8 Open source security testing tools to test your website

Listen on the go!

If security incidents like Heartbleed, Apple gotofail flaw, POODLE attack have taught us anything, it is that web security cannot be taken lightly and even the best of us are not safe from it. Web security testing tools are useful in proactively detecting application vulnerabilities and safeguarding websites against attacks.

Here are 8 open source tools that are popular among security testers:

  •  Vega – It is a vulnerability scanning and testing tool written in Java. It works with OS X, Linux and Windows platforms. It is GUI enabled and includes an automated scanner and an intercepting proxy. It can detect web application vulnerabilities like SQL injection, header injection, cross site scripting etc. It can be extended through a javascript API.

https://subgraph.com/vega/

  • ZED Attack Proxy (ZAP) – It was developed by AWASP and is available for Windows, Unix/Linux and Macintosh platforms. It has high ease of use. It can be used as a scanner or to intercept a proxy to manually test a webpage. Its key features are traditional and AJAX spiders, Fuzzer, Web socket support and a REST based API

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

  •  Wapiti – It performs a blackbox scan and injects payloads to check if a script is vulnerable. It supports both GET and POSTHTTP attack methods. It detects vulnerabilities like file Disclosure, file inclusion, cross Site Scripting (XSS), weak .htaccess configuration etc.

http://wapiti.sourceforge.net/

  •  W3af – It is a web application audit and attack framework that is effective against over 200 vulnerabilities. It has a GUI with expert tools which can be used to send HTTP request and cluster HTTP responses. If a website is protected, it can use authentication modules to scan them. Output can be logged into a console, a file or sent via email.

http://w3af.org/

  •  Iron Wasp – It is a GUI based powerful scanning tool which can check over 25 kinds of web vulnerabilities. It can detect false positives and false negatives. It is built on Python and Ruby and generates HTML and RTF reports.

https://ironwasp.org/

  •  SQLMap – It detects SQL injection vulnerability in a website database. It can be used on a wide range of databases and supports 6 kinds of SQL injection techniques: time-based blind, boolean-based blind, error-based, UNION query, stacked queries and out-of-band. It can directly connect to the database without using an SQL injection and has great database fingerprinting and enumeration features.

http://sqlmap.org/

  • Google Nogotofail – It is a network traffic security testing tool. It checks application for known TLS/SSL vulnerabilities and mis-configurations. It scans SSL/TLS encrypted connections and checks whether they are vulnerable to man-in-the-middle (MiTM) attacks. It can be set up as a router, VPN server or proxy server.

https://github.com/google/nogotofail

  •  BeEF (Browser Exploitation Framework) – It detects application weakness using browser vulnerabilities. It uses client-side attack vectors to verify security of an application. It can issue browser commands like redirection, changing URLs, generating dialogue boxes etc.

http://beefproject.com/

Read about the different types of security testing and tools that enable those testing in Cigniti’s Whitepaper on Security Testing Tools.