Forum

website security tools

Hello, my name is Alfred. I'm new here and I found this forum on the internet.

By the way, how can I test the security of a website? Are there any tools that people commonly use to test it? If there are such tools, could anybody tell me their names? Thanks.

I read an article about website security here: http://cuit.columbia.edu/files/cuit/websecuritysoe.pdf

I really need those tools now. Can anybody help?


Replies

  • Hi,
    If you are looking for manual web application penetration testing, it's very important to identify the methodology.

    See Entersoft's methodology at Advanced Web Application Testing: https://entersoftsecurity.com/

    If you are looking for automated web app security, please check the following products.
    Detectify - Stay secure - Go hack yourself! https://detectify.com/
    Check your vulnerabilities on Enprobe https://enprobe.io/
    Vulnerability Threat Monitoring & Prioritization Platform
    ScanMyServer: Test the security of your website, web server or blog https://scanmyserver.com/

    Different products cover different threat matrices.

    Try the following tools if you have the capability to run a WAPT:
    • Acunetix
    • Burp
    Other tools are either difficult to configure or costly.
  • Hi Josh,

    If that helps, one manual way to analyse the security is to draw the Data Flow Diagram of the website and analyse at different levels what the breaks could be. Just look from a hacker's eye, after drawing the DFD, at how to break the website.

    ~Arsalan

  • Hi Josh. Sorry for the late reply, I just woke up. w3af? Okay, I will google it now. By the way, can w3af generate a report from the result of the scanner? Thanks. :)

  • Yes, dynamic analysis would allow you to check for SQL Injection and XSS.  Not sure what etc would entail, but probably some etc too.  ;-)  w3af was a project to build a free dynamic application scanner and it was bought by Rapid7.  I believe it's still free, but there's no telling where it will go from here.

  • Hi Josh. Does dynamic analysis allow me to check for SQL injection, XSS, and so on? Is w3af a tool to check the security of a website? I think I don't need static analysis because I'm not allowed to see the source code.

  • Alfred, welcome to OWASP!  There are many different ways to test the security of a website, but it typically breaks down into two categories: 1) Static Analysis and 2) Dynamic Analysis. 

    Static analysis assumes that you have access to the source code and are able to analyze it directly for vulnerabilities at the code level.  There are a few freebie solutions for source code analysis, but they're mostly focused around coding bugs and not specifically security vulnerabilities.  Check out FindBugs or PMD for that.  There are a bunch of companies that provide good, non-free tools for static analysis as well.  I'm not going to name names in a public forum as inevitably someone will call me out on forgetting something, but I'm happy to take that conversation offline.

    Dynamic analysis has to do with interacting with the actual running site and looking for vulnerabilities that way.  It could be through some sort of proxy tool (WebScarab, BurpSuite, RatProxy, ZAP) where you manually interact with the portion of the site you are concerned about or through some sort of automated scanning tool that does the interactions for you.  Plenty of paid tools out there for that, but where free tools are concerned, I'd check out w3af.  One thing to note is that none of these tools will find business logic types of vulnerabilities.  By nature, they really only deal with things that can be found by making a request and analyzing the response back.

    Good luck!
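As an added illustration of the two categories described in this answer (example code written here, not code from the thread or from any of the tools named): a static check that flags SQL statements built by string concatenation in source, and a dynamic-style check that tells whether a probe value sent in a request comes back unescaped in the response body. The sample source and the two response bodies are constructed for the example.

```python
import html
import re

# Constructed sample application source (hypothetical), not from the thread.
SAMPLE_SOURCE = '''
def find_user(db, name):
    cursor = db.cursor()
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cursor.fetchone()

def count_users(db):
    return db.cursor().execute("SELECT COUNT(*) FROM users").fetchone()
'''

# Static check: a SQL keyword on a line where a string literal is immediately
# joined to data with '+', '%' or .format( . Deliberately shallow, as the
# answer notes free static tools tend to be; it finds the pattern, not the bug.
SQL_CONCAT = re.compile(
    r'''(?i)\b(select|insert|update|delete)\b[^\n]*["']\s*(\+|%|\.format\()'''
)


def static_sql_findings(source: str) -> list:
    """Return (line_number, stripped_line) for each suspicious SQL line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SQL_CONCAT.search(line):
            findings.append((lineno, line.strip()))
    return findings


# Dynamic check: the scanner only sees the request it sent and the response it
# got back. A probe containing HTML metacharacters that is echoed verbatim is
# the signal a scanner reports before it ever claims reflected XSS.
PROBE = '<xss"probe>'
SAFE_RESPONSE = "<p>Results for " + html.escape(PROBE, quote=True) + "</p>"
UNSAFE_RESPONSE = "<p>Results for " + PROBE + "</p>"   # constructed, unescaped


def reflected_unescaped(probe: str, response_body: str) -> bool:
    """True when the probe appears in the body exactly as sent (not escaped)."""
    return probe in response_body


if __name__ == "__main__":
    for lineno, line in static_sql_findings(SAMPLE_SOURCE):
        print(f"static: line {lineno}: {line}")
    print("dynamic (safe page):  ", reflected_unescaped(PROBE, SAFE_RESPONSE))
    print("dynamic (unsafe page):", reflected_unescaped(PROBE, UNSAFE_RESPONSE))
```

Neither check finds business logic flaws, which matches the answer's caveat: both only look at text patterns, one in the code and one in the response.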
