Web Site Security Test Tools

Brakeman – Open source Ruby static code analysis tool that checks Ruby on Rails apps for security vulnerabilities. Plugin available for Jenkins/Hudson.

SecureAssist – Just-in-time secure coding guidance for developers through an IDE plug-in for Eclipse and Visual Studio. From Codiscope/Synopsys. Identifies security bugs as code is created, “pushes” expert guidance to the IDE and provides real-time feedback to developers, eliminating defects before they impact future development. Automatically detects risky code. Issues are itemized within the IDE and linked to the line of code where problems appear. For Java, PHP, and .NET.

Coverity – Static Analysis and Static Application Security Testing (SAST) platform from Synopsys; provides actionable remediation guidance. Provides full path coverage, ensuring that every line of code and every potential execution path is tested. View all outstanding security issues, OWASP Top 10 issues, CWE, and PCI related issues. Policy Manager enables defining/enforcing a consistent standard for code security and enables compliance visibility. Supports C/C++, Java, C#, JavaScript, Node.js, Objective-C, PHP, Python, ASP.NET, Ruby, and more. Supports over 100 compilers and many popular IDEs.

AppSpider – Web application security scanner from Rapid7. Analyzes site exposure risk, ranks threat priorities, produces highly graphical HTML reports, and indicates site security posture by vulnerabilities and threat exposure. Analyzes site structure, content and configuration to identify inherent exposure to future or emerging threats, produces a security posture rating and qualitative analysis of findings, with a complete catalog of all site resources and their attributes (e.g. forms, cookies, scripts, SQL strings and ODBC connectors, authentication, applets/objects, hidden fields, etc).

Burp Suite – An integrated web app security testing platform from PortSwigger Ltd, written in Java. Its various tools work together to support the entire testing process, from initial mapping and analysis of an app’s attack surface, through to finding vulnerabilities. Can combine advanced manual techniques with state-of-the-art automation, to enable faster and more effective security testing. Key components include: an intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application; an application-aware Spider, for crawling content and functionality; an advanced web application Scanner, for automating the detection of numerous types of vulnerability; an Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities; and more. Extensible, allowing writing of custom plugins. Free and paid Pro versions.

Vega – A GUI-based, multi-platform, free and open source web security scanner from Subgraph Inc. that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web apps. Also includes an intercepting proxy for interactive web application debugging. Written in Java; runs on Linux, OSX, and Win. Vega attack modules are written in JavaScript, so users can easily modify them or write their own.

SiteDigger – Free tool from McAfee that searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites. Includes selectable signatures, selectable domain/sub-domain, and the ability to save signature selection and result set. Requires MS .NET Framework.

MileScan ParosPro – Web security auditing platform from Milescan Technologies. Capabilities include a network spider to collect information about a site’s hierarchy; vulnerability scanning based on plug-ins written to target common web vulnerabilities, including many popular Content Management Systems vulnerabilities; simulates hacker attacks; scan scheduling; more.

Aribisec Web Analyzer – Web based online tool scans for potentially malicious links, analyzes HTML code, and checks server information and various parameters, without exposing the user to malicious content and without revealing your own web session. Can provide a quick and detailed overview of the security state of a web project. Free and paid versions.

Golem – Online web site security scanning service; available as one-time scan or periodic scanning service. Reports include how to replicate the issue and remediation suggestions. From Golem Technologies.

Skipfish – Open source active web application security scanner from Michal Zalewski/Google. Prepares interactive sitemap by carrying out a recursive crawl and dictionary-based probes. The map is then annotated with the security check output. The final output report is meant to serve as a foundation for professional web application security assessments. Goals for the tool are stated as: Raw speed; Unique brute-force capabilities: includes utilization of highly customized, hand-picked dictionaries, and a unique auto-learning feature that builds an adaptive, target-specific dictionary based on site content analysis; High quality security checks with an emphasis on well-crafted probes, and on testing for behavioral patterns, rather than signatures; Coverage of more nuanced problems – looks for significant security issues often neglected by other tools – such as caching intent mismatches, mixed content issues, XSSI, third-party scripts, cross-site request forgery, etc; Adaptive scanning for real-world applications – handles complex, mixed technology sites such as recognizing obscure 404 behaviors, unusual parameter passing conventions, redirection patterns, content duplication, etc; Sleek reports with minimal noise.

