Friday, July 19, 2013

Web Application Penetration Testing Tools

Posted by Tab Pierce on Wed, May 29, 2013 @ 04:19 PM


As an information security consulting firm, we’re often asked what kinds of web application penetration testing tools are available. For clarification, we’re not talking about ‘tools’ as in people. We understand the confusion, because there are a fair number of web application testing ‘tools’ out there. These are some of the web application penetration testing tools we like, alongside the in-house ones we use (which are not listed here).

Burp

From the people at Portswigger, we bring you the free version of the Burp Suite, an integrated platform for testing web applications. We’re big fans of Burp, which we use for everything from mapping to analysis of an application’s attack surface so we can better discover exploitable vulnerabilities. Key features of Burp include (as noted on Portswigger’s website):
  • An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application
  • An application-aware Spider, for crawling content and functionality
  • A Repeater tool, for manipulating and resending individual requests
  • A Sequencer tool, for testing the randomness of session tokens
Even the full version is affordable at $299.00 annually.

Arachni

Arachni is another one of our favorites. It’s an open source web application testing tool that is not only built on the Ruby framework, but is rich in features as well. It is also extremely versatile, with uses ranging from a simple command line scanner to a global high-performance grid of scanners, as well as a Ruby library that allows for scripted audits. Arachni also has a web user interface that allows multiple users to perform and manage multiple scans, which supports collaboration between users by letting them share scans and any issues they have logged. This makes it a simple method for distributing a workload of many scans across a pool of dispatchers. One other very handy feature of Arachni is that it trains itself by learning from the HTTP responses it receives during the audit process, and it is capable of performing meta-analysis using a number of factors to correctly assess the trustworthiness of results and intelligently identify false positives.

OWASP Zed Attack Proxy Project

The Zed Attack Proxy (ZAP) is an easy-to-use program that can be used effectively by anyone, regardless of how much prior security knowledge they have, including those who are new to penetration testing tools. But don’t assume that ZAP is merely an entry-level product. It is robust enough to be utilized by even the most experienced testers. One of ZAP’s primary uses is automated scanning, and it also comes with tools that assist in manual vulnerability searches. It’s designed to be a simple, integrated penetration testing tool for finding web application vulnerabilities.