When handling sensitive user data, it is important to test the security of your Web application before deploying it to the production environment. There are many tools that can help you speed up this process. In this article, we will mention the most widely used ones.
Open Source vs. Commercial Tools
As with any other type of software, there are both open source and commercial Web security testing tools. They are very similar regarding the features they support. However, larger companies are more inclined towards the commercial solutions, due to ease-of-use, thoroughness of documentation, as well as concerns regarding the latest security patches, future maintenance and legal coverage.
General testing tools are all-in-one solutions that can test all types of vulnerabilities, including, but not limited to, Web application vulnerabilities. They usually also include compliance testing for different standards, such as PCI DSS or ISO standard.
It should be noted that the level of automation among these tools varies greatly. Some of these applications, such as OWASP WebScarab, are developed as a support to manual testing and require a lot of manual configuration, while the others, such as w3af, work as automatic vulnerability scanners and require less interaction with the user.
A wide variety of general testing software is available on the market. Some of the most popular ones include OWASP WebScarab, OWASP ZAP, w3af, Acunetix and IBM AppScan.
Testing for Specific Vulnerabilities
Some of the tools are specialized for testing only one vulnerability (or a group of vulnerabilities).
A brute-force attack is a type of vulnerability that can be exploited by repeatedly trying to guess the correct password. Although the changes for successfully cracking a strong password are close to zero (e.g. it would take billions of years to successfully crack a 15-character password), it is a good idea to conduct the test to see whether a strong password policy has been properly enforced, whether the system is able to detect the attack and whether a brute-force attack could cause a denial-of-service for certain users.
The tools for testing brute-force password cracking will basically simulate an attack, per the specified settings. They can brute-force forms on Web pages, as well as HTTP authentication, FTP, MySQL and other services. Multiple tools are available and choosing which one to use depends on the needs of a particular test, as well as preference of the security professionals.
For example, Medusa can be used to run a brute-force test on basic HTTP authentication from the command line:
medusa -h 192.168.1.1 -u "admin" -P hugewordlist.txt -M http
The -h parameter represents the hostname (IP address or domain name), -u is the username, -P is the location of the password list (one password per line), while the -M parameter represents the module that will be used. Module is the part that tells the program whether you are testing an HTTP authentication, a Web form, an FTP server, etc.
Hydra also works in a similar way. It is worth noting that if you need to test RDP services, ncrack would be the best option.
SQL injection is one of the most common vulnerabilities nowadays. It is caused by outdated Web applications, as well as writing poor code and not following the security best practices. Web application can be easily tested for SQL injection using OWASP SQLiX, an SQL injection scanner by OWASP written in PERL. Other popular SQL injection testing tools are SQLmap and SQLninja. These tools will automatically detect the database type, as well as the best way to exploit the application. All of them support many databases servers (MySQL, PostgreSQL, MSSQL, Oracle and more).
Many tools are specialized in testing the SSL implementation for vulnerabilities. They are usually online services, console applications or GUI applications. Some popular offerings in this area are SSLLabs, SSLScan, TestSSLServer. These tools can provide detailed information about the certificate, test cipher strength and check for vulnerabilities to specific attacks (e.g. POODLE attack).
While these tools can automate the security auditing process and make it more efficient, they are not worth much without a security professional who can interpret the results and make recommendations based on them.