“Opportunity is missed by most people because it is dressed and looks like work.”
– Thomas Edison

The IEEE Security & Privacy magazine had an article, “Web Application Security Assessment Tools.” The article provided a nice listing of tools used for the different areas of securing web applications. To give you an idea of how vulnerable web services are being taken advantage of please check out the Web Hacking Incident Database. For a hands on demonstration, there is a video over on YouTube that demonstrates in just over three minutes a Cross-Site Scripting (XSS) vulnerability on FaceBook. As we implement web 2.0 technologies, security should be of paramount concern. Insecure Magazine #13 has an article “Social engineering, social networking services: a LinkedIn example” by Nitesh Dhanjani. Nitesh makes the point that social network websites can be incredibly valuable targets for conducting personal reconnaissance and carrying out identity theft. Over on SecurityMonks, under the Presentation page, you can find many presentations on hacking through web services. Dafydd Stuttard and Marcus Pinto, the authors of “The Web Application Hacker’s Handbook“, have made the tools mentioned in their book available. Joel Scambray, Mike Shema, and Caleb Sima have created a web hacking tool page from the tools discussed in their book, “Hacking Exposed Web Applications, 2nd Ed.” All those tool links are pulled together and included below.

There is no silver bullet. Opportunities are made by putting in the time and doing the work. The below tools give the security professional a good starting point in evaluating web security.

Tools

Source-code analyzers

LIFE-CYCLE PHASE: Development, Testing, Predeployment

REQUIRED SKILL LEVEL: A senior developer or architect should lead the scanning effort and determine remediation strategies for any potential threats discovered in the code.

Commercial

• Secure Software CodeAssure
• Ounce Labs Prexis
• Fortify Software Source Code Analysis Suite
• Klocwork K7
• Coverity Prevent/Extend
• Compuware DevPartner SecurityChecker

Free/Open Source

• Rough Auditing Tool for Security (RATS)
• FlawFinder
• FindBugs
• Split
• FxCop
• Boon

Web application (black-box) scanners

LIFE-CYCLE PHASE: Predeployment, Postdeployment

REQUIRED SKILL LEVEL: Typically most useful to security auditors rather than developers. While usually point-and-click, these tools often have intrusive checks that could crash or cause a denial of service. It is critical that operators tread lightly.

Commercial

• SPI Dynamics WebInspect
• Sanctum AppScan

Free/open source

• OWASP WebScarab
• OWASP FOSBBWAS
• OWASP CAL9000
• OWASP Pantera
• Nikto
• Wikto
• Spike
• Burp Suite — created by PortSwigger. Billy Rios of xs-sniper.com says of Burp Suite “my favorite tool for web application assessments.”
• Achilles
• N-Stalker NStealth Free Edition

Browser Extensions

Free/open source
Firefox

• LiveHTTPHeaders
• Tamper Data
• FoxyProxy
• SwitchProxy
• AddNEditCookies
• CookieWatcher
• Firefox Toolbar
• Modify Headers

Internet Explorer

• TamperIE
• HttpWatch
• IEWatch
• IE Headers
• IE Developer Toolbar
• IE 5 Powertoys for WebDevs
• Internet Explorer Developer Toolbar

Database

LIFE-CYCLE PHASE: Testing, Predeployment, Postdeployment

REQUIRED SKILL LEVEL: Typically requires the database administrator or developer to run because many of their findings pertain to database configuration and hence require access beyond the data.

Commercial

• Application Security Inc. AppDetective
• Shadow Database Scanner (Safety Lab)

Free/open source

• MetaCortex
• TNS Listener tool
• Toad for Oracle

Debuggers/Decompilers

LIFE-CYCLE PHASE: Testing, Predeployment, Postdeployment

REQUIRED SKILL LEVEL: Although easy to use, understanding the tool;s results require the highest skill level of any in the list. To be effective, requires a skilled hacker or security professional with in-depth knowledge of assembly programming and the underlying hardware.

Commercial

• BugScan with IDAPro

Free/open source

• FxCop
• BugScam
• Jad
• Jode
• JSwat
• COMRaider
• .NET Reflector
• Flasm
• Flare

Runtime analysis tools

LIFE-CYCLE PHASE: Development, Testing, Predeployment, Postdeployment

REQUIRED SKILL LEVEL: Because many of these tools aim to make it easy to find runtime flaws, most people can use them.

Commercial

• Compuware BoundsChecker

Free/open source

• Foundstone .NETMon
• CLR Profiler
• NProf
• Process Monitor

Configuration analysis tools

LIFE-CYCLE PHASE: Development, Testing, Predeployment, Postdeployment

REQUIRED SKILL LEVEL: While using these tools is not difficult, analyzing the results and implementing mitigation strategies often require a developer and a system administrator.

Commercial

• Desaware CAS/Tester

Free/Open Source

• Foundstone SSLDigger
• PermCalc

Proxies tools

LIFE-CYCLE PHASE: Testing, Predeployment, Postdeployment

REQUIRED SKILL LEVEL: These tools typically require minimal configuration and can be thrown into use almost immediately. However, effectively using Web proxies requires in-depth knowledge of Web application hacking techniques, making these tools more useful for security testers than for developers.

Free/Open Source

• Paros
• Fiddler
• OWASP WebScarab
• BURP Proxy – See Burp Suite below.
• Achilles
• Odysseus
• Webstretch

Miscellaneous tools

LIFE-CYCLE PHASE: Development, Predeployment, Postdeployment

REQUIRED SKILL LEVEL: These tools vary in their ease of use. Some, such as Brutus, are point-and-click, while others, such as unit-testing frameworks, require significant development effort.

Commercial

• Visual Studio Team System (stress and Web UI testing tools)
• Source Insight

Free/open source

• Foundstone WS-Digger
• Foundstone SiteDigger
• PREfast
• NUnit
• JUnit
• HTTPUnit
• OWASP WSFuzzer
• Stompy
• HTTPring
• THCSSLCheck

Specific Vulnerabilities

Free/open source

• AJAX: OWASP SPRAJAX

SQL Injections

• OWASP SQLiX
• Sqlninja
• Sqlmap
• Absinthe
• SQLInjector
• SQL Power Injector by Francois Larouche
• Bobcat
• NGS Software database tools

Brute Force Password

• THX Hydra
• John the Ripper
• Brutus
• Cain & Abel

HTTP Methods

• NetCat

Buffer Overflow

• OllyDbg
• Spike
• Brute Force Binary (BFB) Tester
• Metasploit

Cross-Site Scripting (XSS)

• RSnake’s XSS Cheat Sheet
• XSS-Proxy

Googling

Free/open source

• SiteDigger

Acceptance Testing Tools: Validate Functionality

Free/open source

• WATIR – A Ruby based web testing framework that provides an interface into Internet Explorer. Windows only.
• HtmlUnit - A Java and JUnit based framework that uses the Apache HttpClient as the transport. Very robust and configurable and is used as the engine for a number of other testing tools.
• jWebUnit – A Java based meta-framework that uses htmlunit or selenium as the testing engine.
• Canoo Webtest – An XML based testing tool that provides a facade on top of htmlunit. No coding is necessary as the tests are completely specified in XML. There is the option of scripting some elements in Groovy if XML does not suffice. Very actively maintained.
• HttpUnit – One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
• Watij – A Java implementation of WATIR. Windows only because it uses IE for it’s tests (Mozilla integration is in the works).
• Solex – An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
• Selenium – JavaScript based testing framework, cross-platform and provides a GUI for creating tests. Mature and popular tool, but the use of JavaScript could hamper certain security tests.