“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.” – Bill Gates
Web application security is for websites, web applications and web services what Information Security, or InfoSec for short, is for information (be it electronic or physical). It takes the principles of application security and applies them to Internet and Web systems.
Typically, web applications are created using classic programming languages such as PHP or Java, and, with the advent of Web 2.0 and increased information sharing through social media networks, security breaches have been on the rise. Hackers are targeting sites directly, aiming to compromise corporate networks, as well as the end-users accessing the websites.
According to the 2013 Cenzic report, the top 3 web application vulnerabilities are cross-site scripting (XSS), info leakage & session management, and authentication & authorization.
In light of these harrowing statistics, we have compiled a list of 10 efficient and free web application security testing tools, so that you can make sure your safe and clean website stays that very same way.
1. N-Stalker
Although restricted when compared to its paid counterpart, N-Stalker does a bang-up job assessing how secure your web applications and web servers are (being founded on the U.S. Patent Registered Technology of Component-oriented Web Application Security Scanning), using a set of security checks that include web server security, backup security and, most importantly, cross-site scripting to inspect up to 100 pages. It is recommended for small infrastructure providers, non-profit organizations and security-conscious individuals.
2. Exploit-Me
A really rather versatile tool to have in your “toolbox”, Exploit-Me is actually a suite of tools for addressing several application security needs. It comes in the form of three Firefox plug-ins, each made to test specific web application vulnerabilities. These three plug-ins are XSS-Me, SQL-Inject-Me and Access-Me.
Each one is made under the GNU Public License, which makes them open-source, so updates are constantly available.
3. Netsparker Community Edition
Netsparker Community Edition is the free community edition of the already well established Netsparker web application security tool. It’s an effective help in running SQL injection tests and cross-site scripting tests, boasting false-positive free results, which is a rather bold claim, considering the impact false-positive results have on web application security testing. Add to all that a user-friendly interface, and you’ve got yourself a magnificent “guard dog” for your site.
4. OWASP WebScarab Project
Our previous entry made a point of being friendly to its users. OWASP WebScarab Project is a serious tool, for serious users. It’s designed for people who, if they can’t write code themselves, at least have a good understanding of the HTTP protocol. A tool in the truest sense of the word.
The OWASP WebScarab Project is a framework which you can use to analyse applications that communicate using HTTP and HTTPS protocols. Being written in Java, it is portable to various types of platform.
It also benefits from a large number of plug-ins aimed at security functionality. Among these plug-ins are an XSS/CRLF plug-in that searches for CRLF injection and cross-site scripting vulnerabilities; a Spider plug-in that identifies new URLs on the target site and fetches them on command; and a parameter fuzzer that performs automated substitution of parameter values that are likely to expose incomplete parameter validation and lead to cross-site scripting and SQL injection vulnerabilities.
5. Websecurify
Websecurify is, quite simply, a really cool looking concept. After checking out the previous entry’s approach to aesthetics, it comes across as a valuable effort from a team of programmers and designers. If not necessarily user-friendly, it most certainly is pretty to look at.
The concept behind this tool is that you can customize it, adding the features you need, as you need them. The basic features are free, so you will probably go through the lot of them, but if ever the need arises, you can add one of the paid features and still be on-budget.
6. Wapiti
Wapiti is an open-source, browser-based tool that searches for scripts and forms to inject data in your web applications’ deployed web pages. Its attacks are based on the Nikto database, and, as such, it’s capable of unearthing vulnerabilities ranging from cross-site scripting and SQL injection, to file handling errors and database injection.
7. Wfuzz
Yet another tool where user-friendliness plays second fiddle, Wfuzz is a web application bruteforcer that bruteforces your web applications so as to discover web application vulnerabilities, such as cross-site scripting or SQL injection. It also acts as a fuzzer, so, although intimidating with its DOS-like appearance, it’s worth trying out if your current tool just isn’t cutting it for you.
8. x5s
Unlike the other tools on this list, x5s is what you might call a “one trick pony”. It only tests for issues that could lead to cross-site scripting, but it does so very well. It tests all the POST and GET input parameters on the target application, presenting its findings in a grid display for quick analysis. After this, it auto-injects special characters, such as higher Unicode or overlong UTF-8, to detect transformations that could lead to cross-site scripting.
Since the tool doesn’t crawl or spider, it requires manual driving, the upside to this being that all complex Web 2.0 communications are unaltered, and you get to see all of the query string parameters, form fields, and JSON parameters happen in real-time.
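To make the idea behind x5s concrete, here is an added example (not part of the original post and not x5s’s own code): a small Python harness that reflects Unicode probe characters through two constructed handlers and reports whether each probe came back as a raw ASCII metacharacter. The probe list, the marker string and both handlers are assumptions built for this illustration.

```python
import unicodedata
from html import escape

# Probe characters whose NFKC compatibility form is an HTML metacharacter.
# Constructed sample set for this example; x5s ships its own probe list.
PROBES = {
    "\uff1c": "<",   # FULLWIDTH LESS-THAN SIGN
    "\uff1e": ">",   # FULLWIDTH GREATER-THAN SIGN
    "\uff02": '"',   # FULLWIDTH QUOTATION MARK
    "\uff07": "'",   # FULLWIDTH APOSTROPHE
    "\uff06": "&",   # FULLWIDTH AMPERSAND
}
MARKER = "zq9"  # surrounds the probe so it can be located in the response

def vulnerable_reflect(value: str) -> str:
    """Constructed buggy handler: escapes first, normalizes afterwards, so
    the normalizer manufactures metacharacters the escaper never saw."""
    return unicodedata.normalize("NFKC", escape(value))

def safe_reflect(value: str) -> str:
    """Constructed fixed handler: normalize first, then output-encode."""
    return escape(unicodedata.normalize("NFKC", value))

def classify(reflected: str, probe: str, dangerous: str) -> str:
    if reflected == probe:
        return "unchanged"
    if reflected == dangerous:
        return "transformed-unescaped"   # the finding x5s is looking for
    if reflected == escape(dangerous):
        return "transformed-escaped"     # transformed, but output-encoded
    return "other"

def detect_transformations(render, probes=PROBES) -> dict:
    """Reflect each probe through `render` and report what came back."""
    report = {}
    for probe, dangerous in probes.items():
        out = render(f"{MARKER}{probe}{MARKER}")
        start, end = out.find(MARKER), out.rfind(MARKER)
        if start < 0 or end <= start:
            report[probe] = "not-reflected"
            continue
        reflected = out[start + len(MARKER):end]
        report[probe] = classify(reflected, probe, dangerous)
    return report

def strict_decoder_rejects_overlong(data: bytes) -> bool:
    """Overlong UTF-8 (e.g. b'\\xc0\\xbc' for '<') is the other probe class
    mentioned above; Python's strict decoder refuses it outright."""
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True
```

Running `detect_transformations` against your own reflection points the same way shows whether normalization happens before or after output encoding, which is the ordering bug this probe class exists to surface.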
9. Burp Suite Free Edition
Bearing a slapstick name, Burp Suite Free Edition not only promises to make your work quick and efficient, but also fun. Of course, the free edition has fewer features than the paid one, but it does keep all the essentials, making it a dependable tool for new and experienced users, alike.
10. Nikto
We mentioned Nikto earlier, in the Wapiti entry. Although not the stealthiest of tools, Nikto does a good job of helping you check your site for vulnerabilities. It tests for both application and script vulnerabilities in the quickest time possible, but you can try making it a bit more discreet, since it supports LibWhisker’s anti-IDS methods.
That concludes our list of free web application security testing tools. We hope it helps you out, and if there are any tools we missed, be sure to let us know in the comment section below.