)

Looking forward to hear your suggestions,

BlueBerry - Vignesh4303
  • 5,107
  • 13
  • 34
  • 63

5 Answers5

5

You can do some automated scans with OWASP ZAP or Burp (Burp isn't free).

Adi
  • 43,808
  • 16
  • 135
  • 167
Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
3

If you decide to use ZAP (and obviously I hope you do;) then please consider feeding any customizations you need to make back into ZAP. ZAP is a community project - we try to encourage as many people as possible to get involved. And if you submit some good quality code then we'll give you commit access :)

We also have a very active developer group, so if you have any questions about the ZAP internals then ask them here: http://groups.google.com/group/zaproxy-develop

Cheers,

Simon (ZAP Project Lead)

Simon Bennetts
  • 1,390
  • 7
  • 10
1

To name a few, w3af(good one), skipfish, Arachni(excellent report), OWASP ZAP, VEGA ,Wapiti

These are the few that I have worked with. They are not written in Java though. w3af and Wapiti is written in python, Arachni in ruby, Skipfish is written in C. I am not sure about VEGA and I believe that OWASP ZAP is written in Java

Adi
  • 43,808
  • 16
  • 135
  • 167
aRun
  • 551
  • 3
  • 10
0

Are you developing the Web platform yourself? If yes, take a look at the most current OWASP Top Ten 2013, especially the prevention mechanisms.

The tools mentioned by aRun and Lucas are great, but if you haven't worked with them before, you will probably only find very obvious security issues. If the platform really requires a "good level of security" (whatever that exactly means) you should probably get somebody else with knowledge of Web Application Security Testing to check your site.

twobeers
  • 1,079
  • 5
  • 10
0

A great resource in this area is The Web Application Security Consortium. They have slightly dated list of web application security scanners broken out by license type.

The two that would be most relevant to you based on the Java/Open Source requirement are OWASP ZAP and andiparos. Development on andiparos appears to have stopped in 2010 to focus on ZAP. So ZAP is probably your best bet.

sdanelson
  • 1,267
  • 10
  • 21