views:

3007

answers:

14

We have 100s of websites which were developed in asp, .net and java... and we are paying lot of money for an external agency to do a penetration testing for our sites to check for security loop holes. Are there any (good) software (paid or free) to do this?

or.. are there any tehnical articles which can help me develop this tool.

+1  A: 

You could consider chorizo

Marc Gear
A: 

Thanks for help Marc.. But I am getting a page not found error! Is it only for me?

Shoban
Can't say for sure, but its definately up for me at the moment
Marc Gear
I would add that it's a scanner, so it might not be suitable for your dev environment
Marc Gear
A: 

I've heard good things about SpiDynamics WebInspect as far as paid solutions go, as well as Nikto (for a free solution) and other open source tools. Nessus is an excellent tool for infrastructure in case you need to check that layer as well. You can pick up a live cd with several tools on it called Nubuntu (Auditor, Helix, or any other security based distribution works too) and then Google up some tutorials for the specific tool. Always, always make sure to scan from the local network though. You run the risk of having yourself blocked by the data center if you scan a box from the WAN without authorization. Lesson learned the hard way. ;)

Abyss Knight
A: 

http://www.nessus.org/nessus/ -- Nessus will help suggests ways to make your servers better. It can't really test custom apps by itself, though I think the plugins are relatively easy to create on your own.

Steve g
A: 

Take a look at Rational App Scan (used to be called Watchfire). Its not free, but has a nice UI, is dead powerful, generates reports (bespoke and against standard compliance frameworks such as Basel2) and I believe you can script it into your CI build.

Andrew Harmel-Law
+34  A: 

There are a couple different directions you can go with automated testing tools for web applications.

First, there are the commercial web scanners, of which HP WebInspect and Rational AppScan are the two most popular. These are "all-in-one", "fire-and-forget" tools that you download and install on an internal Windows desktop and then give a URL to spider your site, scan for well-known vulnerabilities (ie, the things that have hit Bugtraq), and probe for cross-site scripting and SQL injection vulnerabilities.

Second, there are the source-code scanning tools, of which Coverity and Fortify are probably the two best known. These are tools you install on a developer's desktop to process your Java or C# source code and look for well-known patterns of insecure code, like poor input validation.

Finally, there are the penetration test tools. By far the most popular web app penetration testing tool among security professionals is Burp Suite, which you can find at http://www.portswigger.net/proxy. Others include Spike Proxy and OWASP WebScarab. Again, you'll install this on an internal Windows desktop. It will run as an HTTP proxy, and you'll point your browser at it. You'll use your applications as a normal user would, while it records your actions. You can then go back to each individual page or HTTP action and probe it for security problems.

In a complex environment, and especially if you're considering anything DIY, I strongly recommend the penetration testing tools. Here's why:

Commercial web scanners provide a lot of "breadth", along with excellent reporting. However:

  • They tend to miss things, because every application is different.

  • They're expensive (WebInspect starts in the 10's of thousands).

  • You're paying for stuff you don't need (like databases of known bad CGIs from the '90s).

  • They're hard to customize.

  • They can produce noisy results.

Source code scanners are more thorough than web scanners. However:

  • They're even more expensive than the web scanners.

  • They require source code to operate.

  • To be effective, they often require you to annotate your source code (for instance, to pick out input pathways).

  • They have a tendency to produce false positives.

Both commercial scanners and source code scanners have a bad habit of becoming shelfware. Worse, even if they work, their cost is comparable to getting 1 or 2 entire applications audited by a consultancy; if you trust your consultants, you're guaranteed to get better results from them than from the tools.

Penetration testing tools have downsides too:

  • They're much harder to use than fire-and-forget commercial scanners.

  • They assume some expertise in web application vulnerabilities --- you have to know what you're looking for.

  • They produce little or no formal reporting.

On the other hand:

  • They're much, much cheaper --- the best of the lot, Burp Suite, costs only 99EU, and has a free version.

  • They're easy to customize and add to a testing workflow.

  • They're much better at helping you "get to know" your applications from the inside.

Here's something you'd do with a pen-test tool for a basic web application:

  1. Log into the application through the proxy

  2. Create a "hit list" of the major functional areas of the application, and exercise each once.

  3. Use the "spider" tool in your pen-test application to find all the pages and actions and handlers in the application.

  4. For each dynamic page and each HTML form the spider uncovers, use the "fuzzer" tool (Burp calls it an "intruder") to exercise every parameter with invalid inputs. Most fuzzers come with basic test strings that include:

    • SQL metacharacters

    • HTML/Javascript escapes and metacharacters

    • Internationalized variants of these to evade input filters

    • Well-known default form field names and values

    • Well-known directory names, file names, and handler verbs

  5. Spend several hours filtering the resulting errors (a typical fuzz run for one form might generate 1000 of them) looking for suspicious responses.

