Day after day websites are getting more and more complexed. Today static websites are not as popular as they were previously. The simplest produced website contains at least a contact form, newsletter form and some other features. Mostly all websites are built using the CMS or any other third-party application, plugin or service.
Even though when a website is hand-coded, you can trust what you’ve created, though it is possible that a special character is not sanitized or you are not aware of new attacking techniques. That is why it’s not right to say that your website is completely safe without providing any tests considering its vulnerability.
We have good news for you there are numerous trustworthy applications that will help you test your website security, and check if there are any holes in your website. Feel free to use one (or several) of these apps for your website’s sake.
***
Netsparker is a free application which comes with a bunch of useful for your website security features. The application can detect SQL Injection + cross-site scripting issues. When the scan is complete Netsparker displays the solutions besides the issues and enables you to see the browser view and an HTTP request/response.
***
Websecurify (Windows, Linux, Mac OS X)
Websecurify is an open source tool which automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies. It can create simple reports that can be exported into multiple formats. Websecurify is a multilingual tool and can be extensible with the add-on support.
***
Wapiti for Windows, Linux and Mac OS X
Wapiti is an open source and web-based tool that scans web pages of the deployed web applications and looks for scripts and forms where it can inject data. It is built with Python and can detect following errors:
- file handling errors;
- database, XSS, LDAP and CRLF injections;
- command execution detection.
***
The free edition performs restricted and powerful set of web security assessment checks compared to the paid versions of the application. It can check up to 100 web pages at once including web server and cross-site scripting checks.
***
Skipfish is a fully automated and active web application security reconnaissance tool. It is lightweight and pretty fast (can perform 2000 requests/second). The application has automatic learning capabilities, on-the-fly wordlist creation and form auto completion. Skipfish comes with low false positive, differential security checks which are capable to spot a range of subtle flaws, including blind injection vectors.
***
Scrawlr is a free software for scanning SQL injection vulnerabilities on your web applications. It is developed by HP Web Security Research Group in coordination with Microsoft Security Response Center.
***
Watcher
Watcher is a plugin for Fiddler, HTTP debugging proxy, it works as a passive-analysis tool for HTTP-based web applications. Watcher runs silently in the background and interacts with web-application to apply 30+ tests (where new ones can be added) while you browse. It identifies issues like cross-domain form POSTs, dangerous context-switching between HTTP and HTTPS, etc.
***
x5s
x5s is one more plugin for Fiddler which is designed to find encoding and character transformation issues that can lead to XSS vulnerability. It simply tests user-controlled input using special characters like <, >, ', and reviews how the output encodes the special characters.
***
Exploit-Me
Rather than using a proxy like most of the security testing tools, Exploit-Me directly integrates into Firefox.
It is a set of 3 add-ons:
- XSS-Me: for testing reflected XSS vulnerabilities;
- SQL Inject Me: for testing SQL injection vulnerabilities;
- Access-Me: for testing access vulnerabilities.
They are all lightweight, work while you browse websites and simply inform you by adding extra styles to the objects with vulnerabilities.
***
WebScarab is a proxy to sniff the HTTP(s) traffic and manipulate it. However, it comes with features like "parameter fuzzer (for testing XSS and SQL injection vulnerabilities), or "CRLF injection (HTTP response splitting)" and even more.
***
This is the free and limited-featured version of a paid/pro product. It performs a check on any website and identifies cross site scripting (XSS) vulnerabilities.
***
After using these tools do not forget to share your opinion considering their usability and functionality, either share some other tools you may find more useful.