Are there any tools you recommend for security testing your web applications?

I have used WebScarab from OWASP, but find it a bit difficult and unwieldy to use.

Is there anything else you would suggest using?

+2  A: 

Fortify has done well for us.

http://www.fortify.com/

Josh Gagnon
+3  A: 

HP has an app to test for SQL injections called Scrawlr.

Scrawlr

AdamB
A: 

I'd suggest using manual inspection with simple string search tools like findstr.

Here is a great resource of manual security inspection for asp.net: http://msdn.microsoft.com/en-us/library/ms998364.aspx

Or you can jump straight to the security questions that guide your way to finding security vulnerabilities: http://msdn.microsoft.com/en-us/library/ms998375.aspx

I've got a summary of string search techniques here: http://blogs.msdn.com/ace_team/archive/2008/07/24/security-code-review-string-search-patterns-for-finding-vulnerabilities-in-asp-net-web-application.aspx

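The string-search style of code review described in the answer above can be scripted. The following is an added example, not code from the answer or from the linked MSDN articles; the sample ASP.NET lines and the pattern list are constructed for illustration (the pattern set is my own selection, not the MSDN list).

```python
import re
from dataclasses import dataclass

# Constructed sample ASP.NET code-behind / markup lines (not real project code).
SAMPLE_SOURCE = """\
string user = Request.QueryString["user"];
Response.Write("Hello " + user);
var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = '" + user + "'", conn);
var safe = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);
<%@ Page Language="C#" ValidateRequest="false" %>
Response.Write(HttpUtility.HtmlEncode(user));
"""

# Search patterns a reviewer would grep for: (regex, rule id, why the line deserves a look).
PATTERNS = [
    (re.compile(r'Request\.(QueryString|Form|Cookies|Headers)', re.I),
     "INPUT", "untrusted input read; trace where it flows"),
    (re.compile(r'Response\.Write\((?!.*HtmlEncode)'),
     "XSS", "output written without HtmlEncode on the same line"),
    (re.compile(r'SqlCommand\(.*".*"\s*\+', re.I),
     "SQLI", "SQL text built by string concatenation"),
    (re.compile(r'ValidateRequest\s*=\s*"false"', re.I),
     "REQVAL", "request validation disabled"),
]

@dataclass
class Finding:
    line_no: int
    rule: str
    note: str
    text: str

def scan(source: str) -> list[Finding]:
    """Return one Finding per (line, matching pattern) for a manual reviewer to triage."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for rx, rule, note in PATTERNS:
            if rx.search(line):
                findings.append(Finding(n, rule, note, line.strip()))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: [{f.rule}] {f.note}\n    {f.text}")
```

Every hit is a starting point for a human reviewer, not a confirmed vulnerability; the parameterised query and the encoded output in the sample are deliberately not flagged.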
+3  A: 

Instead of WebScarab, try Fiddler proxy (http://www.fiddlertool.com). A lot more comfortable.

Other than that, "security testing" is a very wide term.
At the very least, you have:

  • Penetration testing - I use Appscan, many others.
  • Source Code Review / Static Analysis - Fortify is considered one of the best, I fell in love with Checkmarx (but it requires a security guy)... More information on your specific technology/language would help give you more targeted answers.
  • There are other types of "security testing", but I'm not familiar with other automatic tools for those types.
  • Pursuant to the last point, and more advanced testing of the first two types (PT/CR), manual testing by an expert is really the best (if not the most cost-effective).
AviD
A: 

I work for a company that does web app penetration testing as part of its business. We use many different tools. Some are one-off tools in Ruby for specific projects, or in-house developed frameworks or proxies (again Ruby). Most of our web app penetration testing is done using webscarab, burpsuite or paros proxy. They all have some sort of logging functionality, a decent amount of power and a drawback or two.

I've actually found webscarab to be the easiest to use. But, it doesn't handle VIEWSTATE or do much for searching. We've actually found data in VIEWSTATE that shouldn't be there, so whenever we see them we tend to switch to a different proxy. Burpsuite is my next choice. It does handle VIEWSTATE but the interface takes a lot of getting used to and its output while technically more complete - it keeps the original and modified requests/responses - is harder to use.

Unfortunately, the answer to your question is slightly more complicated than just a good proxy. There is more to it than just picking up a proxy or a scanner and letting them run. A person has to verify anything the tool finds, and there are some things nothing short of a person will find.

tqbf has a good explanation of this here.

tduehr
+1  A: 
splattne
A: 

Can someone please give some details on how to use nikto. I have installed perl and nikto and tried testing for a website.

It would be great if I would get more information on how to explore more using nikto. Thanks in advance.

That's another question..
Cherian
+1  A: 

These are all for pen testing web apps.

  1. curl - command-line tool to explore
  2. nikto/wikto - scanner for vulns
  3. w3af - Have heard great things, haven't tried it much
  4. sqlmap - automated SQL injection
  5. WebDeveloper and firebug - firefox extensions
  6. Twill and Selenium with your own test cases http://ha.ckers.org/xss.html
Akash Mahajan