Which is the most comprehensive open source Web Security Testing tool?

8

Any feedback based on your experiences would be helpful. Thanks.

Anonymous avatar x30
Guest
As seen in
Logosasseenin

8 Answers

Add am
Andries MeskenConsultant

We have been looking for a good solution too and still haven't decided yet. But you might benefit from our aproach:
- we didn't rule out closed source from the start. Security is too important to simply ignore that category. There are some good tools available but they come at a cost... (we are considering the folowing candidates: HP Fortify SCA, Acunetix, Netsparker)
- don't look for THE TOOL to do everything but look at the different security aspects to cover. (We differentiate between Dynamic and Static Application Security Testing. Dynamic Application Security Testing is testing the application from the outside it, looking at the application in its running state. Whereas Static Application Security Testing is looking at the sourcecode the application is made of.)
Use comparison material from internet: we use among others Gartners Magic Quadrant reports (http://securityintelligence.com/2014-gartner-magic-quadrant-for-application-security-testing-released-ibm-maintains-position-in-leaders-quadrant/#.VaJPKe8w-70).
The answers provide by others are all fine answers regarding open source and in our research until now we (also) have identified OWASP's Zed Attack Proxy as the prime open source candidate.

Like (0)12 July 15
446203ac 0363 4d53 89df 38cfa8c88a41 avatar

ZAP for sure. Maintained by Mozilla.

Like (0)07 July 15
Picture ravi suvvari
Ravi SuvvariReal UserTOP 5POPULAR
Like (0)07 July 15
Picture ravi suvvari
Ravi SuvvariReal UserTOP 5POPULAR

w3af only

Like (0)07 July 15
Anonymous avatar x30

If you are looking for Web application security testing then I would recommend- OWASP-ZAP(Open Source) and Burp Suite(Licensed with cost as low as 299$ per yr.)

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Like (0)07 July 15
Omar sanchez mr tech avatar 1434666108?1434666106
Omar Sánchez (Mr.Tech)ConsultantTOP 10POPULAR

It depends.

Let me explain. If you are looking to find SQL injection, header injection, directory listing, shell injection, cross site scripting and file inclusion? Or are you looking for file disclosure, inclusion, cross site scripting, CED, CRLF injection, sel injection, xpath injection, weak .htaccess or backup files disclosure?

Also, proxy check is very important. I use several software since I deal with healthcare Apps. So, I don't think one program does it all but if you have the time to do a "cook off" I can recommend the following software:

Grabber
Vega
Zed Attack Proxy
Wapiti (Only Win 32bit)
W3af
WebScarab
Skipfish
Ratproxy
SQLMap
Wfuzz
Grendel-Scan
Watcher
X5S
Arachni

Some of them do the same are repetitive but I think these are the best open source web application security testing tools.
If you want to start penetration testing, I will recommend using Linux distributions which have been created for penetration testing. These environments are backtrack, gnacktrack, backbox and blackbuntu. All these tools come with various free and opensource tools for website penetration testing. So, you can go with those environments.

I wrote my own solution. Securis. It is customized for healthcare federal regulations only. Let me know if I can help.

Like (2)07 July 15
97818ea2 eb22 422f 98ca cdb937781103 avatar?1436267704

As you have not indicated what langue the development is done in nor what specific concerns you have, I can only offer a more general recommendation. Start with Owasp. Here is a link to their site:
https://www.owasp.org/index.php/Category:OWASP_Download

They have many decent open source tools for validating various aspects of web security. In addition, they have the top 10, which outlines the most prevalent risks found/exploited currently. Fixing those goes a long way towards imporiving your web security.

Like (0)07 July 15
As seen in
Logosasseenin

Sign Up with Email