Websites are getting more and more complex everyday and there are almost no static websites being built.

Today, the simplest website has at least a contact or newsletter form and many are built with CMS systems or it may be using 3rd party plugins, services, etc. that we don't have an exact control over.

Even if the website is 100% hand-coded, we trust what we created and think that it is safe, it is still possible that a special character is not sanitized or we are not aware of a new attacking technique.

So, it is really hard to say "my website is safe" without running tests over it. The good part is there are powerful and free web application security testing tools which can help you to identify any possible holes.

Before presenting them, let's remind the classic: "something can be secure as only as its weakest link" (which also tells us that it is not always the application and can still be the server it is hosted or that easy to remember FTP password).

Netsparker Community Edition (Windows)

This is the free-community edition of the powerful Netsparker which still comes with a bunch of features and also false-positive-free.

The application can detect SQL Injection + cross-site scripting issues.

Once a scan is complete, it displays the solutions besides the issues and enables you to see the browser view and HTTP request/response.

Websecurify (Windows, Linux, Mac OS X)

Websecurify is a very easy-to-use and open source tool which automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies.

It can create simple reports (that can be exported into multiple formats) once ran.

The tool is also multilingual and extensible with the add-on support.

Wapiti (Windows, Linux, Mac OS X)

Wapiti is an open source and web-based tool that scans the web pages of the deployed web applications, looking for scripts and forms where it can inject data.

It is built with Python and can detect:

  • File handling errors (Local and remote include/require, fopen, readfile…)
  • Database, XSS, LDAP and CRLF injections (HTTP response splitting, session fixation…)
  • Command execution detection (eval(), system(), passtru()…)

N-Stalker Free Version (Windows)

The free edition performs restricted-yet-still-powerful set of web security assessment checks compared to the paid versions of the application.

It can check up to 100 web pages at once including web server and cross-site scripting checks.

skipfish (Windows, Linux, Mac OS X)

skipfish is a fully automated and active web application security reconnaissance tool.

It is lightweight and pretty fast (can perform 2000 requests/second).

The application has automatic learning capabilities, on-the-fly wordlist creation and form autocompletion.

skipfish comes with low false positive, differential security checks which are capable of spotting a range of subtle flaws, including blind injection vectors.

Scrawlr (Windows)

Scrawlr is a free software for scanning SQL injection vulnerabilities on your web applications.

It is developed by HP Web Security Research Group in coordination with Microsoft Security Response Center.

Watcher (Windows)

It is a plugin for Fiddler (the awesome HTTP debugging proxy) and works as a passive-analysis tool for HTTP-based web applications.

Watcher runs silently in the background and interact with the web-application to apply 30+ tests (where new ones can be added) while you browse.

It will identify issues like cross-domain form POSTs, dangerous context-switching between HTTP and HTTPS, etc.

x5s (Windows)

x5s is again a plugin for Fiddler just like Watcher which is designed to find encoding and character transformation issues that can lead to XSS vulnerability.

It simply tests user-controlled input using special characters like <, >, ', and reviews how the output encodes the special characters.

Exploit-Me (Windows, Linux, Mac OS X)

Rather than using a proxy like most of the security testing tools, Exploit-Me directly integrates into Firefox.

It is a set of 3 add-ons:

  • XSS-Me: for testing reflected XSS vulnerabilities
  • SQL Inject Me: for testing SQL injection vulnerabilities
  • Access-Me: for testing access vulnerabilities

They are all lightweight , work while you browse websites and simply inform you by adding extra styles to the objects with vulnerabilities

WebScarab (Windows, Linux, Mac OS X)

WebScarab is actually a proxy to sniff the HTTP(s) traffic and manipulate it.

However, it comes with features like "parameter fuzzer (for testing XSS and SQL injection vulnerabilities), or "CRLF injection (HTTP response splitting)" and more.

Acunetix Free Version (Windows)

This is the free and limited-featured version of a paid/pro product.

It performs a check on any website and identifies cross site scripting (XSS) vulnerabilities.

And, if you are looking to improve yourself in the area of web application security and need to play with an application legally, there is DVWA (damn vulnerable web app.) which is there for just this purpose.

十个免费的web应用安全检测工具的更多相关文章

  1. 十个免费的Web压力测试工具

    两天,jnj在本站发布了<如何在低速率网络中测试 Web 应用>,那是测试网络不好的情况.而下面是十个免费的可以用来进行Web的负载/压力测试的工具,这样,你就可以知道你的服务器以及你的W ...