Seeker – Web security testing app from Quotium Technologies. Runs automatic and adaptive processes to accurately and quickly detect vulnerabilities. Pinpoints and reveals the most at-risk areas of source code and suggests code corrections for immediate implementation. Supports complex web development environments such as AJAX, Adobe Flex & Air, RIA, .Net, J2EE, Webservices, secure exchanges (HTTPS), etc.

WebSecurify – Open source integrated web security testing environment from GNUCITIZEN Information Security Think Tank, for identifying web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. Designed to perform automated as well as manual vulnerability tests. Automatically detected vulnerabilities include: SQL Injection, local and remote file include, cross-site scripting, cross-site request forgery, information disclosure problems, session security problems, and others including all categories in the OWASP TOP 10. Platform components can be extended with the help of add-ons and plugins, so task and business specific customizations can be introduced without cross-platform, deployment, internationalization and future support issues.

Samurai Web Testing Framework – Open source web pen testing framework from Inguardians Inc. that includes a live Linux environment pre-configured to function as a web pen-testing environment. Includes a variety of open source and free web pen testing tools: reconnaissance, mapping, discovery, and exploitation tools, and a pre-configured wiki set up to be the central information store during pen testing.

Tarantula – Open source tool from Relevance Inc. that crawls your Rails application, fuzzing data to see what breaks.

RATS – The Rough Auditing Tool for Security is an open source code security analysis tool developed by Secure Software, which was acquired by Fortify Software/HP. Scans C, C++, Perl, PHP and Python source code and flags common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. Provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, its potential severity, and potential remedies. Also performs some basic analysis to try to rule out conditions that are obviously not problems. As the name implies, it provides a rough analysis of source code, and will not find all errors, and will find things that are not errors; can be used as an aid to manual code inspection. Not updated since 2009.

beSTORM – Software security analysis fuzzing tool from Beyond Security; can be used for securing in-house software applications and devices, as well as testing the applications and devices of external vendors. Tries virtually every attack combination, intelligently starting with the most likely scenarios and detects application anomalies which indicate a successful attack. Also available is hosted service WSSA – Website and Web Server Security Auditing. Provides a complete report with the facts and recommendations needed to take corrective action. 15-day free trial.

Zed Attack Proxy (ZAP) – An easy to use free open-source integrated penetration testing tool for finding vulnerabilities in web applications; a fork of the well-regarded Paros Proxy. Designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester’s toolbox. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. Includes Intercepting Proxy, Automated scanner, Passive scanner, Brute Force scanner, Spider, Port Scanner, and comprehensive help pages; cross platform, requires Java 1.6.

Powerfuzzer – Open source automated customizable Web fuzzer; based on many other Open Source fuzzers available and information gathered from numerous security resources and websites. Capable of spidering a website and identifying inputs. Capable of identifying common web vulnerabilities (incl. XSS, SQL Injection). Supports HTTPS. Written in Python. Project leader is Marcin Kozlowski. Commercial version Powerfuzzer Online available as an online service.

Wapiti – Open source vulnerability scanner for web applications. It checks vulnerabilities like XSS, SQL and XPath injections, file inclusions, command execution, LDAP injections, CRLF injections. Uses Python; no SSL support.

nCircle Certified PCI Scan Service – External scan service from nCircle for all PCI Data Security Standard-relevant conditions. Upon completion of the scan, merchants have access to an auto-generated PCI Security Standards Council certified report. The scan report clearly indicates whether the merchant’s payment network is secure, in which case the merchant may download the report and submit it to the acquiring bank.

