Free Web application security testing tools you need to get to know


Kevin Beaver, CISSP
05.21.2007


I've always touted the fact that you need good tools to get good security testing results. By and large, I've found that commercial products tend to provide better results than their freeware and open source counterparts. This seems to be especially important when testing Web applications.

That said, I know budget constraints and time-to-test are often a factor. This is where a handful of free and open source Web application security test tools prove to be useful. The following are tools that should be in your toolkit -- or at least on your radar -- especially if you're not able to justify forking out the money required by commercial alternatives. It may be a little more time-consuming and painful, but in the end you're still going to get good results.

I almost always get my Web application assessments started with a Web site mirroring tool. This type of tool allows you to quickly root out sensitive files on your site that shouldn't be publicly accessible. I've found the HTTrack Website Copier as shown in Figure 1 to be fast and reliable.


Figure 1: HTTrack Website Copier mirroring tool
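Once a mirroring tool such as HTTrack has pulled a copy of your site to disk, the real work is going through that copy for material that should never have been reachable. The following script is an added example, not part of the original article or of HTTrack itself: it walks a local mirror directory and flags files by name (backups, database dumps, archives, configuration files, version-control metadata, diagnostic scripts) and, for everything else, peeks inside small text files for a private-key header or a plaintext credential. The sample mirror it builds in a temporary directory is constructed for the demonstration; the name and content patterns are a starting set, not an exhaustive one.

```python
import os
import re
import tempfile

# Name patterns that usually indicate files which should not be served
# publicly: backups, editor leftovers, database dumps, config files, VCS data.
# This list is an assumption for the example; extend it for your own stack.
SENSITIVE_NAME_PATTERNS = [
    (re.compile(r"\.(bak|old|orig|swp|tmp)$", re.I), "backup/editor leftover"),
    (re.compile(r"\.(sql|dump|mdb)$", re.I), "database dump"),
    (re.compile(r"\.(zip|tar|tgz|gz|7z|rar)$", re.I), "archive"),
    (re.compile(r"(^|/)(web\.config|\.htaccess|\.htpasswd|\.env|config\.php)$", re.I),
     "configuration file"),
    (re.compile(r"(^|/)\.(git|svn|hg)(/|$)", re.I), "version-control metadata"),
    (re.compile(r"(^|/)(phpinfo|test|debug)\.php$", re.I), "diagnostic script"),
]

# Content markers worth flagging in otherwise harmless-looking files.
SENSITIVE_CONTENT_PATTERNS = [
    (re.compile(r"-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----"), "embedded private key"),
    (re.compile(r"(?i)password\s*[=:]\s*\S+"), "plaintext credential"),
]


def find_sensitive_files(root, max_bytes=256 * 1024):
    """Walk a local mirror and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for pattern, reason in SENSITIVE_NAME_PATTERNS:
                if pattern.search(rel):
                    findings.append((rel, reason))
                    break
            else:
                # No name match: read at most max_bytes and look for content markers.
                try:
                    with open(full, "rb") as fh:
                        data = fh.read(max_bytes).decode("utf-8", "replace")
                except OSError:
                    continue
                for pattern, reason in SENSITIVE_CONTENT_PATTERNS:
                    if pattern.search(data):
                        findings.append((rel, reason))
                        break
    return sorted(findings)


def build_sample_mirror(root):
    """Create a constructed mirror layout for the demo (not real site data)."""
    files = {
        "index.html": "<html><body>Hello</body></html>",
        "about.html": "<html><body>About us</body></html>",
        "db/backup.sql": "INSERT INTO users VALUES (1, 'admin');",
        "config.php.bak": "<?php $db_pass = 'example'; ?>",
        ".git/config": "[core]\n\trepositoryformatversion = 0\n",
        "notes.txt": "db password = example-only\n",
        "js/app.js": "console.log('hi');",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_sample_mirror():
    """Build the constructed mirror in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_mirror(tmp)
        return find_sensitive_files(tmp)


if __name__ == "__main__":
    # Point find_sensitive_files() at a real HTTrack output directory instead
    # of the constructed sample to review your own mirror.
    for rel, reason in scan_sample_mirror():
        print(f"{reason:28s} {rel}")
```

A name match wins over a content match (the `for ... else` only reads the file when no name pattern fired), so a backup of a PHP file is reported once, as a backup, rather than twice. Anything the script flags is something to remove from the document root or block at the web server, then re-mirror to confirm it is gone.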

A complementary tool that digs into the Google cache searching for sensitive information that's publicly accessible on your site -- or at least has been at some point in time -- is Foundstone's SiteDigger. If you prefer UNIX tools, the BackTrack Live CD (see more below) has a good collection of Google-related tools: Goog Mail Enum, Google-Search, Googrape and Gooscan. All of those are very beneficial in maximizing your Google hacking capabilities.

As you get rolling into your testing and want to dig deeper into your Web servers and applications, httprint is useful for determining Web server version information. Likewise for the Netcraft "What's that site running?" site. If you want to root out more, Wikto (shown in Figure 2) and Nikto are good tools to uncover weaknesses that'd be difficult to track down otherwise.



Figure 2: SensePost's Wikto Web vulnerability scanner

Web application authentication hacking may or may not be on your to-do list, but if it is, the best free tool I've found is Brutus as shown in Figure 3.


Figure 3: Brutus Web application password cracker

Brutus performs dictionary password cracking, as many other tools do. However, it's the only free tool that I'm aware of that also performs brute force password cracking. This can be very handy, as I've found that dictionary cracking is often of limited use.
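Whether the attempts come from a dictionary or a full brute force run, what the server sees is the same thing: a burst of failed login POSTs from one source. The script below is an added example (not from the article or from Brutus) of the detection logic a defender would run over web server access logs to catch that burst: it parses combined-format lines, keeps a sliding window of failed login attempts per source address, and raises one alert per address once the count in the window reaches a threshold. The log lines, addresses, login path and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one address hammering /login, one legitimate user who
# mistypes twice then succeeds (302), and one slow trickle that never exceeds
# the window. The last line is unrelated traffic that must be ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2007:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/4.0"
10.0.0.5 - - [21/May/2007:10:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/4.0"
10.0.0.5 - - [21/May/2007:10:00:07 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/4.0"
192.0.2.10 - - [21/May/2007:10:00:08 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.5 - - [21/May/2007:10:00:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/4.0"
192.0.2.10 - - [21/May/2007:10:00:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [21/May/2007:10:00:13 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/4.0"
10.0.0.5 - - [21/May/2007:10:00:16 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/4.0"
198.51.100.7 - - [21/May/2007:10:05:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.0"
198.51.100.7 - - [21/May/2007:10:06:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.0"
198.51.100.7 - - [21/May/2007:10:08:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.0"
10.0.0.5 - - [21/May/2007:10:08:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return a dict of ip, ts, method, path, status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_login_bursts(lines, login_path="/login", threshold=5,
                        window_seconds=60, failure_statuses=(401, 403)):
    """Return [(ip, failures_in_window, iso_timestamp)] for each source whose
    failed POSTs to login_path reach threshold inside any window_seconds span.
    One alert per source; later attempts from an alerted source are not re-reported."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] not in failure_statuses:
            continue
        q = failures[rec["ip"]]
        q.append(rec["ts"])
        # Drop attempts that have aged out of the sliding window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append((rec["ip"], len(q), rec["ts"].isoformat()))
    return alerts


def detect_sample():
    """Run the detector over the constructed sample log."""
    return detect_login_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, count, when in detect_sample():
        print(f"ALERT {ip}: {count} failed logins within window at {when}")
```

The sliding window is what separates a password-guessing run from an ordinary user who forgets a password: the legitimate user in the sample fails twice and succeeds, and the slow trickle from the third address never has five failures inside sixty seconds, so only the first address is reported. Which status code your application returns on a failed login (401, 403, or a 200 with an error page) decides what goes in `failure_statuses`, so check that against a real failed attempt before trusting the rule.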

Once you get into the manual assessment phase of your testing, the tried and true Paros Proxy comes in handy for manipulating HTTP traffic en route. There's also THCSSLProxy, a command-line proxy for testing SSL services. A few other niche tools that are really neat are THCSSLCheck, which determines supported ciphers on Web servers, as well as Absinthe, which is a GUI-based automated SQL injector. Another one I really like is the Web Developer extension for the Firefox browser as shown in Figure 4.


Figure 4: The Firefox Web Developer extension

The Web Developer extension contains tools that you'll likely need to use every time you're testing a Web application, including the following:

These Firefox extension tools provide a great way to poke and prod an application all within one interface.

Finally, many of the Web application security testing tools that I've outlined here are available via the latest version of BackTrack as shown in Figure 5.


Figure 5: BackTrack Live CD's numerous Web application tools

The thing I love about BackTrack is that you can tap into the power of a large portion of the Linux/UNIX-based tools without the hassle of getting Linux or UNIX up and running. Of all the tools in your toolbox, the BackTrack suite should be top priority.

Regardless of whether or not you have to pay for a security testing tool, the overall goal is to have the right tool for the job. These tools do just that. They're specific enough to find the vulnerabilities at the right time without having to spend a dime. Check them out -- you won't regret it.

-----------------------------------------
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around IT compliance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels series of audiobooks. Kevin can be reached at kbeaver@principlelogic.com.

