Penetration Testing Tools

We have hundreds of sites that were developed in ASP, .NET and Java, and we spend a lot of money on an external agency to penetration test our sites to check for security loopholes. Is there any (good) software (paid or free) for this?

Or, are there any technical articles that can help me develop such a tool?

+43
security sql sql-injection
Sep 16 '08 at 13:29
13 answers

There are several different directions that you can use with automated testing tools for web applications.

First, there are commercial web scanners, among which the most popular are HP WebInspect and Rational AppScan. These are all-in-one, fire-and-forget tools that you download and install on an internal Windows desktop; you then give them the URL of your site to spider, scanning for known vulnerabilities (i.e., things that hit Bugtraq) and probing for cross-site scripting and SQL injection vulnerabilities.

Secondly, there are source code scanning tools, of which Coverity and Fortify are probably the two best known. These are tools that you install on the developer's desktop to process your Java or C# source code and look for known patterns of unsafe code, such as poor input validation.

Finally, there are penetration testing tools. The most popular application penetration testing tool among security professionals is Burp Suite, which you can find at http://www.portswigger.net/proxy . Others include Spike Proxy and OWASP WebScarab. Again, you install it on an internal Windows desktop. It acts as an HTTP proxy, and you point your browser at it. You then use your applications as a regular user while it logs your actions. You can then go back to each individual page or HTTP action and examine it for security issues.

In a complex environment, and especially if you are considering DIY, I highly recommend penetration testing tools. Here's why:

Commercial web scanners provide a lot of breadth, as well as excellent reporting. However:

  • They tend to skip things because every application is different.

  • They are expensive (WebInspect starts at 10,000).

  • You pay for things you don’t need (for example, databases of known bad CGIs from the 90s).

  • They are hard to set up.

  • They can create noisy results.

Source code scanners are more thorough than web scanners. However:

  • They are even more expensive than web scanners.

  • They need the source code.

  • To be effective, they often require you to annotate the source code (for example, to mark input paths).

  • They have a tendency to create false positives.

Both commercial web scanners and source code scanners have a bad habit of becoming shelfware. Worse, even if they work, their cost is comparable to getting 1 or 2 whole applications verified by a consultant; if you trust your consultants, you are guaranteed to get better results from them than from tools.

Penetration testing tools also have disadvantages:

  • They are much more difficult to use than fire-and-forget commercial scanners.

  • They imply some experience in web application vulnerabilities - you should know what you are looking for.

  • They produce little or no formal reporting.

On the other hand:

  • They are much, much cheaper --- the best of the bunch, Burp Suite, costs only 99EU and has a free version.

  • They are easy to configure and add to the testing workflow.

  • They help you much better “know” your applications from the inside.

Here's what you can do with a pen test tool for a basic web application:

  • Log in to the application through a proxy

  • Create a hit list of the main functional areas of the application and exercise each one.

  • Use the spider tool in your pen test application to find all the pages and actions and handlers in the application.

  • For each dynamic page and each HTML form that the spider uncovers, use the "fuzzer" tool (Burp calls it the "intruder") to exercise each parameter with invalid inputs. Most fuzzers come with basic test strings, which include:

    • SQL metacharacters

    • HTML / Javascript Expressions and Metacharacters

    • Internationalized variants of these for evading input filters

    • Known default form field names and values

    • Known directory names, file names, and handler verbs

  • Spend several hours sifting through your errors (a typical fuzz run for one form can generate 1000 of them) looking for suspicious responses.

This is a time-consuming, "bare metal" approach. But when your company owns real applications, the "bare metal" approach pays off because you can use it to create sets of regression tests that will run like clockwork in each dev cycle for each application. This is a win for a number of reasons:

  • Security testing will take a predictable amount of time and resources for each application, which allows you to plan and prioritize.

  • Your team will get the most accurate and complete results, as your testing will be tuned to your applications.

  • It will cost less than commercial scanners and less than consultants.

Of course, if you go this route, you basically turn into a security consultant for your company. I do not think this is bad. If you do not want that expertise, WebInspect or Fortify will not help you in any way.

+64
Sep 16 '08 at 16:56
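The "sift through your fuzz results" step and the regression-suite idea from the answer above, as an added illustration that is not code from the answer or from Burp: it classifies captured responses for the suspicious signs the answer names (server errors, leaked SQL error text, input reflected without HTML encoding) and fails when a finding is not in an accepted baseline. The sample responses are constructed; in practice they would come from the proxy's fuzzer log.

```python
import html
import re

# Constructed sample responses keyed by the fuzz string that was sent.
# (status code, response body) pairs; not captured from any real site.
SAMPLE_RESPONSES = {
    "'": (500, "You have an error in your SQL syntax; check the manual"),
    "<b>x</b>": (200, "<p>Results for &lt;b&gt;x&lt;/b&gt;</p>"),
    '"><s>': (200, '<input value=""><s>">'),
    "normal": (200, "<p>Results for normal</p>"),
}

# Database error text that should never reach an end user.
SQL_ERROR_SIGNS = re.compile(
    r"error in your SQL syntax|unclosed quotation mark|ORA-\d{5}|SQLException",
    re.I,
)


def triage(sent, status, body):
    """Classify one response to a fuzzed parameter.

    Returns a list of tags; an empty list means nothing suspicious."""
    tags = []
    if status >= 500:
        tags.append("server-error")
    if SQL_ERROR_SIGNS.search(body):
        tags.append("sql-error-leak")
    # Input with HTML metacharacters came back verbatim: the page is not
    # encoding it, which is the classic precondition for XSS.
    if html.escape(sent, quote=True) != sent and sent in body:
        tags.append("unencoded-reflection")
    return tags


def run_regression(responses, baseline=frozenset()):
    """Regression gate: any (input, tag) pair not in baseline fails the run."""
    findings = set()
    for sent, (status, body) in responses.items():
        for tag in triage(sent, status, body):
            findings.add((sent, tag))
    return sorted(findings - baseline)


if __name__ == "__main__":
    for sent, tag in run_regression(SAMPLE_RESPONSES):
        print(f"{tag:22} on input {sent!r}")
```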

I know that you specifically asked about tools for pentesting, but since that has been answered enough (usually I use a combination of AppScan and a trained pentester), I think it's important to note that pentesting is not the only way to "check for security loopholes", and often not the most effective.

Source code analysis tools can provide you with much better visibility in your code base and find many drawbacks that pentesting will not.

These include Fortify and OunceLabs (expensive, for many languages), VisualStudio.NET CodeAnalysis (for .NET and C++, free with VSTS, decent but not great), OWASP LAPSE for Java (free, decent, not great), CheckMarx (not cheap, a fanTASTic tool for .NET and Java, but high overhead) and many others.

An important point that you should note: (most) automated tools do not detect all vulnerabilities, not even close. You can expect automated tools to find about 35-40% of the vulnerabilities that a professional pentester can find; the same goes for automated versus manual source code review.

And, of course, the right SDLC (security development life cycle), including threat modeling, design review, etc., will help even more...

+4
Sep 16 '08 at 17:13

You may consider Chorizo.

+2
Sep 16 '08 at 13:31

I heard good things about SPI Dynamics WebInspect for paid solutions, as well as Nikto (for a free solution) and other open source tools. Nessus is a great infrastructure tool if you need to test that layer. You can pick up a live CD with several tools on it called nUbuntu (or Auditor, Helix or any other security-based distribution), and then Google some tutorials for a specific tool. However, always test them on the local network. You run the risk of being blocked by a data center if you scan a box from the WAN without permission. Lesson learned the hard way. ;)

+1
Sep 16 '08 at 13:41

Skipfish, w3af, arachni, ratproxy, ZAP, WebScarab: all free and very good IMO

+1
May 04 '11 at 8:46

http://www.nessus.org/nessus/ - Nessus will help suggest ways to improve your servers. It cannot really test your own applications by itself, although I think plugins are relatively easy to create on your own.

0
Sep 16 '08 at 13:45

Take a look at Rational AppScan (commonly called Watchfire). It is not free, but it has a nice user interface, it is powerful, it generates reports (custom ones and against standard compliance frameworks such as Basel2), and I believe that you can script it into the CI build.

0
Sep 16 '08 at 13:47

What about Nikto?

0
Nov 18 '08 at 9:58

For this type of testing, you really want to look at some type of fuzz tester. SPIKE Proxy is one of several fuzz testers for web applications. It is open source and written in Python. I believe there are some videos from BlackHat or DefCON on using SPIKE somewhere out there, but I'm having trouble finding them.

There are several professional high-end software packages that will test web applications and much more. One of the most popular tools will be CoreImpact.

If you plan on doing your own pen testing, I highly recommend that you read most of the OWASP Project Documentation, in particular the OWASP Testing Guide. The skill required to thoroughly test your application is slightly different from your normal development mindset (not that it MUST be different, but usually it is).

0
Oct 18 '09 at 8:47

What about ratproxy?

A semi-automated, largely passive web application security audit tool, optimized for accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on observation of existing, user-initiated traffic in complex web 2.0 environments.

Detects and prioritizes broad classes of security issues, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

0
Jan 27 '10 at 8:20

I know that you specifically asked about tools for pentesting, but since that has been answered enough (usually I use a combination of AppScan and a trained pentester), I think it's important to note that pentesting is not the only way to "check for security loopholes", and often is not the most effective.

A source code analysis tool can give you much better visibility into your code base and find many flaws that pentesting cannot.

These include Fortify and OunceLabs (expensive, for many languages), VisualStudio.NET CodeAnalysis (for .NET and C++, free with VSTS, decent but not great), OWASP LAPSE for Java (free, decent, not great), CheckMarx (not cheap, a fanTASTic tool for .NET and Java, but high overhead) and many others.

An important point that you should note: (most) automated tools do not detect all vulnerabilities, not even close. You can expect automated tools to find about 35-40% of the vulnerabilities that a professional pentester can find; the same goes for automated versus manual source code review.

And, of course, the right SDLC (security development life cycle), including threat modeling, design review, etc., will help even more...

0
Aug 13 '10 at 4:53