SecPoint Penetrator – Site/network security testing tool from SecPoint ApS, available as penetration testing appliance or as a web-based service. Provides full vulnerability scanning and pen testing. Finds vulnerabilities in Firewalls, Websites, Joomla, WordPress, Drupal, Magento, Shopify, Umbraco, Mail servers, Database servers and more. The Cloud Security Scanner finds vulnerabilities on websites: scans for SQL Injection (SQLi), Cross Site Scripting (XSS), LFI, RFI and CSRF. Reports in PDF, XML, HTML formats with recommended solutions.

Netsparker – Web application security scanner from Mavituna Security with integrated exploitation features to allow users to exploit the identified vulnerabilities and see the real impact of the problem. Via desktop or online service. Capabilities include: false-positive-free results; handling of websites that rely on AJAX and JavaScript; confirms vulnerabilities by exploiting them in a safe non-destructive manner; specific impact and remediation information is tailored based on details of the issue. For Windows.

Kyplex Cloud Security Scanner – Cloud-based web site security scanning service – no installation or network modifications required. Capabilities include cross site scripting attacks (XSS), detects hidden directories and backup files, looks for known security vulnerabilities, searches for SQL Injection vulnerabilities, more. Finds complex security breaches and web server configuration errors, as well as zero-day vulnerabilities. From Kyplex Ltd.

HP Fortify – Security product suite from HP (formerly Fortify Software) includes vulnerability detection. Integrates static source code analysis, dynamic runtime analysis, and real-time monitoring to identify and accurately prioritize the greatest number of critical security vulnerabilities. Capabilities include the Program Trace Analyzer (PTA) that finds vulnerabilities that become apparent only while an application is running – integrate into a QA test to find vulnerabilities while a functional test is being conducted on an application.

OWASP Security Testing Tools – Variety of free and open source web security testing tools via the OWASP (Open Web Application Security Project) site. SQLiX is an SQL injection vulnerability test tool that uses multiple techniques – conditional errors injection; blind injection based on integers, strings or statements, MS-SQL verbose error messages (« taggy » method); can identify database version and gather info for MS-Access, MS-SQL, MySQL, Oracle and PostgreSQL. Other security testing tools available include WSFuzzer, WebScarab, Tiger, LAPSE, Pantera, etc.

Retina Web Security Scanner – Dynamic application security testing (DAST) solution from BeyondTrust Inc. for site crawling, detecting & remediating vulnerabilities for web and mobile apps. Includes client-side JavaScript testing & pre-attack analysis. Capabilities include auto-population of forms, exportable XML-based reporting. Handles reporting requirements for PCI, FISMA, OWASP, SOX, HIPAA, GLBA, and more.

Trustwave AppScanner – Automated security testing tool for web applications, web services and cloud and mobile apps, from Trustwave Holdings Inc. Available as a cloud-based on-demand service or installed on-premises app. Uses a library of “SmartAttacks,” which are automatically updated weekly. Centralized dashboard instantly displays application risk scores and tracks trends over time, and provides threat prioritizations.

GamaSec – Automated online website vulnerability assessment delivers proactive tests to Web Servers, Web-interfaced Systems, and Web-based Applications. Configurable scan intervals/frequency. Supports a wide variety of HTTP Authentication schemes (common HTTP protocol, BASIC, NTLM) with the ability to analyze the broadest range of web technologies: PHP, ASP.NET, ASP, etc.

Wikto – Web server security assessment tool for Windows servers, open source, from SensePost. Its three main sections are its Back-End miner, Nikto-like functionality, and Googler to obtain additional directories for use by the other two. Includes ability to export results to a CSV file.

Nikto Scanner – Open source web server scanner from CIRT.net which performs comprehensive tests against web servers for multiple items, including over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated.

HP WebInspect – WebInspect automated security assessment tool for web applications and services, from HP (formerly SPI Dynamics). Identifies known and unknown vulnerabilities, includes checks that validate proper web server configuration. Capabilities include discovery of all XML input parameters and parameter manipulation on each XML field looking for vulnerabilities within the service itself. Requires Windows and MSIE.

