I'm looking for a new tool for the ol' admin toolkit and would value some suggestions.

I would like to do some "automated" testing of handful of websites for XSS (cross site scripting) vulns, along with checking for SQL injection opportunities. I realize that an automated tool approach isn't necessarily the only or best solution, but I'm hoping it would give me a nice start.

The sites I need to scan cover the range in stacks from PHP / MySQL to Coldfusion, with some classic ASP and ASP.NET mixed in for good measure.

What tools would you use to scan for Web application vulns?

(Please note I'm focusing on the web apps directly, not the servers themselves).

chmeee
Chris_K

7 Answers

I've had good results from wapiti - it scans your web forms and attempts injections and XSS attacks against them.

If you have the time, I'd suggest getting the backtrack distribution - it's a modified ubuntu liveCD that's been loaded up with nikto, wapiti, openVAS (a fork of nessus) and hundreds of other great security audit tools; I've used it in a few audits and had good results; it's definitely worth exploring the tools on it.

See the nikto step by step guide here.

Techie
Tim Howland
  • I think wapiti is where I'll start. Thank you for that and the backtrack tip. – Chris_K Jul 29 '09 at 04:16
  • I didn't think I should accept an answer on a community wiki question, however SF was urging me to so... grats! :-) – Chris_K Jul 30 '09 at 00:01
  • heh, too funny. Definitely give the backtrack liveCD a shot if you get a rainy afternoon, too; it includes most of the tools below and a bunch of other ones. – Tim Howland Jul 30 '09 at 12:38
Check out Nikto

HTTP500

Start at the top 10 list from Insecure.org -- who give us the wonderful Nmap.

Some other things that appear to be missed in that list,

user9517
nik
  • great list. I'm familiar with the "big list" at insecure.org, hadn't even noticed they had categorized versions. Very helpful! Webshag is intriguing too. Might give that a go after I suss out wapiti. – Chris_K Jul 29 '09 at 04:18
Paros Proxy is a proxy that can do spidering and automated scans.

This is a short manual to test it:

  • Launch paros.jar
  • Configure your browser proxy for localhost:8080
  • Navigate through the pages you want to analyze
  • Complete the list with the option 'Analyze -> Spider...'
  • Do an automatic scan 'Analyze -> Scan All'
  • Generate a report 'Report -> Last Scan Report'

I also like w3af, which is a more advanced tool for web app analysis, in a similar fashion to Metasploit but for web apps.

chmeee

Some tools I've used, and had pretty good luck with, are:

  • Burp Proxy
  • HP WebInspect (costs money)
  • Google RatProxy (requires you to browse to the site, but it works OK and it's free)
  • Fortify (not a scanner but very good at finding stuff)
  • Veracode

I've also seen decent results from Cenzic Hailstorm.

atk

I am using a free online XSS scanner tool: link text

I'd use Selenium or something similar to write some functional tests that exercised the web app. Then set up ratproxy and rerun the tests. Ratproxy will find XSS, XSRF, and a bunch of other types of vulnerabilities.

You could also use ratproxy without the automated tests to do some manual tests. The automated tests just make it easier to rerun after you think you have fixed the problems.

Gene Gotimer
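As an added example (not code from any of the answers or the tools they name), a small Python harness for the "rerun after you think you have fixed the problems" step: it sends one marker per form field containing only the HTML metacharacters `"<>` (no script) and reports whether each field comes back entity-encoded, raw, or altered. `submit` is any callable you supply that posts the form and returns the response body (a urllib wrapper, or Selenium driving a browser through ratproxy); `fake_submit` is a constructed stand-in so the block runs offline.

```python
import html
import secrets
from typing import Callable, Dict, Iterable

# Metacharacters an HTML output-encoding sink must neutralise. '&' is left out
# on purpose: it appears inside the entities themselves and would confuse the check.
PROBE_SUFFIX = '"<>'
SEVERITY = {"RAW": 3, "ALTERED": 2, "ENCODED": 1, "ABSENT": 0}


def make_probe(field: str) -> str:
    """Per-field marker with a random nonce so each reflection is traceable to its field."""
    return f"xsschk{secrets.token_hex(4)}{field}{PROBE_SUFFIX}"


def classify_reflection(body: str, probe: str) -> str:
    """Worst verdict over every place the probe's marker appears in the response.

    RAW      suffix reflected untouched: output encoding is missing for this sink
    ALTERED  marker present but suffix neither raw nor fully entity-encoded
             (partial encoding, stripping, or another entity form such as &#34;): inspect by hand
    ENCODED  suffix came back as &quot;&lt;&gt;: the sink encodes correctly
    ABSENT   marker never reflected in this response
    """
    marker = probe[: -len(PROBE_SUFFIX)]
    encoded = html.escape(PROBE_SUFFIX, quote=True)   # '&quot;&lt;&gt;'
    worst = "ABSENT"
    pos = body.find(marker)
    while pos != -1:
        tail = body[pos + len(marker):]
        verdict = "RAW" if tail.startswith(PROBE_SUFFIX) else (
            "ENCODED" if tail.startswith(encoded) else "ALTERED")
        if SEVERITY[verdict] > SEVERITY[worst]:
            worst = verdict
        pos = body.find(marker, pos + 1)
    return worst


def check_form(fields: Iterable[str], submit: Callable[[Dict[str, str]], str]) -> Dict[str, str]:
    """Submit one probe per field in a single request and classify each field's reflection."""
    probes = {f: make_probe(f) for f in fields}
    body = submit(probes)
    return {f: classify_reflection(body, p) for f, p in probes.items()}


def fake_submit(fields: Dict[str, str]) -> str:
    """Constructed stand-in for a form handler: encodes 'name', echoes 'comment' raw, drops 'email'."""
    return (f"<p>Thanks, {html.escape(fields['name'], quote=True)}!</p>"
            f"<blockquote>{fields['comment']}</blockquote>")


if __name__ == "__main__":
    print(check_form(["name", "comment", "email"], fake_submit))
```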