This is a labor-intensive, "bare-metal" approach. But when your company owns the actual applications, the bare-metal approach pays off, because you can use it to build regression test suites that will run like clockwork at each dev cycle for each app. This is a win for a bunch of reasons:

  • Your security testing will take a predictable amount of time and resources per application, which allows you to budget and triage.

  • Your team will get maximally accurate and thorough results, since your testing is going to be tuned to your applications.

  • It's going to cost less than commercial scanners and less than consultants.

Of course, if you go this route, you're basically turning yourself into a security consultant for your company. I don't think that's a bad thing; if you don't want that expertise, WebInspect or Fortify isn't going to help you much anyways.

tqbf
Excellent reply.
xan
+2  A: 

I know you asked specifically about pentesting tools, but since those have been amply answered (I usually go with a mix of AppScan and trained pentester), I think it's important to point out that pentesting is not the only way to "check for security loopholes", and is often not the most effective.

Source code review tools can provide you with much better visibility into your codebase, and find many flaws that pentesting won't.

These include Fortify and OunceLabs (expensive and for many languages), VisualStudio.NET CodeAnalysis (for .NET and C++, free with VSTS, decent but not great), OWASP's LAPSE for Java (free, decent not great), CheckMarx (not cheap, fanTASTic tool for .NET and Java, but high overhead), and many more.

An important point you must note - (most of) the automated tools do not find all the vulnerabilities, not even close. You can expect the automated tools to find approximately 35-40% of the secbugs that would be found by a professional pentester; the same goes for automated vs. manual source code review.

And of course a proper SDLC (Security Development Lifecycle), including Threat Modeling, Design Review, etc, will help even more...

AviD
A: 

formerly hackersafe McAfee Secure.

Greg Ogle
SO completely and trivially bypassable. Don't bother wasting your time.
AviD
+1  A: 

McAfee Secure is not a solution. The service they provide is a joke.

See below:

http://blogs.zdnet.com/security/?p=1092&tag=rbxccnbzd1
http://blogs.zdnet.com/security/?p=1068&tag=rbxccnbzd1
http://blogs.zdnet.com/security/?p=1114&tag=rbxccnbzd1

woany
these articles are a year and a half old now? are they still valid?
Simon_Weaver
A: 

How about nikto ?

mhd
A: 

For this type of testing you really want to be looking at some type of fuzz tester. SPIKE Proxy is one of a couple of fuzz testers for web apps. It is open source and written in Python. I believe there are a couple of videos from BlackHat or DefCON on using SPIKE out there somewhere, but I'm having difficulty locating them.

There are a couple of high end professional software packages that will do the web app testing and much more. One of the more popular tools would be CoreImpact

If you do plan on going through with the Pen Testing on your own I highly recommend you read through much of the OWASP Project's documentation. Specifically the OWASP Application Security Verification and Testing/Development guides. The mindset you need to thoroughly test your application is a little different than your normal development mindset (not that it SHOULD be different, but it usually is).

marco0009
A: 

what about rat proxy?

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more

Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Justin Lawrence
A: 

I can advise you to use a online and free web security scanner.

http://www.zerodayscan.com

maozet
A: 

I know you asked specifically about pentesting tools, but since those have been amply answered (I usually go with a mix of AppScan and trained pentester), I think it's important to point out that pentesting is not the only way to "check for security loopholes", and is often not the most effective.

Source code review tools can provide you with much better visibility into your codebase, and find many flaws that pentesting won't.

These include Fortify and OunceLabs (expensive and for many languages), VisualStudio.NET CodeAnalysis (for .NET and C++, free with VSTS, decent but not great), OWASP's LAPSE for Java (free, decent not great), CheckMarx (not cheap, fanTASTic tool for .NET and Java, but high overhead), and many more.

An important point you must note - (most of) the automated tools do not find all the vulnerabilities, not even close. You can expect the automated tools to find approximately 35-40% of the secbugs that would be found by a professional pentester; the same goes for automated vs. manual source code review.

And of course a proper SDLC (Security Development Lifecycle), including Threat Modeling, Design Review, etc, will help even more...