2015-07-07T06:43:00Z

Which is the most comprehensive open source Web Security Testing tool?

it_user265974 - PeerSpot reviewer

8 Answers

OS
Consultant
2015-07-07T11:26:02Z
Jul 7, 2015

It depends.

Let me explain. If you are looking to find SQL injection, header injection, directory listing, shell injection, cross site scripting and file inclusion? Or are you looking for file disclosure, inclusion, cross site scripting, CED, CRLF injection, sel injection, xpath injection, weak .htaccess or backup files disclosure?

Also, proxy check is very important. I use several software packages since I deal with healthcare Apps. So, I don't think one program does it all but if you have the time to do a "cook off" I can recommend the following software:

Grabber
Vega
Zed Attack Proxy
Wapiti (Only Win 32bit)
W3af
WebScarab
Skipfish
Ratproxy
SQLMap
Wfuzz
Grendel-Scan
Watcher
X5S
Arachni

Some of them do the same thing and are repetitive, but I think these are the best open source web application security testing tools.
If you want to start penetration testing, I will recommend using Linux distributions which have been created for penetration testing. These environments are backtrack, gnacktrack, backbox and blackbuntu. All these environments come with various free and open source tools for website penetration testing. So, you can go with those environments.

I wrote my own solution. Securis. It is customized for healthcare federal regulations only. Let me know if I can help.

it_user158721 - PeerSpot reviewer
Vendor
2015-07-12T11:31:30Z
Jul 12, 2015

We have been looking for a good solution too and still haven't decided yet. But you might benefit from our approach:
- we didn't rule out closed source from the start. Security is too important to simply ignore that category. There are some good tools available but they come at a cost... (we are considering the following candidates: HP Fortify SCA, Acunetix, Netsparker)
- don't look for THE TOOL to do everything but look at the different security aspects to cover. (We differentiate between Dynamic and Static Application Security Testing. Dynamic Application Security Testing is testing the application from the outside, looking at the application in its running state. Whereas Static Application Security Testing is looking at the source code the application is made of.)
- use comparison material from the internet: we use among others Gartner's Magic Quadrant reports (http://securityintelligence.com/2014-gartner-magic-quadrant-for-application-security-testing-released-ibm-maintains-position-in-leaders-quadrant/#.VaJPKe8w-70).
The answers provided by others are all fine answers regarding open source and in our research until now we (also) have identified OWASP's Zed Attack Proxy as the prime open source candidate.

KS
Vendor
2015-07-07T13:09:40Z
Jul 7, 2015

ZAP for sure. Maintained by Mozilla.

RS
Real User
Top 5 Leaderboard
2015-07-07T11:44:43Z
Jul 7, 2015

also
http://www.gallop.net/pdf/white-papers/Security-Testing-WhitePaper.pdf

RS
Real User
Top 5 Leaderboard
2015-07-07T11:42:53Z
Jul 7, 2015

FYI
http://vanets.vuse.vanderbilt.edu/dokuwiki/lib/exe/fetch.php?media=teaching:web-scanner-final.pptx

RS
Real User
Top 5 Leaderboard
2015-07-07T11:35:55Z
Jul 7, 2015

w3af only

Vendor
2015-07-07T11:35:17Z
Jul 7, 2015

If you are looking for Web application security testing then I would recommend OWASP ZAP (Open Source) and Burp Suite (Licensed, with cost as low as $299 per yr.)

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
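As an added example (not from this thread or from the ZAP project): a small Python gate that reads a ZAP JSON report of the kind its automated scanner produces and decides which findings should fail a build, so the scanner can run unattended in a pipeline. The field names (`site`, `alerts`, `riskcode`, `confidence`, `instances`) follow ZAP's JSON report layout as assumed here, and the embedded report is constructed sample data, not a real scan.

```python
import json

# ZAP risk codes as assumed here: 0=Informational, 1=Low, 2=Medium, 3=High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample shaped like a ZAP JSON report; not output of a real scan.
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "http://app.example.test",
        "alerts": [
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/", "method": "GET"}]},
            {"pluginid": "40018", "alert": "SQL Injection",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/search?q=1", "param": "q"},
                           {"uri": "http://app.example.test/login", "param": "user"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "http://app.example.test/", "method": "GET"}]},
        ],
    }],
})

def load_alerts(report_json):
    """Flatten every alert from every site in the report into one list."""
    alerts = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "pluginid": alert.get("pluginid", ""),
                "name": alert.get("alert", ""),
                "risk": int(alert.get("riskcode", 0)),
                "confidence": int(alert.get("confidence", 0)),
                "instances": len(alert.get("instances", [])),
            })
    return alerts

def gate(report_json, min_risk=3, min_confidence=2, allowlist=()):
    """Alerts that should fail the build: risk and confidence at or above the
    thresholds, unless the plugin id is on a reviewed allowlist of accepted findings."""
    return [a for a in load_alerts(report_json)
            if a["risk"] >= min_risk and a["confidence"] >= min_confidence
            and a["pluginid"] not in set(allowlist)]

if __name__ == "__main__":  # print what would fail a CI job
    for a in gate(SAMPLE_REPORT):
        print(a["pluginid"], a["name"], "instances:", a["instances"])
```

Lowering `min_risk` to 2 also flags the Medium-risk CSP finding; the allowlist is for findings a reviewer has already accepted, not a way to silence new ones.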

it_user268092 - PeerSpot reviewer
Vendor
2015-07-07T11:17:56Z
Jul 7, 2015

As you have not indicated what language the development is done in nor what specific concerns you have, I can only offer a more general recommendation. Start with OWASP. Here is a link to their site:
https://www.owasp.org/index.php/Category:OWASP_Download

They have many decent open source tools for validating various aspects of web security. In addition, they have the Top 10, which outlines the most prevalent risks found/exploited currently. Fixing those goes a long way towards improving your web security.
