63

What tools are available to assess the security of a web application?

Please provide a small description of what the tool does.

Update: More specifically, I'm looking for tools that assume no access to the source code (black box).

– Olivier Lalonde

  • Should this be a CW? – makerofthings7 Nov 22 '10 at 16:24
  • Heh, yeah, that works. – eficker Mar 29 '11 at 06:17
  • Specifically, according to PCI you would need to check for the current OWASP Top 10. – AviD Mar 29 '11 at 06:39
  • You've described the most basic, unobtrusive scan Nessus has to offer. If you're willing to enable a bunch of options, and provide credentials, it will actually attempt to perform SQL injections and the like, not just look for indications that they might exist. – Scott Pack Mar 29 '11 at 11:34
  • Comparison of web application scanners: http://blog.portswigger.net/2010/06/comparing-web-application-scanners-part.html and http://blog.portswigger.net/2010/06/comparing-web-application-scanners.html – claws May 17 '11 at 15:07
  • Make sure to tell your hosting company that you are going to be scanning it. I got banned from one of mine, which meant I couldn't even get to their site to submit a trouble ticket saying I was blocked. I had to get on from a different location to submit the ticket and explain what had happened, and wait a while for it all to get sorted out. – corymathews Jul 26 '11 at 16:02
  • RE:"Update:" You should really consider that access is somehow gained to the server, which would allow for decompilation. – atdre Mar 15 '12 at 04:57

16 Answers

29

There's a large number of apps that can be used in web application assessments. One thing to consider is what kind of tool you're looking for. Some of them are better used alongside a manual test, whereas others are designed more for non-security-specialist IT staff as "black box" scanning tools.

On top of that there's a huge range of scripts and point tools that can be used to assess specific areas of web application security.

Some of my favorites

Burp suite - http://www.portswigger.net . Free and commercial tool. Excellent adjunct to manual testing and has a good scanner capability as well. Of professional web application testers I know, most use this.

W3af - http://w3af.org/ - Open source scanning tool, seems to be developing quite a bit at the moment, primarily focuses on the automated scanning side of things, but still requires quite a bit of knowledge to use effectively.

On the pure scanning side there's a number of commercial tools available.

Netsparker - http://www.mavitunasecurity.com/netsparker/

IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/

HP WebInspect - https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__

Cenzic Hailstorm - http://www.cenzic.com/products/cenzic-hailstormPro/

Acunetix WVS - http://www.acunetix.com/vulnerability-scanner/

NTObjectives NTOSpider - http://www.ntobjectives.com/ntospider

– Rory McCune

  • w3af is mostly a post-exploitation tool, or to be used as part of a larger toolchain. AppScan, WebInspect, Hailstorm, Acunetix, and NTOSpider have been shown in the literature (i.e. "Why Johnny Can't Pen-Test" [PDF] -- http://www.cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf) to be expensive and largely useless. I suggest avoiding them in preference for better tools such as Burp Suite Professional. – atdre Nov 14 '10 at 12:47
  • I'm not sure I'd agree that the commercial scanners are largely useless. I'd say that it depends on who the user is and what your goals are. Burp is definitely my tool of choice as a tester, but for non-specialists doing scanning, or for scenarios like large volume scanning of internal applications, I'd say that these tools have a place. Whether they're completely worth the money is another question. What specifically makes you say that w3af is mainly post-exploitation? from what I've seen of it, it has a number of scanner and discovery like modules (xss, xsrf, sqli etc)? – Rory McCune Nov 14 '10 at 16:54
  • And @atdre, don't necessarily expect to agree - this is a long-running argument in the field, and usually the proponents discuss this from different PoVs and in different contexts. While in general I agree that the autotools are overly expensive and of little value for a secure system, as compared to the value of a manual review, in the more insecure systems they are great for picking up the hundreds of low-hanging fruit. It's a question of depth vs. breadth (and speed). Also see http://security.stackexchange.com/questions/215/automated-tools-vs-manual-reviews/317. – AviD Nov 14 '10 at 19:52
  • WebInspect/etc are good for server platform vulnerabilities that are application-oriented and which OpenVAS/Nessus/Qualys/Rapid7/MSF-auxiliary-modules don't typically check for – atdre Nov 17 '10 at 22:29
  • Comparison of web application scanners: http://blog.portswigger.net/2010/06/comparing-web-application-scanners-part.html and http://blog.portswigger.net/2010/06/comparing-web-application-scanners.html – claws May 17 '11 at 15:07
15

My preferred tool bag to do a black box web app pen. test is currently:

  • BURP Suite "is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application"
  • Fiddler another proxy tool "fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data"
  • Fiddler x5s addon - x5s aims to assist penetration testers in finding cross-site scripting vulnerabilities.
  • Fiddler watcher addon - Watcher is a runtime passive-analysis tool for Web applications.

The above tools require some familiarity to wield at full power and are best used in a semi-automated way (e.g. choose a specific web form you want to test, setup "attack" runs, then review the results and pinpoint vulnerabilities or points to test more)

Fully automated scanners to catch low hanging fruit and to get breadth in test coverage:

Maybe AppScan or WebInspect if I have access to a license (these tools are expensive).

– Tate Hansen

  • I use this exact same toolchain. I wish that Context App Tool (CAT) was a bit more stable, otherwise I'd include it! – atdre Nov 14 '10 at 12:41
  • I have recently added WhatWeb and inspathx to my list of tools. – atdre Feb 19 '11 at 21:18
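The semi-automated "attack run" workflow this answer describes (pick one input, send probes, review the results by hand), as an added example that is not x5s's code or any other tool's: a small Python probe in the style of x5s. It wraps each XSS-relevant character in a unique canary, sends it through a `send` callable, and classifies how the character came back. The `send` callable, the three constructed stand-in pages (`vulnerable_search`, `hardened_search`, `filtering_search`) and the fixed canary are assumptions so the example runs offline; against a real target `send` would issue the HTTP request.

```python
"""x5s-style reflection probe: how does each special character come back?"""
import html
import secrets

# Characters whose unencoded reflection matters when input lands in HTML or JS.
PROBE_CHARS = ["<", ">", '"', "'", "&", "/", "\\"]


def build_probes(canary):
    """One payload per character: canary + char + canary, so we can find our own input."""
    return {c: f"{canary}{c}{canary}" for c in PROBE_CHARS}


def classify_reflection(body, canary, char):
    """Verdict for one probe: 'raw', 'encoded', 'stripped' or 'absent'.

    We locate the two canaries and inspect only what sits between them, so any
    encoding scheme (&lt;, &#x27;, %3C ...) is reported as 'encoded' without a
    table of expected encodings.
    """
    start = body.find(canary)
    if start == -1:
        return "absent"
    end = body.find(canary, start + len(canary))
    if end == -1:
        return "absent"          # canary not reflected intact; treat as not reflected
    between = body[start + len(canary):end]
    if between == char:
        return "raw"
    if between == "":
        return "stripped"
    return "encoded"


def scan_parameter(send, param, canary=None):
    """Run every probe through send(param, value) -> response body; map char -> verdict."""
    canary = canary or secrets.token_hex(4)  # random so it cannot collide with page text
    return {c: classify_reflection(send(param, payload), canary, c)
            for c, payload in build_probes(canary).items()}


def unencoded(results):
    """The characters a tester should follow up on by hand."""
    return [c for c, verdict in results.items() if verdict == "raw"]


# --- constructed stand-in targets (assumptions, not real applications) ---------
def vulnerable_search(param, value):
    """Echoes the query straight into the page."""
    return f"<html><body>Results for: {value}</body></html>"


def hardened_search(param, value):
    """Same page with HTML entity encoding on output."""
    return f"<html><body>Results for: {html.escape(value, quote=True)}</body></html>"


def filtering_search(param, value):
    """Naive blacklist: deletes angle brackets and nothing else."""
    return f"<html><body>Results for: {value.replace('<', '').replace('>', '')}</body></html>"


if __name__ == "__main__":
    for name, target in [("vulnerable", vulnerable_search), ("hardened", hardened_search),
                         ("filtering", filtering_search)]:
        verdicts = scan_parameter(target, "q")
        print(name, verdicts, "-> follow up on:", unencoded(verdicts))
```

Only `raw` verdicts are candidate findings, and even those need context: the hardened page still reflects `/` and `\` unencoded, which is harmless in an HTML text node but matters inside a `<script>` string, which is why the output is a per-character verdict to review rather than a yes/no.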
10

It's difficult to keep this list up-to-date. In my opinion -- this is a BAD QUESTION.

The correct question should be "What techniques are available to assess the security of a web application, how are they commonly implemented, and how do you keep up on the latest improvements to both the techniques and their implementations?"

For example, better tools are already available since these answers were put forward: Hatkit, WATOBO, Arachni's web interface, et al.

The primary problem with commercial tools is their lack of ability to innovate and improve. At this point -- almost all commercial products in the web application security space have been stunted by patent wars and loss of individual and social capital. When was the last time you saw a COMMUNITY around an app scanner, app firewall, or security-focused static analysis PRODUCT/SERVICE? The correct answer, yes, is "NEVER". The battle is for free (and/or open-source) tools to try to innovate past the 2004 barrier put forward by these idiotic and non-forward-looking no-talent-clowns that staffed the app scanner, app firewall, and security-focused static analysis companies that are mostly now defunct.

Literally, as seen in the 1.4beta of Burp Suite Professional, the ONLY PERSON innovating in this market is PortSwigger. Cigital innovates, but they have priced themselves out of the consumer and researcher markets.

– atdre
8

I enjoyed SkipFish

– gbr
  • +1 was checking this out quite recently seemed very good. – Mark Davidson Nov 11 '10 at 23:27
  • You should be careful with SkipFish - it generates huge logs. –  Nov 11 '10 at 23:38
  • Skipfish's crawler demonstrates a 41% coverage rate using http://wivet.googlecode.com. Other tools are much stronger, especially Burp, Fiddler, and even the Skipfish author's own Ratproxy, because manually walking an app provides better results, although perhaps not for forced browsing, content discovery, or directory traversal checks. – atdre Nov 14 '10 at 12:44
6

Why don't you give Arachni a try. It's written in ruby and it seems to be very promising.

– Paolo Perego
6

And there's also OWASP Zed Attack Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

To quote from the home page:

"The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually."

It's a fork of Paros and is free, open source and being actively maintained.

Psiinon (ZAP project lead)

– Psiinon
  • Welcome @Psiinon - looks like I will have to look into Zed. When I first heard of it I wondered if it was just another Burp clone. – Rory Alsop Jul 26 '11 at 13:01
  • @Rory - it's a descendant of Paros proxy - so it kind of is... – AviD Jul 26 '11 at 20:01
4

The Web Application Security Consortium webpage listed below contains a number of different tools for different roles.

http://projects.webappsec.org/w/page/13246988/Web-Application-Security-Scanner-List

Some of the tools that I use on a regular basis are:

AppScan and WebInspect: automated analysis tools, powerful for automating certain types of checks but lack deep inspection capabilities. Used in manual mode contain some interesting features, but in my experience the user interface gets in the way of the functionality.

Zed Attack Proxy: an intercepting proxy which is fork and update of the badly out of date Paros Proxy. Fairly powerful for manual testing, and contains some automated testing features.

Skipfish: an interesting, high-speed web application scanner; it lacks the depth of feature set of commercial application scanners, but never claims to have them. It doesn't support advanced scanning features such as application authentication, but has a powerful fuzzing capability for certain types of defects.

– ygjb
  • Does the Web Application Security Consortium have a bias because all of their board members are current or former employees of web application security scanner or other application security product companies? – atdre Nov 14 '10 at 12:49
  • Probably, but bias exists in any organization. OWASP had already been listed in other comments so there was no need to repeat it. – ygjb Nov 19 '10 at 17:27
  • @atdre - no, there are many board members who are not associated with scanner or security product companies :-) – Rory Alsop Dec 30 '10 at 02:23
4

Nessus is really bad for web application fuzzing. The open source world can offer Wapiti, Skipfish and w3af (kind of broken). Acunetix is a good commercial product at a reasonable price. NTOSpider is one of the web application fuzzing tools, but it costs $10,000+ and your first born. Sitewatch has a free service that's worth checking out.

– rook

  • I beg to differ - while NTOSpider is indeed a solid tool, it is far from "undisputed". I know of quite a few vendors that would "dispute" that claim, correctly or not. – AviD Mar 29 '11 at 23:01
  • @AviD♦ Yep and the vendors that dispute it haven't used NTOSpider. I have used a lot of web app fuzzing tools and NTOSpider isn't worth the price. – rook Mar 30 '11 at 16:38
  • you're saying NTOSpider is *not* worth the price? I've used it only briefly, but it didnt knock my socks off... regardless, the point I was taking was with use of "undisputed". – AviD Mar 30 '11 at 22:36
  • @AviD You're right, Sitewatch is free and it finds vulnerabilities that NTO has missed. I changed my post. – rook Mar 31 '11 at 00:37
4

There's also OWASP WebScarab and Paros.

However, this page contains a list that should have what you want.

– Jeff

  • I'm glad you like the Phoenix/Tools list! It's a bit outdated since I started the project 4 years ago, but it's hard to find good lists. I think Matt Tesaro has a few similar ones. – atdre Nov 17 '10 at 22:30
4

The OWASP organization is a not-for-profit worldwide charitable organization focused on improving the security of application software and has some nice tools to help detect vulnerabilities and protect applications.

– Eric Warriner
2

Since no one has mentioned it, insecure.org's sectools.org list is a great starting point for application resources in general, especially for those who are relatively new to being actively involved in network-related IT security. If you haven't checked it out, I would absolutely recommend looking over their Top 100 list to familiarize yourself with some of the tools (especially attack tools) that are out there. Bearing in mind the caveats already mentioned (and others assumed), here's the page for their Top 10 Web Vulnerability Scanners.

– jgbelacqua
2

Packet Storm has an extensive archive of scanners:

http://packetstormsecurity.org/files/tags/scanner/

2

You probably want to look into Burp Suite as well. They have a free and paid version but the paid version is relatively inexpensive.

– wickett
2

My favorite tool for PCI DSS audits/assessments in terms of web application is Fiddler (or FiddlerCap). You can give either of these tools to a newbie or grandma and they will be able to figure it out with little instruction.

You have them send you a SAZ file (or FiddlerCap file), which involves them using the save dialog after using Internet Explorer to walk their webapp.

Then you can see the HTTP/TLS traffic and make determinations about how the application works, and how it processes payment card information. The Fiddler plugin, Casaba Watcher, can process sessions offline after you give it some site information (add in the top-level domain and subdomains). Watcher will perform some OWASP ASVS activities, which you can map back to ASVS and review. This is all possible without access to the application (e.g. it could be in a QA or dev environment). You typically want to get this information as soon as a developer has a wireframe build available -- way before the application goes into staging or production.

If you do have access to the webapp, then Fiddler can also be of further use. I suggest selecting any part that has user input and running the Casaba x5s plugin against it. The configuration of x5s is rather complicated, but the authors and others online would certainly be willing to help you configure it and understand the results. Fiddler has the capability to replay requests, so it is best to use this functionality (i.e. replay one request at a time) instead of browsing the site live with Fiddler and x5s configured to run. Analyzing the results is not as complicated as the configuration, as it doesn't absolutely require that you know anything about HTML or JavaScript.

The results from these 3 tools are not conclusive. However, they are MORE conclusive than running a web application scanner or security tool -- commercial, $500K/year, or not. I do not recommend NTOSpider, Acunetix, Netsparker, Hailstorm, WebInspect, AppScan, Wapiti, Skipfish, w3af, Burp Suite Free/Professional, or any other "scanner/tool" for PCI DSS audit or assessment work.

What you need after the basics is to hire and work with an application security consulting company that specializes in these kinds of assessments. It is extremely likely that they have their own tools, developed in house, that they are not willing to share or sell.

They will want access to a copy of the buildable source code of the web application(s). It is best to provide a vmdk/OVF/VHD file to them that includes a developer copy of your IDE and/or build server with a working build, including all dependencies and SDKs. They can then provide the necessary configuration and other recommendations for when the app goes into staging or production.

– atdre

  • +1 for 'hire an app sec consulting company' - all tools are just that, tools, which can help, but are definitely not a replacement for, an experienced professional! – Rory Alsop Mar 31 '11 at 08:24
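The offline review of captured sessions this answer describes, as an added example that is not Watcher's or Casaba's code: a Python passive check over request/response pairs. Nothing is sent to the application; the input is what the browser already exchanged. The sessions here are constructed in memory (the shape a SAZ or HAR export would be parsed into, with headers as (name, value) pairs so Set-Cookie can repeat), the card-field name heuristic is an assumption, and the checks chosen (card data posted over plain HTTP, cookie flags, cacheable card-handling pages, a full PAN echoed in a response) are this example's own selection, not a mapping to ASVS.

```python
"""Watcher-style passive checks over captured HTTP sessions (offline, read-only)."""
import re
from urllib.parse import urlparse

# Form fields that usually carry payment card data (assumed heuristic, not a standard).
CARD_FIELD_RE = re.compile(r"(card|pan\b|cvv|cvc|ccnum|expir)", re.I)
# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum, so order numbers and timestamps are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def find_pans(text):
    """Luhn-valid card-number-looking strings in text (digits only, separators removed)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def header_values(headers, name):
    """All values of a header, case-insensitively; headers is a list of (name, value)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def cookie_flags(set_cookie):
    """(secure, httponly) for one Set-Cookie value."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs, "httponly" in attrs


def check_session(s):
    """Findings for one captured request/response pair: list of (check, detail)."""
    findings = []
    url = urlparse(s["url"])
    handles_card_data = bool(CARD_FIELD_RE.search(s.get("request_body", "")))
    if handles_card_data and url.scheme != "https":
        findings.append(("cleartext-card-data", f"{s['method']} {s['url']}"))
    for sc in header_values(s["response_headers"], "Set-Cookie"):
        name = sc.split("=", 1)[0].strip()
        secure, httponly = cookie_flags(sc)
        if url.scheme == "https" and not secure:
            findings.append(("cookie-missing-secure", name))
        if not httponly:
            findings.append(("cookie-missing-httponly", name))
    if handles_card_data:
        cache = " ".join(header_values(s["response_headers"], "Cache-Control")).lower()
        if "no-store" not in cache:
            findings.append(("card-page-cacheable", s["url"]))
    for pan in find_pans(s.get("response_body", "")):
        findings.append(("pan-in-response", pan[:6] + "..." + pan[-4:]))  # never log the full PAN
    return findings


def review(sessions):
    """Map each session URL to its findings."""
    return {s["url"]: check_session(s) for s in sessions}


# Constructed sample capture (assumption): one bad checkout, one well-behaved page.
# 4111111111111111 is a Luhn-valid test number, not a real card.
SESSIONS = [
    {
        "method": "POST",
        "url": "http://shop.example/checkout",
        "request_body": "cardnumber=4111111111111111&expiry=12%2F26&cvv=123",
        "response_headers": [("Content-Type", "text/html"),
                             ("Set-Cookie", "session=abc123; Path=/")],
        "response_body": "<p>Thanks! Card 4111111111111111 charged. Order 20260105</p>",
    },
    {
        "method": "GET",
        "url": "https://shop.example/account",
        "request_body": "",
        "response_headers": [("Content-Type", "text/html"), ("Cache-Control", "no-store"),
                             ("Set-Cookie", "sid=xyz; Secure; HttpOnly; Path=/")],
        "response_body": "<p>Card on file: ****1111</p>",
    },
]

if __name__ == "__main__":
    for url, findings in review(SESSIONS).items():
        print(url, findings or "no findings")
```

The scheme check only looks at the URL the browser used; a capture taken in a dev environment that runs on plain HTTP will flag everything, so compare against the environment the app is actually deployed in. The PAN check is deliberately narrow (Luhn-valid, 13 to 19 digits) to keep false positives down; it will still miss numbers split across markup.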
1

Whilst quite old(outdated?) Wapiti is another free choice: http://wapiti.sourceforge.net/

– Ben Scobie
1

You have to combine multiple tools to get good results, and you also have to molest the website on your own (manual tests). The manual method is better because none of the commercial tools understand the business logic, so I suggest the following tools:

For automated tools, I think Acunetix, Netsparker, Burp Suite and Google's Websecurify are good to go with, and you can test your web app with more of them.

For the manual method you have to study the OWASP Top 10 to know about common web application vulnerabilities, and after that you should start to test the website.

The following tools will help you a lot in doing manual tests: Paros Proxy, to edit HTTP requests/responses; Fiddler, which allows you to inspect traffic, set breakpoints, and "fiddle" with incoming or outgoing data.

Firefox extensions (Tamper Data, Web Developer): to edit HTTP requests/responses and see how your server reacts. Google these tools and you will see a lot of tutorials out there on how to use them.

– P3nT3ster
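The request/response editing that Paros, Fiddler and Tamper Data are recommended for above, as an added example not taken from any of those tools: a minimal intercepting HTTP proxy in Python with one rewrite hook on the way out and one on the way back. The listen address 127.0.0.1:8080 and the two demo rules inside the hooks (forcing a `role` query parameter to `admin` to exercise an access-control check, and stripping Content-Security-Policy from replies so injected test payloads are not blocked while testing) are assumed illustrations, not rules from any product. Plain HTTP only; TLS interception (a proxy CA and CONNECT handling) is not shown.

```python
"""Minimal intercepting HTTP proxy: browser -> this proxy -> target (plain HTTP only)."""
import http.client
import http.server
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Headers that describe one hop only and must not be copied to the next hop.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "proxy-authorization",
              "proxy-authenticate", "te", "trailer", "transfer-encoding", "upgrade"}


def tamper_request(method, url, headers, body):
    """Outbound hook. Demo rule (assumed): set any `role` query parameter to `admin`."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))  # note: drops duplicate keys
    if "role" in query:
        query["role"] = "admin"
    url = urlunsplit(parts._replace(query=urlencode(query)))
    # Content-Length is recomputed by http.client; dropping Accept-Encoding keeps
    # response bodies uncompressed and therefore readable in the transcript.
    out = {k: v for k, v in headers.items()
           if k.lower() not in HOP_BY_HOP | {"content-length", "accept-encoding"}}
    out["X-Intercepted"] = "1"  # lets the tester spot proxied traffic in server logs
    return method, url, out, body


def tamper_response(status, headers, body):
    """Inbound hook. Demo rule (assumed): strip CSP so test payloads run in the browser.
    Any finding made this way must be re-verified with the proxy out of the path."""
    kept = [(k, v) for k, v in headers
            if k.lower() not in HOP_BY_HOP | {"content-length", "content-security-policy"}]
    return status, kept, body


class InterceptingHandler(http.server.BaseHTTPRequestHandler):
    def _forward(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        method, url, headers, body = tamper_request(
            self.command, self.path, dict(self.headers), body)
        parts = urlsplit(url)
        if not parts.netloc:  # browsers configured to use a proxy send absolute URLs
            self.send_error(400, "expected an absolute URL; configure the browser to proxy here")
            return
        conn = http.client.HTTPConnection(parts.netloc, timeout=15)
        try:
            conn.request(method, urlunsplit(("", "", parts.path or "/", parts.query, "")),
                         body=body, headers=headers)
            resp = conn.getresponse()
            status, rheaders, rbody = tamper_response(resp.status, resp.getheaders(), resp.read())
        finally:
            conn.close()
        self.log_message("%s %s -> %s", method, url, status)  # the transcript a tester reviews
        self.send_response(status)
        for k, v in rheaders:
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(rbody)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(rbody)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = do_OPTIONS = _forward


def serve(host="127.0.0.1", port=8080):
    """Block and proxy until interrupted; point the browser's HTTP proxy at host:port."""
    http.server.ThreadingHTTPServer((host, port), InterceptingHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Everything a real proxy adds on top of this (TLS interception with a locally trusted CA, a UI to hold and edit each message before release, history and repeat) is plumbing around these two hooks; the hooks are where a tester's judgement about what to change goes, and keeping them as plain functions is what makes that judgement reusable across targets.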