Nowadays websites are getting more complex, and it has never been easy for webmasters and bloggers to ensure their site is 100% safe from security threats. Fortunately, there are some free web-based tools out there that help you scan your site for defects and vulnerabilities.
There is a saying that goes: “prevention is better than cure”. As serious webmasters, we should regularly monitor the health of our sites and identify any possible security loopholes. In today’s post, we’ve gathered 23 really useful web application security tools for website owners like you. Just give them a try and share your experience with us in the comments below.
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active security checks. The report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Acunetix is a cross-site scripting scanner that automatically checks your web applications for XSS, SQL injection and other vulnerabilities.
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Netsparker Community Edition
This free web vulnerability scanner scans your website to detect SQL injection and XSS issues in different back-end databases with high accuracy and without any false positives.
Websecurify is another web application security testing platform designed to provide a combination of automatic and manual vulnerability testing technologies. Some of its key features include an easy-to-use user interface, built-in internationalization support, easy extensibility with add-ons and plugins, manual testing tools and more.
Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.
Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches.
Exploit-Me is a suite of Firefox web application security testing tools (XSS-Me, SQL Inject-Me and Access-Me) designed to be lightweight and easy to use.
Paros is another web application security assessment tool. Because Paros works as a proxy, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
OWASP WebScarab Project
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
OWASP WebGoat Project
WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
BFBTester is great for doing quick, proactive security checks of binary programs. It performs checks for single and multiple argument command line overflows and environment variable overflows.
Webstretch enables a user to view and alter all aspects of communications with a web site via a proxy. It is primarily used for security-based penetration testing of websites. It can also be used for debugging during development.
Sqlninja is a tool targeted at exploiting SQL injection vulnerabilities in a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment.
N-Stalker (Free Edition)
This web application security scanner provides you with a set of free web security assessment checks to enhance the overall security of your web server infrastructure, using its complete web attack signature database. It is useful for identifying security problems and weaknesses on both your local and remote web servers.
Wapiti is a web application vulnerability scanner that enables you to audit the security of your web applications. The free security auditor performs “black-box” scans, i.e. it does not study the source code of the application but scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Some of the vulnerabilities that can be detected by Wapiti include file handling errors, database injections, XSS injection, LDAP injection, command execution detection as well as CRLF injection.
X5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. This is not a point-and-shoot tool; it requires some understanding of how encoding issues lead to XSS, and it requires manual driving.
Watcher is a Fiddler addon which aims to assist penetration testers in passively finding Web-application vulnerabilities. The security field today has several good choices for HTTP proxies which assist auditors and pen-testers.
SQLInjector uses inference techniques to extract data and determine the backend database server.
Spike is the tool of choice for professionals. While it requires a strong knowledge of C to use, it produces results second to none in the field. Spike is available for the Linux platform only.
Achilles acts as an HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly.
Babel Enterprise provides a security dashboard to assist you in hardening your system by showing the historical risk. It generates reports, either in HTML or PDF, with the security level of a system, compliances, domains, assets, etc.