Free Web application security testing tools you need to get to know


Kevin Beaver, CISSP
05.21.2007



I've always touted the fact that you need good tools to get good security testing results. By and large, I've found that commercial products tend to provide better results than their freeware and open source counterparts. This seems to be especially important when testing Web applications.

That said, I know budget constraints and time-to-test are often a factor. This is where a handful of free and open source Web application security test tools prove to be useful. The following are tools that should be in your toolkit -- or at least on your radar -- especially if you're not able to justify forking out the money required by commercial alternatives. It may be a little more time-consuming and painful, but in the end you're still going to get good results.

I almost always get my Web application assessments started with a Web site mirroring tool. Mirroring pulls down every linked page and file so you can search the local copy for material that shouldn't be publicly accessible: backup and editor leftovers, configuration files, archives, version-control directories and the like. I've found the HTTrack Website Copier as shown in Figure 1 to be fast and reliable. Keep in mind that a mirror only captures what is linked from somewhere; files that aren't linked have to be found by guessing names, which is what Nikto and Wikto (below) do.

Figure 1: HTTrack Website Copier mirroring tool
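The triage step that follows the mirror, as an added example rather than anything from the article or from HTTrack: once the site is on disk, walk the copy and flag the paths that match the usual "shouldn't be public" patterns. The directory listing is constructed for the example, and the pattern table is an assumption about what is normally worth a second look, not an exhaustive list.

```python
"""Triage a mirrored site copy for files that should not be public.

Added example (not from the original article or HTTrack): after a mirror
has been pulled down to disk, walk the local copy and flag paths matching
common 'sensitive leftover' patterns. The file list below is constructed
for the example; the pattern table is an assumption, extend it for the
application under test.
"""
import os
import re
import tempfile

# Category -> regex tested against the path relative to the mirror root.
SENSITIVE_PATTERNS = {
    "backup/editor leftover": re.compile(r"\.(bak|old|orig|swp|tmp)$|~$", re.I),
    "source/config": re.compile(
        r"(^|/)(web\.config|\.htaccess|\.htpasswd|config\.(php|inc|xml)|\.env)$", re.I),
    "version control": re.compile(r"(^|/)\.(svn|git|cvs)(/|$)", re.I),
    "archive/dump": re.compile(r"\.(zip|tar|tgz|gz|sql|mdb)$", re.I),
    "log/debug": re.compile(r"\.(log|trace)$|(^|/)phpinfo\.php$", re.I),
}


def triage_paths(rel_paths):
    """Return {category: [paths]} for the relative paths that look sensitive."""
    findings = {}
    for p in rel_paths:
        p = p.replace(os.sep, "/")
        for category, rx in SENSITIVE_PATTERNS.items():
            if rx.search(p):
                findings.setdefault(category, []).append(p)
                break  # first matching category is enough for triage
    return findings


def triage_mirror(root):
    """Walk a mirror directory (as HTTrack leaves it) and triage every file."""
    rel = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel.append(os.path.relpath(os.path.join(dirpath, f), root))
    return triage_paths(sorted(rel))


# Constructed sample: file names a mirror of a small site might contain.
SAMPLE_FILES = [
    "index.html",
    "login.php",
    "login.php.bak",
    "includes/config.php.old",
    "admin/.htpasswd",
    "images/logo.png",
    ".svn/entries",
    "backup/site-2007-05.zip",
    "debug/phpinfo.php",
    "css/main.css",
]


def build_sample_mirror():
    """Write the constructed sample tree to a temp directory; returns its root."""
    root = tempfile.mkdtemp(prefix="mirror-")
    for rel in SAMPLE_FILES:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for category, paths in triage_mirror(build_sample_mirror()).items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

Anything the triage flags is then requested directly from the live server to confirm it really is served (a mirror can contain files the crawler reached through a link that has since been removed).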

A complementary tool that digs into the Google cache for sensitive information that's publicly accessible on your site, or at least was at some point in time, is Foundstone's SiteDigger. If you prefer UNIX tools, the BackTrack Live CD (see more below) has a good collection of Google-related tools: Goog Mail Enum, Google-Search, Googrape and Gooscan. All of those are very beneficial in maximizing your Google hacking capabilities.

As you get rolling into your testing and want to dig deeper into your Web servers and applications, httprint is useful for determining Web server version information; it fingerprints the server's behaviour rather than trusting the Server header, which administrators often change. Likewise for the Netcraft "What's that site running?" site. If you want to root out more, Wikto (shown in Figure 2) and Nikto are good tools for uncovering known vulnerable scripts, misconfigurations and leftover files that'd be difficult to track down otherwise.

Figure 2: SensePost's Wikto Web vulnerability scanner

Web application authentication hacking may or may not be on your to-do list, but if it is, the best free tool I've found is Brutus as shown in Figure 3.

Figure 3: Brutus Web application password cracker

Brutus performs dictionary password cracking, as many others do. However, it's the only free tool that I'm aware of that also performs brute force password cracking, which tries every combination over a character set rather than only the words in a list. This can be very handy, as I've found that dictionary cracking only finds passwords that happen to be in the list. Either mode sends one login attempt per guess, so run it only with authorization, agree on a test account, and expect account lockouts and noisy logs.
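The difference between the two modes, as an added example that is not code from the article or from Brutus: a local stand-in for the login check lets the two candidate generators run offline against a human-chosen password and a short random one. Charset, word list, mangling rules and the attempt cap are assumptions chosen for the example.

```python
"""Dictionary versus brute-force password guessing.

Added example, not code from the article or from Brutus. A local stand-in
for the login form keeps it offline; charset, word list, mangling rules
and the attempt cap are assumptions for the example.
"""
import itertools
import string

CHARSET = string.ascii_lowercase + string.digits  # 36 symbols (assumed)

# Constructed base word list standing in for a dictionary file.
WORDLIST = ["password", "summer", "welcome", "admin", "letmein"]


def mangle(word):
    """Rule-based variants of a base word (assumed rules: case, suffixes)."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2007", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_candidates(words=WORDLIST):
    """Dictionary mode: only words from the list and their variants."""
    for w in words:
        yield from mangle(w)


def brute_force_candidates(charset=CHARSET, max_len=4):
    """Brute-force mode: every string over charset up to max_len, shortest first."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def keyspace(charset_size, max_len):
    """Number of candidates brute force must try in the worst case."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def run_attack(candidates, check, max_attempts):
    """Feed candidates to check() until it accepts or the cap is hit.

    Returns (password_or_None, attempts). The cap matters against a live
    application: every attempt is a login request that can trip lockout.
    """
    attempts = 0
    for cand in candidates:
        if attempts >= max_attempts:
            break
        attempts += 1
        if check(cand):
            return cand, attempts
    return None, attempts


def make_checker(secret):
    """Local stand-in for the application's login form (constructed)."""
    return lambda guess: guess == secret


if __name__ == "__main__":
    # Human-chosen password: dictionary plus mangling finds it in a few
    # guesses; brute force over 36 symbols can't even spell it (uppercase).
    chk = make_checker("Summer2007")
    print("dictionary :", run_attack(dictionary_candidates(), chk, 10_000))
    print("brute force:", run_attack(brute_force_candidates(), chk, 10_000))
    # Short random password: no word list contains it, but 36^4 is small
    # enough to search exhaustively.
    chk = make_checker("x7q2")
    print("dictionary :", run_attack(dictionary_candidates(), chk, 10_000))
    print("keyspace   :", keyspace(len(CHARSET), 4))
    print("brute force:", run_attack(brute_force_candidates(), chk, keyspace(36, 4)))
```

The keyspace figure is the number to look at before choosing brute force: with a 36-symbol set it is about 1.7 million candidates at four characters and grows by a factor of 36 for every extra character, and each candidate is a request the target has to serve.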

Once you get into the manual assessment phase of your testing, the tried and true Paros Proxy comes in handy for intercepting and manipulating HTTP requests and responses between the browser and the server (Paros has since been succeeded by OWASP ZAP, which grew out of it). There's also THCSSLCheck, which determines which SSL/TLS ciphers a Web server supports so you can spot weak suites, as well as Absinthe, a GUI-based automated blind SQL injection tool. Another one I really like is the Web Developer extension for the Firefox browser as shown in Figure 4.

Figure 4: The Firefox Web Developer extension

The Web Developer extension contains tools that you'll likely need to use every time you're testing a Web application, including the following:

  • Cookie manipulation
  • Form manipulation
  • Java and JavaScript parsing
  • Source code viewing
  • Code validator
  • Hidden field viewer

These Firefox extension tools provide a great way to poke and prod an application all within one interface.
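What the proxy and the browser extension let you do by hand, as an added example that is not code from the article, from Paros or from the Web Developer extension: list the hidden fields of a form the way the hidden-field viewer does, then take the intercepted request, change a cookie and a hidden field, and re-serialize it with a corrected Content-Length the way you would in the proxy before forwarding it. The request bytes and form HTML are constructed for the example; the field and cookie names are assumptions.

```python
"""Tamper with an intercepted HTTP request as you would in a proxy.

Added example (not from the article, Paros or the Web Developer extension).
The request and the form below are constructed; field names are assumed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed request as a proxy would intercept it from the browser.
RAW_REQUEST = (
    b"POST /cart/checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123; role=user\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"item=42&qty=1&price=1999&token=hidden"
)

# Constructed form that produced the request above.
SAMPLE_FORM = (
    '<form method="post" action="/cart/checkout">'
    '<input type="hidden" name="price" value="1999">'
    '<input type="hidden" name="token" value="hidden">'
    '<input type="text" name="qty" value="1"></form>'
)


class HiddenFieldFinder(HTMLParser):
    """Collect (name, value) of every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields.append((a.get("name"), a.get("value")))


def find_hidden_fields(html):
    finder = HiddenFieldFinder()
    finder.feed(html)
    return finder.fields


def parse_request(raw):
    """Split a raw request into request line, ordered headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def get_header(req, name):
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def set_header(req, name, value):
    for i, (n, _) in enumerate(req["headers"]):
        if n.lower() == name.lower():
            req["headers"][i] = (n, value)
            return
    req["headers"].append((name, value))


def set_cookie(req, key, value):
    """Rewrite one cookie in the Cookie header, keeping the others."""
    jar = {}
    for part in (get_header(req, "Cookie") or "").split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            jar[k] = v
    jar[key] = value
    set_header(req, "Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))


def set_form_field(req, key, value):
    """Rewrite one urlencoded body field and fix Content-Length to match."""
    fields = dict(parse_qsl(req["body"].decode(), keep_blank_values=True))
    fields[key] = value
    req["body"] = urlencode(fields).encode()
    set_header(req, "Content-Length", str(len(req["body"])))


def serialize(req):
    head = f'{req["method"]} {req["target"]} {req["version"]}\r\n'
    head += "".join(f"{n}: {v}\r\n" for n, v in req["headers"])
    return head.encode("iso-8859-1") + b"\r\n" + req["body"]


def tamper(raw):
    """The edits a tester would make by hand: privilege cookie and price."""
    req = parse_request(raw)
    set_cookie(req, "role", "admin")
    set_form_field(req, "price", "1")
    return serialize(req)


if __name__ == "__main__":
    print("hidden fields:", find_hidden_fields(SAMPLE_FORM))
    print(tamper(RAW_REQUEST).decode("iso-8859-1"))
```

The Content-Length fix is the detail that matters: a hand-edited body with a stale length is silently truncated or hangs the connection, and the resulting "the app ignored my change" is one of the most common false negatives in manual testing. Whether the server then honours the client-supplied price or role is exactly the finding you are looking for.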

Finally, many of the Web application security testing tools that I've outlined here are available via the latest version of BackTrack as shown in Figure 5.

Figure 5: BackTrack Live CD's numerous Web application tools

The thing I love about BackTrack is that you can tap into the power of a large portion of the Linux/UNIX-based tools without installing Linux or UNIX first, since it boots and runs from the CD. Of all the tools in your toolbox, the BackTrack suite should be top priority. (BackTrack has since been succeeded by Kali Linux, which carries the same idea forward.)

Regardless of whether or not you have to pay for a security testing tool, the overall goal is to have the right tool for the job. These tools do just that. They're specific enough to find the vulnerabilities at the right time without having to spend a dime. Check them out -- you won't regret it.

-----------------------------------------
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around IT compliance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels series of audiobooks. Kevin can be reached at kbeaver@principlelogic.com.

