This section is a living article on current web application security testing tools, grouped by category:
Web scanners:
WebInspect: A powerful Web application scanner. SPI Dynamics’ WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.[1]
Acunetix Web Vulnerability Scanner: Commercial Web vulnerability scanner. Acunetix WVS automatically checks your web applications for vulnerabilities such as SQL injection, cross-site scripting, and weak password strength on authentication pages. Acunetix WVS boasts a comfortable GUI and an ability to create professional website security audit reports.[1]
Nikto: A more comprehensive web scanner. Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.[1]
Whisker/libwhisker: Rain.Forest.Puppy’s CGI vulnerability scanner and library. Libwhisker is a Perl module geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto, which also uses libwhisker.[1]
Wikto: Web server assessment tool. Wikto is a tool that checks for flaws in web servers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a back-end miner and close Google integration. Wikto is written for the MS .NET environment, and registration is required to download the binary and/or source code.[1]
N-Stealth: Web server scanner. N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of “30,000 vulnerabilities and exploits” and “Dozens of vulnerability checks are added every day” are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.[1]
ScanDo: The ScanDo Web application scanner allows the enterprise to conduct ongoing risk assessments to identify the vulnerability of Web applications to hostile attack. It identifies security weaknesses in the Web application environment and helps eliminate them before they are exploited by hackers and thieves. It scans Web application technologies, including Flash, JavaScript, ASP, XML and Web Services. ScanDo offers control of both automated and manual scanning as well as the ability to replay discovered vulnerabilities to conduct in-depth analysis.
It supports a database for all scanning results with Web reporting for centralized management, and it provides privacy through detection of Social Security and credit card numbers. ScanDo offers a three-stage process for application risk assessment. First, it explores the entire Web application environment and registers its structure and contents. Then it mimics actual hacking methods to identify and uncover the details of any point that is susceptible to attack. In the third stage, ScanDo outputs all scan results into reports that show how to eliminate vulnerabilities.[2]
VForce: VForce is a web application security scanner that simulates attacks for the purpose of testing and analysing a web application for security weaknesses. Like other tools it scans for buffer overruns, manipulation of HTTP requests, brute force vulnerabilities, etc.[2]
APACHE_USERS: Apache username enumerator, via /~username requests. This script uses a list of common system names like root, admin etc. You should manually check the issue to establish the HTTP return code (i.e. 403), as this is needed on the command line. No native SSL support.[7]
Manual security testing:
Paros proxy: A web application vulnerability assessment proxy. A Java-based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on the fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.[1]
WebScarab: A framework for analyzing applications that communicate using the HTTP and HTTPS protocols. In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.[1]
Burp Suite: An integrated platform for attacking web applications. Burp Suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.[1]
SPIKE Proxy: HTTP hacking. SPIKE Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the SPIKE Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.[1]
CAL9000: CAL9000 brings together a host of web application security testing tools into one convenient package. It is designed to be used in the Firefox browser. CAL9000 functionality may be limited when used with other browsers.[11]
httpedit: httpedit is a ‘low-level’ interface to HTTP. The application allows you to write a raw HTTP request, send it against a web server and review the response, all from within the same app.[11]
Decompilers:
Jad is a Java decompiler, i.e. a program that reads one or more Java class files and converts them into Java source files which can be compiled again.[3]
Jad can be used:
- for recovering lost source codes;
- for exploring the sources of Java runtime libraries;
- as a Java disassembler;
- as a Java source code cleaner and beautifier.
Web session analyzers:
Stompy is an advanced utility to test the quality of WWW session identifiers and other tokens that are meant to be unpredictable. It is fully automated, employs a remarkably advanced collection of tests, and probably scratches an important pen-testing itch.[4]
Web fuzzers:
PROTOS HTTP-reply – Another fuzzer from the PROTOS dudes for attacking HTTP responses, useful for browser vulns.[5]
Screaming Cobra – The name makes the fuzzer sound better than it really is, but it is good for finding CGI bugs. Also, it's a Perl script, so it is easy to modify or extend.[5]
Mangle – A fuzzer for generating odd HTML tags; it will also auto-launch a browser. Mangle found the infamous IFRAME IE bug.[5]
FUZZLED: Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions, namespaces and factories which allow a wide variety of fuzzing tools to be developed. Fuzzled comes with several example protocols and drivers for them. The most recent release includes:
* Support for a raft of additional protocols, including HTTPInject, NNTP, SMTP and IMAP.
* New and improved namespaces.
* Improvements to the pattern factory.
* Documentation on writing a fuzzer in Fuzzled.
