Monday, August 25, 2008

Blackhat USA 08

The presentation materials are now available for the Blackhat USA 2008 conference, go and read them all :-)

Sorry for the lack of posts, I'm moving house in 2 days so it's all very hectic at the moment!

Dave

Tuesday, August 19, 2008

PCI DSS version 1.2

I have come across a document from the PCI DSS Council today which has a summary of the changes that will be included in the next version of the standard.

I will reserve my full opinion on the changes until I see the final version of the standard. I will say I'm a bit disappointed if the document lists all of the changes to the standard as it doesn't even update requirement 6.5 to the latest OWASP top ten...

I will post more when the final version of the standard is released.

Thursday, August 14, 2008

Application Security Testing Tools

I have been asked a few times recently to tell people what tools I use when I'm testing web applications for security issues.

I always find that a mixture of tools can be used to find potential security issues in applications, but exploiting those issues always seems to be a manual effort. I don't mind that, I get a good feeling when I hack things!

I will list the tools I use along with a short description. I'm not writing this post as a tutorial - if anyone wants tutorials then let me know and I will see what I can do.

My favourite tool would be the Burp Suite from Portswigger. We have recently purchased a site license at work - I think that says a lot for this tool. Burp Suite offers many different modules that can help you test application security. I like the intruder module the most; it allows me to input the strings I would use in manual tests very quickly and in a few different ways. My test inputs file is nearly 400 different inputs, so the intruder module is a lifesaver. The Burp Suite is available as a free or commercial tool; I recommend that anyone interested in web application security testing grabs a copy and has a play with it.

The Burp Suite can also be extended using the IBurpExtender interface; if any developers reading this want to collaborate on a project then drop me a line. I have a few ideas that I would love to implement using the Burp Extender.

I have recently started playing with the Exploit Me Firefox plugins and I have been impressed by them. I have put SQL Inject me and XSS me into my testing tool box. The plugins allow you to "point and click" test web applications for XSS and SQL Injection issues. They are quick and efficient and I would recommend them to anyone wanting to test for these issues.

I have recently started to try some fuzz testing tools when I have been testing web applications. This approach has found a lot of bugs in high profile software in the past so I felt it was worth a try.

I had started using Spike Proxy for fuzzing but, if I'm honest, I'm not that impressed with the tool. I felt the initial character set that is hardcoded into the tool wasn't as big as I would like. I extended this significantly but I'm still not likely to stick with this tool. I wanted the fuzzer to put random data into fields with random lengths and this tool didn't deliver that for me. Perhaps I'm using it incorrectly; if so, drop me a line and enlighten me :-)

So to fulfill my desire for a fuzzing tool I have begun playing with JMeter for this purpose. I think if I write some Java which has a predefined character set (it could even pull from a "random" source - /dev/random?) and an upper and lower length for the input, I can use BeanShell with JMeter and submit this fuzz-type data in fields to the web application. I can't take all of the credit for that idea; if the person who helped with this idea is reading this now then thank you very much! That idea is still very much in the "does it actually work?" stage so I will let you all know how it goes.
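The JMeter/BeanShell idea sketched above, written out as an added example that is not code from the original post: a BeanShell PreProcessor that builds one fuzz value per sample from a predefined character set and a random length between two bounds, then exposes it to the HTTP sampler as `${fuzz}`. It assumes JMeter's standard BeanShell bindings (`vars`, `log`) and two hypothetical User Defined Variables, `FUZZ_MIN` and `FUZZ_MAX`, on the test plan.

```java
// Added example: JMeter BeanShell PreProcessor that generates a random-length
// fuzz string from a fixed character set on every sample (not the post's own code).
// Assumes the standard JMeter bindings `vars` and `log`, plus the hypothetical
// User Defined Variables FUZZ_MIN and FUZZ_MAX (defaults used if absent).
import java.security.SecureRandom;

// Alphanumerics plus the metacharacters that most often upset parsers,
// query builders and HTML encoders; extend the set to suit the target.
String charset = "abcdefghijklmnopqrstuvwxyz0123456789 '\"<>&;%()=-_./\\|`$";

String minStr = vars.get("FUZZ_MIN");
String maxStr = vars.get("FUZZ_MAX");
int minLen = (minStr == null) ? 1 : Integer.parseInt(minStr);
int maxLen = (maxStr == null) ? 256 : Integer.parseInt(maxStr);
if (maxLen < minLen) { maxLen = minLen; }   // guard against swapped bounds

// SecureRandom is seeded from the OS entropy source (e.g. /dev/urandom on Linux),
// which covers the "pull from a random source" idea without blocking on /dev/random.
SecureRandom rng = new SecureRandom();

int len = minLen + rng.nextInt(maxLen - minLen + 1);
StringBuilder sb = new StringBuilder(len);
for (int i = 0; i < len; i++) {
    sb.append(charset.charAt(rng.nextInt(charset.length())));
}

// Publish the value; reference it as ${fuzz} in the sampler's parameter field.
vars.put("fuzz", sb.toString());
vars.put("fuzz_len", Integer.toString(len));   // handy for correlating failures
log.info("fuzz len=" + len + " value=" + sb.toString());
```

Tick "Encode?" on the parameter that carries `${fuzz}` so the metacharacters reach the application intact, and pair the sampler with a Response Assertion on status code and a listener that records `${fuzz_len}` so that any 500s or timeouts can be traced back to the input that caused them.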

That's my main set of testing tools at the moment, but I'm always playing with new things. I have a few tools listed below that I think are going to be squeezing into my testing tool box soon (not all of these are new tools):

Grendel-Scan

Nikto

Wikto

Try them and find out what works for you.

Dave

Up in the clouds......

With all the discussion of cloud computing recently I have decided to give it a go. I'm going to sign up with the Amazon cloud service.

Since I created this blog I'm finding I need bigger and better labs to test out things like the Dan Kaminsky DNS flaw, Evilgrade and a multitude of reverse engineering tasks. I have decided that doing all of this up in the Amazon cloud gives me a huge amount of computing power for a very small price.

I'm going to get myself set up in the next few days - expect some good lab work to appear on the blog in the coming months!

Dave

Monday, August 11, 2008

Security/Hacking conferences

With all the talk of Blackhat USA and Defcon at the moment it makes me wish I had gone along! I have a lot of friends over in Las Vegas at the moment telling me about the fun they are having. I look forward to reading the presentations from the conferences.

Next year I will be going! I will also be making my usual journey to Blackhat Europe in 2009. It seems like a long way off, but Blackhat Europe will be hosted in Amsterdam as usual. It will run from April 14th through to the 17th next year. Details will be posted on this page.

I also plan on visiting the Chaos Communication Congress in December this year; the Chaos Congress will be held on the traditional days of 27th - 30th December. I think I really need to pick my time carefully when I tell my girlfriend I plan on going! More details can be found here.

I will post more about Blackhat nearer the time but if anyone else is planning on going to CCC give me a shout.

Dave