Web Application Security Testing Tools to Identify Vulnerabilities
Good web vulnerability scanners and related tools can help ensure that you get the most from your scans and avoid hackers. As with many things in life, you get what you pay for when it comes to testing for web security holes. This is why using commercial tools when testing websites and web applications for vulnerabilities is key.
These are some favorite web security testing tools:
Acunetix Web Vulnerability Scanner for all-in-one security testing, including a port scanner, an HTTP sniffer, and an automated SQL injection tool
Firefox Web Developer for manual analysis and manipulation of web pages
You definitely want to use a scanner, because scanners find around half of the issues. Remember that you have to pick up where scanners leave off to truly assess the overall security of your websites and applications. You have to do some manual work not because web vulnerability scanners are faulty, but because poking and prodding web systems simply requires good old-fashioned hacker trickery and your favorite web browser.
HTTrack Website Copier for mirroring a site for offline inspection
Mirroring is a method of crawling (also called spidering) through a website’s every nook and cranny and downloading publicly accessible pages to your local system.
WebInspect for all-in-one security testing, including an excellent HTTP proxy and HTTP editor and an automated SQL injection tool
You can also use general vulnerability scanners, such as QualysGuard and LanGuard, as well as exploit tools, such as Metasploit, when testing web servers and applications. You can use these tools to find (and exploit) weaknesses that you might not otherwise find with standard web-scanning tools and manual analysis.
Google can be beneficial for rooting through web applications and looking for sensitive information as well. Although these non–application-specific tools can be beneficial, it’s important to know that they won’t drill down as deep as other tools.