* Numerous bugfixes and other minor improvements.[7]
Ajax Security:
Spajax is a security scanning tool from OWASP.[6]
XSS exploiting:
XSS Tunnel: XSS Tunnel is a proxy which allows you to route any HTTP traffic through a Cross-site Scripting (XSS) channel opened by XSS Shell. This release includes a new version of XSS Shell, XSS Tunnel and source code. Please refer to the white paper for details.[7]
XSSSHELL: XSS Shell is a powerful XSS backdoor. XSS Shell allows interactively getting control over a Cross-site Scripting (XSS) vulnerability in a web application. Demonstrates the real power and damage of Cross-site Scripting attacks.[7]
SSL enumeration:
ManySSL: Primarily a tool for Linux users to enumerate the SSL ciphers in use on any SSL-encrypted service, including mail servers that utilise STARTTLS. This tool has an option to identify only the weak ciphers (ciphers under 128 bits) so administrators can know which ciphers to remove from their service.[7]
SSLDigger v1.02, released 8/26/2004. Copyright 2004 (c) by Foundstone, Inc. SSLDigger v1.02 is a tool to assess the strength of SSL servers by testing the ciphers supported. Some of these ciphers are known to be insecure.[8]
Web Service scanner and testing:
WSDigger v1.0, released 7/12/2005. Copyright 2005 (c) by Foundstone, Inc. WSDigger is a free open source tool designed by Foundstone to automate black-box web services security testing (also known as penetration testing). WSDigger is more than a tool, it is a web services testing framework. Version one of this framework contains sample attack plug-ins for SQL injection, cross-site scripting and XPATH injection attacks. A web service vulnerable to XPATH injection is provided as an example with the tool. By releasing the framework as an open-source tool, users are encouraged to develop and share their own plug-ins. System requirements: Windows, .NET Framework.[9]
soapUI 1.6
I reviewed Version 1.6 of soapUI, a Java-based tool from Eviware. This version executes within its own stand-alone UI; the new 1.7 release includes plug-ins for the NetBeans, IntelliJ, and Eclipse IDEs.
The user interface conforms to the architecture of the typical IDE: a navigation pane on the left, a content pane on the right, and additional properties panes tucked near the bottom. If you’ve used an IDE like Visual Studio lately, you’ll find your way around soapUI instantly.
soapUI arranges work into projects. Each project is primarily identified by the interfaces that the project is built to test. Here, an interface is the “other end” of a URI (uniform resource identifier) pointing to a site that is exposing Web service methods. You can quickly generate a skeletal project by aiming an empty project at a Web service’s WSDL code; soapUI will accept WSDL from either a file or a Web service end point that transmits the WSDL for its services.
Projects are arranged hierarchically and contain one or more TestSuites, which contain one or more TestCases, which in turn contain one or more test steps. The actual work – sending requests, receiving responses, analyzing results, and altering test execution flow – happens at the test step level. TestCases gather and organize the steps needed to perform a specific operation on the target. TestSuites gather TestCases into larger aggregates that exercise a particular area of a Web service (such as the operations necessary to order a book). You can create new TestSuites, TestCases, and test steps by right-clicking on the parent node in the project’s tree and selecting New from the pop-up context menu.
TestMaker
TestMaker is a Web service testing application from PushToTest. It requires Java 1.4 (or later) to execute. Although I tested the other tools on Windows, I installed TestMaker 4.4 on Ubuntu Linux 6.10 to see what Web service testing on Linux was like. Installation was simple, and once I had specified a JAVA_HOME environment variable, TestMaker launched and ran with no problems.
TestMaker’s tests are embodied in scripts called “test agents.” The product lives up to its name by providing an Agent Wizard that will read a WSDL definition and automatically create a skeletal test agent.
I should point out that TestMaker is not limited to testing Web services; it can also be used to test Web applications. Bundled with TestMaker is a network monitoring tool that can watch HTTP traffic between your browser and a target Web application, and generate test cases from the interaction. However, I did not experiment with this capability, since it has limited value in association with Web services, which are usually driven by a client application.
WebInject
WebInject is a super-lightweight testing tool that can automate the testing of both Web services and Web applications. In fact, WebInject’s ability to test XML/SOAP Web services appears to be a recent addition to the tool, as earlier versions could not readily handle the SOAP protocol.
HTTP probers:
hoppy: Hoppy (*[H]ttp [O]ptions [P]rober In [PY]thon*) is an HTTP server method prober written in Python; it does exactly what it says on the tin. It tests HTTP methods for configuration issues that leak information, or simply to see which methods are enabled. The latest version is 1.5.1.[7]
httprint: httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or ServerMask.
THCSSLProxy: Small command-line SSL proxy for Windows, useful for pentesting SSL services like HTTPS, SMTPS, LDAPS, POP3S etc.[12]
Web spiders:
SiteDigger v2.0, released 1/06/2005. Copyright 2005 (c) by Foundstone, Inc. SiteDigger 2.0 searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.[10]
What’s New in SiteDigger 2.0
* 10 times more results! Now you can use FSDB / GHDB and generate 10 results per signature.
* Improved user interface, help file, signature update and results page.
* Decreased false positives.
* Latest signatures (open webcams, credit card numbers, etc).
* Ability to run raw searches.
Aura: A while back Google encouraged developers to make use of their API. Many people built applications around the API, but alas Google has stopped issuing API keys. This means that those applications (like Wikto, etc.) lost large portions of their functionality. SensePost AURA (Api Usable / Re-usable Again) will help to get those tools working again. Aura is a very simple web app that runs as an executable on your Windows machine and listens on 127.0.0.1:80.[11]
HTTrack: HTTrack is a free and easy-to-use offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.
Reference [1]: http://sectools.org/web-scanners.html
Reference [2]: http://www.windowsecurity.com/software/Web-Application-Security/
Reference [3]: http://www.kpdus.com/jad.html#general
Reference [4]: http://lcamtuf.coredump.cx/
Reference [5]: http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html
Reference [6]: http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/spajax/
Reference [7]: http://www.portcullis.co.uk/16.php
Reference [8]: http://www.foundstone.com/us/resources/proddesc/ssldigger.htm
Reference [9]: http://www.foundstone.com/us/resources/proddesc/wsdigger.htm
Reference [10]: http://www.foundstone.com/us/resources/proddesc/sitedigger.htm
Reference [11]: http://www.hacktoolrepository.com/category.pl?cid=8&categoryname=Web%20applications