  2. 十个免费的 Web 压力测试工具

    本文列举了是十个免费工具,可以用来进行Web的负载/压力测试的.这样你就可以知道你的服务器以及你的WEB应用能够扛得住多少的并发量,以及网站性能. 0. Grinder –  Grinder是一个开源 ...

  3. Brackets 1.8 开源+免费的Web前端网页文本编辑工具

    Brackets 1.8 开源+免费的Web网页文本编辑工具   -------------->> ---------------------- A modern, open source ...

  4. VOOKI:一款免费的Web应用漏洞扫描工具

    Vooki是一款免费且用户界面友好的Web应用漏扫工具,它可以轻松地为你扫描任何Web应用并查找漏洞.Vooki主要包括三个部分,Web应用扫描器,Rest API扫描器以及报告.Web应用扫描器​V ...

  5. Cocos开发中性能优化工具介绍之Visual Studio内存泄漏检测工具——Visual Leak Detector

    那么在Windows下有什么好的内存泄漏检测工具呢?微软提供Visual Studio开发工具本身没有什么太好的内存泄漏检测功能,我们可以使用第三方工具Visual Leak Detector(以下简 ...

  6. 常用的商业级和免费开源Web漏洞扫描工具

    Scanv 国内著名的商业级在线漏洞扫描.可以长期关注,经常会有免费活动.SCANV具备自动探测发现无主资产.僵尸资产的功能,并对资产进行全生命周期的管理.主动进行网络主机探测.端口探测扫描,硬件特性 ...

  7. 网络设备Web登录检测工具device-phamer

    网络设备Web登录检测工具device-phamer   为了便于管理和维护,大部分网络都提供了Web管理接口.Kali Linux提供了一款专用检测工具device-phamer.该工具可以批量检测 ...

  8. web端安全测试工具

    https://www.cnblogs.com/ios9/p/7692373.html 十大web安全扫描工具 扫描程序可以在帮助造我们造就安全的Web 站点上助一臂之力,也就是说在黑客“黑”你之前, ...

  9. Metasploit是一款开源的安全漏洞检测工具,

    Metasploit是一款开源的安全漏洞检测工具,可以帮助安全和IT专业人士识别安全性问题,验证漏洞的缓解措施,并管理专家驱动的安全性进行评估,适合于需要核实漏洞的安全专家,同时也适合于强大进攻能力的 ...

随机推荐

  1. select中文字垂直居中解决办法

    我们知道select标签在各个浏览器中的属性和各浏览器的支持各有些不同,从而造成select选择框在各浏览器的显示有不同,下面我们通过对主要 外形CSS属性的支持,打造全兼容select. 我对sel ...

  2. 谈谈__proto__和prototype的区别

    我想javascript中的原型链一直想很多初学javascript的同学感到非常的困惑,今天看了一些文章,结合自己的理解,把原型链这个东西从新来整理一下,如有不对之处,望大家帮忙指出. 首先,我们应 ...

  3. tftp服务器简单安装配置

    tftp服务器最简单安装配置 1.安装tftp-server sudo apt-get install tftpd-hpa sudo apt-get install tftp-hpa(如果不需要客户端 ...

  4. git clone出现的error: The requested URL returned error: 401 Unauthorized

    error: The requested URL returned error: 401 Unauthorized while accessing https://git.oschina.net/.. ...

  5. 利用box-shadow实现伪边框透明到图片

    前阵子突然看到了一个效果,一张图片,有一个边框,但是边框可以透明到图片.直接上图 贴代码 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Tr ...

  6. AndroidStudio非法字符: '\ufeff'解决

    一. 问题解决办法 在昨天,帮助同学把他的Android项目从eclipse迁移到Android Studio上面的时候,编译时,Android Studio报了一个错误, ***.java Erro ...

  7. vim的使用与配置

    vim的简单使用 Content 三种模式 光标移动 查找与替换 删除.复制和粘贴 命令行 块选择 多文件编辑 多窗口显示 中文编码问题 语系转换和 三种模式 vim可以分为一般模式.编辑模式和命令行 ...

  8. 【JavaScript】JS 中 原始字符串 和 HTML 字符转换

    参考资料:http://www.sjyhome.com/javascript/js-html-escape.html JS转换HTML转义符 SJY • 发表于:2013年10月05日 17:04 • ...

  9. excel链接sharepoint 用于 Excel 的 Microsoft Power Query

    https://www.microsoft.com/zh-cn/download/confirmation.aspx?id=39379

  10. DevExpress 关于alertControl 图片显示

    private void button1_Click(object sender, EventArgs e) { AlertInfo info = new AlertInfo("Captio ...