Posted by Tab Pierce on Wed, May 29, 2013 @ 04:19 PM
As an information security consulting firm, we're often asked what kinds of web application penetration testing tools are available. For clarification, we're not talking about 'tools' as in people. We understand the confusion, because there are a fair number of web application testing 'tools' out there. But these are some of the web application penetration testing tools we like, along with the in-house ones we use (which are not listed here).
Burp
From the people at Portswigger, we bring you the free version of the Burp Suite, which is an integrated platform for testing web applications. We're big fans of Burp, which we use for everything from mapping to analysis of an application's attack surface so we can better discover exploitable vulnerabilities. Key features of Burp include (as noted on Portswigger's website):
- An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application
- An application-aware Spider, for crawling content and functionality
- A Repeater tool, for manipulating and resending individual requests
- A Sequencer tool, for testing the randomness of session tokens
Even the full version is affordable at $299.00 annually.
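Burp's Sequencer judges how unpredictable a session token is across a captured sample. The following is an added example (mine, not Portswigger's code, and not how Sequencer is implemented) that runs the simplest version of that check in Python over constructed token samples: per-position Shannon entropy, which immediately separates a counter-based token from a random one. The 64-bit floor in `verdict` is an assumption chosen for illustration.

```python
import math
import random
from collections import Counter


def shannon_bits(symbols):
    """Empirical Shannon entropy, in bits per symbol, of a sequence of symbols."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def analyze_tokens(tokens):
    """Per-character-position entropy across a sample of equal-length tokens.

    Returns (bits_per_position, total_bits, fixed_positions), where
    fixed_positions lists indexes whose character never varies in the sample.
    A strong token shows high entropy at every position; a counter or
    timestamp shows long runs of fixed or near-fixed positions.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    per_pos = [shannon_bits(t[i] for t in tokens) for i in range(length)]
    fixed = [i for i, bits in enumerate(per_pos) if bits == 0.0]
    return per_pos, sum(per_pos), fixed


def verdict(tokens, min_total_bits=64.0):
    """Flag a sample whose estimated entropy falls below a floor (assumed: 64 bits)."""
    _, total, _ = analyze_tokens(tokens)
    return "weak" if total < min_total_bits else "acceptable"


# Constructed samples, not captured from any real application.
# A "token" that is really a sequential counter behind a fixed prefix:
WEAK_TOKENS = [f"SESS{1000 + i:05d}" for i in range(200)]
# A 128-bit random token; a seeded PRNG stands in for a CSPRNG so the run is reproducible:
_rng = random.Random(2013)
STRONG_TOKENS = ["".join(_rng.choice("0123456789abcdef") for _ in range(32)) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("counter", WEAK_TOKENS), ("random", STRONG_TOKENS)):
        per_pos, total, fixed = analyze_tokens(sample)
        print(f"{name}: ~{total:.1f} bits over {len(per_pos)} positions, "
              f"fixed positions {fixed}, verdict {verdict(sample)}")
```

Summing per-position entropy treats positions as independent, so it over-estimates for structured tokens; Sequencer applies many more statistical tests than this, and a low score here is a reason to look closer, not a final answer.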
Arachni
Arachni is another one of our favorites. It's an open source web application testing tool that is not only built on the Ruby framework, but is rich in features as well. It is also extremely versatile, with uses ranging from a simple command line scanner to a global high-performance grid of scanners, as well as a Ruby library that allows for scripted audits.
Arachni also has a web user interface that allows multiple users to perform and manage multiple scans, which supports collaborative efforts between users to share scans and any issues they might have logged. This makes it a simple method for distributing a workload of many scans across a pool of dispatchers. One other very handy feature of Arachni is that it trains itself by learning from the HTTP responses it receives during the audit process and is capable of performing meta-analysis using a number of factors to correctly assess the trustworthiness of results and intelligently identify false positives.
OWASP Zed Attack Proxy Project
The Zed Attack Proxy (ZAP) is an easy-to-use program that can be used effectively by anyone with little or a lot of prior security knowledge, including those who are new to penetration testing tools. But don't assume that ZAP is merely a low-level product. It is robust enough to be utilized by even the most experienced testers. ZAP is primarily used for automated scanning, and it also comes with tools that assist in manual vulnerability searches. It's designed to be a simple, integrated penetration testing tool for finding web application vulnerabilities.