IBM Security AppScan – Tool suite from Rational/IBM (formerly Watchfire) automates web and mobile application security testing, produces defect analyses, and offers recommendations for fixing detected security flaws. Assessment module can be used by auditors and compliance officers to conduct comprehensive audits, and to validate compliance with security requirements. Includes static code analysis capabilities, with support for JavaScript, HTML5, Cordova, Java and Objective-C.

Defensics Core Internet Test Suite – Security testing tool from Codenomicon Inc. that searches for and preemptively eliminates security-related flaws in the implementations that create the backbone of the modern Internet and communication between networked devices. This includes, but is not limited to, routers, switches, firewalls, desktop and server systems, laptops, PDAs, cell phones and other mobile systems, as well as a large number of various embedded systems. Because several protocols from this category are often tightly coupled with the underlying operating system, serious flaws in handling them may easily result in total system compromises.

SecurityMetrics Vulnerability Scan – Service from SecurityMetrics that analyzes external network devices like servers, websites, firewalls, routers, and more for security vulnerabilities which may lead to interrupted service, data theft or system destruction. Includes instructions to help immediately remedy security problems.

Core Impact Pro – Security testing tool from Core Security Technologies for web apps and other systems. Testing capabilities across network, web, mobile, and wireless. Uses penetration testing techniques to safely identify exposures to critical, emerging threats and trace complex attack paths.

Snort – Open source network intrusion prevention and detection system from Cisco; capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Nessus – Vulnerability scanner from Tenable Network Security with high speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks. Free for home users; annual fee for Professional license. Updated continuously. Includes scripting language for writing custom plugins.

Security Center – Security management tool from Tenable Network Security for asset discovery, vulnerability detection, event management and compliance reporting for small and large enterprises. Includes management of vulnerability, compliance, intrusion and log data. Company also provides the Nessus Vulnerability Scanner, and Passive Vulnerability Scanner.

SARA – ‘Security Auditor’s Research Assistant’ Unix-based security analysis tool from Advanced Research Corp. Supports the FBI/SANS Top 20 Consensus; remote self scan and API facilities; plug-in facility for third party apps; SANS/ISTS certified, updated bi-monthly; CVE standards support; based on the SATAN model. Freeware. Also available is ‘Tiger Analytical Research Assistant’ (TARA), an upgrade to the TAMU ‘tiger’ program – a set of scripts that scan a Unix system for security problems.

Qualys Free Security Scans – Several free security scan services from Qualys, Inc. including SANS/FBI Top 20 Vulnerabilities Scan, network security scan, and browser checkup tool.

GFI LanGuard – Network vulnerability and port scanner, patch management and network auditing tool from GFI Software. Scans using vulnerability check databases based on OVAL and SANS Top 20, providing thousands of vulnerability assessments.

Qualys Guard – Online service that does remote network security assessments; provides proactive ‘Managed Vulnerability Assessment’, inside and outside the firewall.

SAINT – Security Administrator’s Integrated Network Tool – Security testing tool from SAINT Corporation. An updated and enhanced version of the SATAN network security testing tool. Updated regularly; CVE compatible. Includes DoS testing, reports specify severity levels of problems. Single machine or full network scans. Also available is ‘WebSAINT’ self-guided scanning service, and SAINTbox scanner appliance. Runs on many UNIX flavors.

NMap Network Mapper – Free open source utility for network exploration or security auditing; designed to rapidly scan large networks or single hosts. Uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and many other characteristics. Runs on most flavors of UNIX, OSX, Win.

Foundstone – Vulnerability management software tools from McAfee/Network Associates can provide comprehensive enterprise vulnerability assessments, remediation information, etc. Available as a hardware appliance, software product, or managed service.

OWASP Security Testing Tools Listing – Listing of commercial, free, and open source security testing tools, source code analyzers, and binary analysis tools via the OWASP (Open Web Application Security Project) site.

Top 125 Security Tools – Listing of ‘top 125’ network security tools from survey by Gordon Lyon/Insecure.org/Sectools.org. (Includes various types of security tools, not just for testing.)