Free Web Application Security Test Tools


This topic contains 27 replies, has 17 voices, and was last updated by  cybermo 1 year, 11 months ago.

Viewing 20 posts - 1 through 20 (of 28 total)
    #73931

    jadenturner
    Participant

    This is just one of the many lists of tools I use – this list is specific to free open-source web application security test tools. More to come.

    Open Source and Free Web Application Testing Tools

    BeEF (Browser Exploitation Framework) – http://beefproject.com/ It detects application weaknesses using browser vulnerabilities. It uses client-side attack vectors to verify the security of an application. It can issue browser commands like redirection, changing URLs, generating dialogue boxes, etc.

    BURP Suite – https://portswigger.net/ Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

    Google Nogotofail – https://github.com/google/nogotofail It is a network traffic security testing tool. It checks applications for known TLS/SSL vulnerabilities and misconfigurations. It scans SSL/TLS encrypted connections and checks whether they are vulnerable to man-in-the-middle (MITM) attacks. It can be set up as a router, VPN server or proxy server.

    Grendel-Scan – https://sourceforge.net/projects/grendel/ Grendel-Scan is an open-source web application security testing tool. It has an automated testing module for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests.

    Iron Wasp – https://ironwasp.org/ It is a powerful GUI-based scanning tool which can check for over 25 kinds of web vulnerabilities. It can detect false positives and false negatives. It is built with Python and Ruby and generates HTML and RTF reports.

    LAPSE+ – https://www.owasp.org/index.php/OWASP_LAPSE_Project Lapse+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher.

    Mantra Security Framework – http://www.getmantra.com/ Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux (both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using its built-in proxy management function, which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese – Simplified, Chinese – Traditional, English, French, Portuguese, Russian, Spanish and Turkish.

    Acunetix Security Scanner – http://www.acunetix.com/ Acunetix has two scanners: Web Vulnerability Scanner and Network Security Scanner. You can either download a 14-day trial or run a free Network Security Scan from the cloud.

    Pantera Web Assessment Studio Project – https://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.

    Sprajax – https://www.owasp.org/index.php/Category:OWASP_Sprajax_Project Sprajax is an open-source black box scanner for AJAX-enabled applications.

    SWF Intruder – https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.

    SWF Scan – No longer available as open source – acquired by HP – no updates on status – you can find old versions if you search.

    Vega – https://subgraph.com/vega/ It is a vulnerability scanning and testing tool written in Java. It works on OS X, Linux and Windows platforms. It is GUI enabled and includes an automated scanner and an intercepting proxy. It can detect web application vulnerabilities like SQL injection, header injection, cross-site scripting, etc. It can be extended through a JavaScript API.

    WAP Web Application Protection – http://awap.sourceforge.net/ WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP, and it predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. It then corrects the source code to remove the real vulnerabilities by inserting fixes (small functions) in the right places in the source code.

    WebScarab NG – https://www.owasp.org/index.php/WebScarab_Getting_Started WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins. There is a new Next Generation version with an easier UI, and session information is now written to a database instead of individual files.

    Web Server Security Test – https://geekflare.com/online-scan-website-security-vulnerabilities/ Test your web server configuration, web application cookies, and HTTP headers for security and compliance with best practices, such as OWASP.

    WebTesting Environment – https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.

    WebStretch – https://sourceforge.net/projects/webstretch/ Enables a user to view and alter all aspects of communications with a web site via a proxy. Primarily used for security-based penetration testing of web sites, it can also be used for debugging during development. Seen as part of a hacker toolkit.

    Watobo – http://watobo.sourceforge.net/index.html WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. It performs vulnerability checks out of the box.

    ZED Attack Proxy (ZAP) – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project It was developed by OWASP and is available for Windows, Unix/Linux and Macintosh platforms. It is very easy to use. It can be used as a scanner or as an intercepting proxy to manually test a webpage. Its key features are traditional and AJAX spiders, a fuzzer, WebSocket support and a REST-based API out of the box, and it has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.

    #73954

    t13ru
    Participant

    Nice post, you forgot to mention:
    1) Arachni
    2) Curl
    https://curl.haxx.se/
    3) Python
    https://www.python.org/
    Beginners might leverage Cybrary courses and literature like Python Web Penetration Testing Cookbook.

    I like those for easy and friendly CLI interfaces and for freedom these give me to adjust my tests to my findings in cyber threat arena.

    #74005

    jadenturner
    Participant

    Thank you I will add it to my list. Please connect with me on LinkedIn as well

    #74051

    jadenturner
    Participant

    I forgot a few:
    Netsparker Free Edition
    WebSecurify
    N-Stalker Free Edition
    Skipfish
    Grabber
    WAPITI
    W3af
    Ratproxy

    #74507

    techmatt
    Participant

    That’s great info, I had never heard of most of them! Learn something new every day!

    #74779

    Scofield
    Participant

    Helpful

    #76004

    iulianbrinzoi
    Participant

    Try Kali!

    #76254

    jadenturner
    Participant
    #77089

    cybermo
    Participant

    Very useful.

    #77496

    jadenturner
    Participant

    Thanks!

    #78102

    toxicptr
    Participant

    Also try The Samurai Web Testing Framework (http://samurai.inguardians.com/). It’s a distro dedicated to webapp security.

    #78144

    cybermo
    Participant

    Tks

    #78798

    MD Khurshid Alam
    Participant

    If you are a professional working for an organization as a pentester, and you want to use one of the web application security tools from your list and put it in your report, what do you think will happen: will it be accepted or fully rejected?

    #79173

    812teck
    Participant

    Thanks

    #84148

    ashutoshab
    Participant

    Thanks for the quick list, jadenturner, it will really help in the future.

    #84181

    uk2newbie
    Participant

    Thanks for the list – as that is indeed very comprehensive.

    #84640

    812teck
    Participant

    ParrotOS Security distro

    #84670

    h4shm0an
    Participant

    Thanks for this.

    #84921

    gfsm
    Participant

    Hi Jade,

    Interesting post, thanks for sharing! Gonna try some of them I never heard of before!

    #85084

    Vladimir Stefanovic
    Participant

    Thanks for sharing, very useful.
