Websites are getting more complex every day, and almost no purely static websites are being built any more.

Today even the simplest website has at least a contact or newsletter form, and many are built on CMS systems or use third-party plugins, services, etc. over which we have no exact control.

Even if a website is 100% hand-coded and we trust what we created and think it is safe, it is still possible that a special character is not sanitized or that we are not aware of a new attack technique.

So it is really hard to say "my website is safe" without running tests against it. The good part is that there are powerful and free web application security testing tools which can help you identify possible holes.

Before presenting them, let's recall the classic: "something is only as secure as its weakest link" (which also tells us that the weak point is not always the application; it can still be the server it is hosted on or that easy-to-remember FTP password).

Netsparker Community Edition (Windows)

This is the free community edition of the powerful Netsparker scanner, which still comes with a good set of features and is also false-positive-free.

The application can detect SQL injection and cross-site scripting issues.

Once a scan is complete, it displays the solutions alongside the issues and lets you see the browser view and the HTTP request/response.

Websecurify (Windows, Linux, Mac OS X)

Websecurify is a very easy-to-use and open source tool which automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies.

Once it has run, it can create simple reports that can be exported into multiple formats.

The tool is also multilingual and extensible through add-on support.

Wapiti (Windows, Linux, Mac OS X)

Wapiti is an open source, web-based tool that scans the pages of deployed web applications, looking for scripts and forms where it can inject data.

It is built with Python and can detect:

  • File handling errors (local and remote include/require, fopen, readfile…)
  • Database, XSS, LDAP and CRLF injections (HTTP response splitting, session fixation…)
  • Command execution (eval(), system(), passthru()…)

N-Stalker Free Version (Windows)

Compared to the paid versions of the application, the free edition performs a restricted yet still powerful set of web security assessment checks.

It can check up to 100 web pages at once, including web server and cross-site scripting checks.

skipfish (Windows, Linux, Mac OS X)

skipfish is a fully automated and active web application security reconnaissance tool.

It is lightweight and pretty fast (can perform 2000 requests/second).

The application has automatic learning capabilities, on-the-fly wordlist creation and form autocompletion.

skipfish comes with low false-positive, differential security checks which are capable of spotting a range of subtle flaws, including blind injection vectors.

Scrawlr (Windows)

Scrawlr is a free tool for scanning your web applications for SQL injection vulnerabilities.

It is developed by HP Web Security Research Group in coordination with Microsoft Security Response Center.

Watcher (Windows)

It is a plugin for Fiddler (the awesome HTTP debugging proxy) and works as a passive-analysis tool for HTTP-based web applications.

Watcher runs silently in the background and inspects the web application's traffic to apply 30+ tests (new ones can be added) while you browse.

It will identify issues like cross-domain form POSTs, dangerous context switching between HTTP and HTTPS, etc.
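To make concrete what a passive check of this kind looks at, here is an added example in Python (my own code, not Watcher's) that reads one response and flags forms that POST to another host or that drop from HTTPS to HTTP; the page URL and HTML are constructed samples:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record the (method, action) of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)  # attribute names arrive lowercased
            self.forms.append((a.get("method", "get").lower(), a.get("action", "")))


def passive_form_checks(page_url: str, body: str) -> list:
    """Watcher-style passive checks on one response: flag forms that POST
    to another host and forms that drop from HTTPS to HTTP. The response is
    only read, never replayed or modified."""
    page = urlsplit(page_url)
    collector = FormCollector()
    collector.feed(body)
    findings = []
    for method, action in collector.forms:
        target = urlsplit(urljoin(page_url, action))  # resolve relative actions
        if method == "post" and target.netloc != page.netloc:
            findings.append(f"cross-domain POST to {target.netloc}")
        if page.scheme == "https" and target.scheme == "http":
            findings.append(f"HTTPS page submits form over HTTP to {target.netloc}")
    return findings


# Constructed sample: a fictional HTTPS checkout page (not a real site).
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_BODY = """
<form method="post" action="/cart/update"><input name="qty"></form>
<form method="POST" action="https://pay.example/submit"><input name="card"></form>
<form method="post" action="http://shop.example/legacy/login"><input name="pw"></form>
<form action="https://search.example/q"><input name="q"></form>
"""

if __name__ == "__main__":
    for finding in passive_form_checks(SAMPLE_URL, SAMPLE_BODY):
        print(finding)
```

The same-origin POST and the cross-domain GET in the sample produce no finding; only the third-party POST and the HTTPS-to-HTTP form are reported.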

x5s (Windows)

x5s is, like Watcher, a plugin for Fiddler; it is designed to find encoding and character-transformation issues that can lead to XSS vulnerabilities.

It simply tests user-controlled input with special characters like <, >, and ' and reviews how the output encodes them.
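The core of that check, as an added example in Python (my own code, not x5s's): a canary string is wrapped around each probed character, and the response is then classified by how the character came back. The canary, the verdict names and the sample responses are my own assumptions.

```python
import html
from urllib.parse import quote

# Unique canary wrapped around the probed character so its echo can be located.
CANARY = "x5sprobe"
# Verdicts from worst to best; one raw echo outranks any safe ones.
SEVERITY = ["raw", "transformed", "url", "html", "missing"]


def build_probe(ch: str) -> str:
    """Value to submit in the parameter under test, e.g. x5sprobe<x5sprobe."""
    return f"{CANARY}{ch}{CANARY}"


def classify_reflection(ch: str, body: str) -> str:
    """Classify how the page echoed the probed character:
    raw          verbatim (exploitable in an HTML context)
    html         as an entity such as &lt; or &#39; (safe in HTML text/attributes)
    url          percent-encoded such as %3C (safe only inside a URL)
    transformed  something else, e.g. a backslash-escaped quote (review by hand)
    missing      stripped or not reflected at all"""
    seen = set()
    start = body.find(CANARY)
    while start != -1:
        end = body.find(CANARY, start + len(CANARY))
        if end == -1:
            break
        between = body[start + len(CANARY):end]
        if between == ch:
            seen.add("raw")
        elif html.unescape(between) == ch:
            seen.add("html")
        elif between == quote(ch, safe=""):
            seen.add("url")
        elif between:
            seen.add("transformed")
        start = body.find(CANARY, end + len(CANARY))
    return next((v for v in SEVERITY if v in seen), "missing")


# Constructed sample responses, one per probe, from a fictional search page.
SAMPLE_RESPONSES = {
    "<": "<p>Results for: x5sprobe&lt;x5sprobe</p>",
    ">": "<a href='/q?term=x5sprobe%3Ex5sprobe'>next</a>",
    "'": "<input value='x5sprobe'x5sprobe'>",
    '"': "<p>Results for: x5sprobex5sprobe</p>",
}


def scan(responses: dict) -> dict:
    """Map each probed character to its verdict for the response it produced."""
    return {ch: classify_reflection(ch, body) for ch, body in responses.items()}
```

On the sample, only the single quote comes back raw (inside a quoted attribute), which is the kind of finding the plugin highlights.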

Exploit-Me (Windows, Linux, Mac OS X)

Rather than using a proxy like most of the security testing tools, Exploit-Me directly integrates into Firefox.

It is a set of 3 add-ons:

  • XSS-Me: for testing reflected XSS vulnerabilities
  • SQL Inject Me: for testing SQL injection vulnerabilities
  • Access-Me: for testing access vulnerabilities

They are all lightweight, work while you browse websites, and simply inform you by adding extra styles to the objects with vulnerabilities.

WebScarab (Windows, Linux, Mac OS X)

WebScarab is primarily a proxy for intercepting and manipulating HTTP(S) traffic.

However, it also comes with features like a "parameter fuzzer" (for testing XSS and SQL injection vulnerabilities), "CRLF injection" (HTTP response splitting) and more.

Acunetix Free Version (Windows)

This is the free, limited-feature version of a paid/pro product.

It performs a check on any website and identifies cross-site scripting (XSS) vulnerabilities.

And if you are looking to improve yourself in the area of web application security and need an application you can legally practice on, there is DVWA (Damn Vulnerable Web App), which exists for just this purpose.
