Monday 22 December 2014

8 Open source security testing tools to test your website



If security incidents like Heartbleed, the Apple gotofail flaw and the POODLE attack have taught us anything, it is that web security cannot be taken lightly and even the best of us are not safe from it. Web security testing tools are useful in proactively detecting application vulnerabilities and safeguarding websites against attacks.
Here are 8 open source tools that are popular among security testers:
  • Vega – It is a vulnerability scanning and testing tool written in Java. It works on OS X, Linux and Windows platforms. It is GUI enabled and includes an automated scanner and an intercepting proxy. It can detect web application vulnerabilities like SQL injection, header injection, cross-site scripting etc. It can be extended through a JavaScript API.
  • ZED Attack Proxy (ZAP) – It was developed by OWASP and is available for Windows, Unix/Linux and Macintosh platforms. It is very easy to use. It can be used as a scanner or as an intercepting proxy to manually test a webpage. Its key features are traditional and AJAX spiders, a fuzzer, WebSocket support and a REST-based API.
  • Wapiti – It performs a blackbox scan and injects payloads to check if a script is vulnerable. It supports both GET and POST HTTP attack methods. It detects vulnerabilities like file disclosure, file inclusion, cross-site scripting (XSS), weak .htaccess configuration etc.
  • W3af – It is a web application audit and attack framework that is effective against over 200 vulnerabilities. It has a GUI with expert tools which can be used to send HTTP requests and cluster HTTP responses. If a website is protected, it can use authentication modules to scan it. Output can be logged to a console, to a file or sent via email.
  • Iron Wasp – It is a powerful GUI-based scanning tool which can check for over 25 kinds of web vulnerabilities. It can detect false positives and false negatives. It is built on Python and Ruby and generates HTML and RTF reports.
  • SQLMap – It detects SQL injection vulnerabilities in a website's database. It can be used on a wide range of databases and supports 6 kinds of SQL injection techniques: time-based blind, boolean-based blind, error-based, UNION query, stacked queries and out-of-band. It can also connect directly to the database without using an SQL injection and has strong database fingerprinting and enumeration features.
  • Google Nogotofail – It is a network traffic security testing tool. It checks applications for known TLS/SSL vulnerabilities and misconfigurations. It scans SSL/TLS encrypted connections and checks whether they are vulnerable to man-in-the-middle (MITM) attacks. It can be set up as a router, VPN server or proxy server.
  • BeEF (Browser Exploitation Framework) – It detects application weaknesses using browser vulnerabilities. It uses client-side attack vectors to verify the security of an application. It can issue browser commands like redirection, changing URLs, generating dialogue boxes etc.

Read about the different types of security testing and tools that enable those testing in Gallop’s Whitepaper on Security Testing Tools.

Thursday 18 December 2014

Firing Range – Latest Open Source testbed from Google to evaluate Security Testing tools



And here comes Firing Range!

Google's 'Firing Range' is a step towards securing web applications against hacking. Released in November 2014, it is an open source Java application built on Google App Engine which provides a test ground for testing the effectiveness of security test tools. And it contains a wide range of XSS (Cross Site Scripting) and other web vulnerabilities which are helpful to ‘test’ security testing tools. 

Why do we need a testbed at all? Testbeds are used by security testing tool vendors who want to create perfect test tools which are ready to test all vulnerabilities. And the only way to ensure test tools become more and more accurate is to test the tool itself against a testbed full of vulnerabilities - a synthetic testbed to both test the current capabilities of the tool and set goals for what it needs to catch next.

Multiple testbeds similar to Google’s Firing Range are also available which can be leveraged to evaluate the effectiveness of a security testing/assessment tool. Some of them are OWASP WebGoat, OWASP Broken Web Applications Project (OWASPBWA), OWASP Hackademic, Damn Vulnerable Web Application (DVWA), Mutillidae and Metasploitable.
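The scoring a vendor would do against such a testbed, as an added example (not code from Firing Range or any of the scanners above): the planted vulnerabilities and the scanner's findings are constructed sample data with hypothetical paths, and the missed cases come out as the "goals for what to catch next".

```python
"""Score one scanner run against a vulnerability testbed's ground truth.

Added example; paths and categories below are constructed, not real
Firing Range endpoints or real scanner output.
"""
from collections import defaultdict

# Constructed ground truth: (path, category) for each planted vulnerability.
TESTBED = {
    ("/reflected/parameter/body", "xss"),
    ("/reflected/parameter/attribute", "xss"),
    ("/dom/location/hash", "xss"),
    ("/redirect/parameter", "open_redirect"),
    ("/mixedcontent/script", "mixed_content"),
}

# Constructed findings from a hypothetical scanner run over the testbed.
SCANNER_REPORT = [
    {"path": "/reflected/parameter/body", "category": "xss"},
    {"path": "/reflected/parameter/attribute", "category": "xss"},
    {"path": "/redirect/parameter", "category": "open_redirect"},
    {"path": "/static/logo.png", "category": "xss"},  # not planted: false positive
]


def score(testbed, report):
    """Per-category true positives, false positives and false negatives,
    plus the sorted list of planted cases the scanner did not report."""
    found = {(f["path"], f["category"]) for f in report}
    stats = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0})
    for path, cat in testbed:
        stats[cat]["tp" if (path, cat) in found else "fn"] += 1
    for path, cat in found - testbed:
        stats[cat]["fp"] += 1
    return dict(stats), sorted(testbed - found)


def recall(stats, category):
    """Fraction of planted cases in `category` that the scanner detected."""
    s = stats.get(category, {"tp": 0, "fn": 0})
    total = s["tp"] + s["fn"]
    return s["tp"] / total if total else 0.0


if __name__ == "__main__":
    stats, missed = score(TESTBED, SCANNER_REPORT)
    for cat in sorted(stats):
        print(f"{cat}: recall={recall(stats, cat):.2f} false_positives={stats[cat]['fp']}")
    print("missed (next goals):", missed)
```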

How does Google Firing Range benefit businesses?

As websites get more dynamic and complex, they have become more vulnerable to cyber-attacks. A report from Centre for Strategic and International Studies (CSIS) puts the average cost to global economy from cyber attacks at approximately $400bn. Businesses stand to face millions of dollars in penalties when sensitive information like credit card details, social security numbers etc. fall into the hands of hackers. The associated loss of goodwill and trust could take years to regain. 

  • Major companies like Sony Entertainment, eBay, Snapchat and Apple iCloud became recent targets of hacking. 
  • The security bug Heartbleed, impacting over 66% of websites, remained undetected for 2 years exposing user login details to hackers.
The above shows hacking is rampant and bugs can be very hard to detect.

Firing Range attempts to increase the chances of detecting bugs and other vulnerabilities in the web application by enabling efficient security testing tools. It provides a detailed testbed which Web Application Vulnerability Scanners can use to detect vulnerabilities in the website. Its biggest advantage is that it takes care of web vulnerabilities due to XSS. According to Claudio Criscione, security engineer at Google, XSS bugs represent 70% of all vulnerabilities detected at Google.

Firing Range is open source. Developers are free to try it, build upon it and give suggestions to improve the tool. It brings the advantage of Google's rich experience in web security.

As companies strive to attract customers through innovative websites, they cannot afford to ignore the need to ensure their customers a safe web experience. Partnering with a third party that has expertise in evaluating security testing/assessment tools can be helpful in strengthening and increasing the effectiveness of the tool. Gallop's Security Testing CoE will undertake the rigorous process of evaluating the Security Assessment tool, leveraging not only Google’s Firing Range but also similar testbeds like OWASP WebGoat, OWASP Broken Web Applications Project (OWASPBWA), Damn Vulnerable Web Application (DVWA), Mutillidae, OWASP Hackademic, Metasploitable.

Gallop Solutions excels in providing software security testing services using proprietary test accelerators and expertise in the world’s leading test tools. Through partnerships with these leading security test tool vendors, clients get to work with trained and certified test professionals at Gallop. If you have an application which needs to be security-tested, leverage the benefits of our pre-built security test framework which accelerates your test cycle while assuring quality. Drop us a line and we would be glad to assist.