Best tools to check website security

Website security is a complex beast. To do a comprehensive vulnerability assessment you need the right software, experience, patience and sometimes luck. We will provide some guidance on selecting the best tools to check website security.

Whenever you approach a new website, or just want to test your own, the first step is usually to scan it with your favorite security tool(s). Of course, if you’re not familiar with the website, the very first thing should simply be to browse it: get the look and feel, analyze its structure and gather as much data as possible.

There are a bunch of security scanning tools available – ranging from very expensive to free, from full-featured to very specialized. A previous blog post provides some hints on whether an expensive security testing tool is a good idea. Here we will show what software we use and provide some guidance on choosing the right tools for your job.

Here is our quick top seven list:

1) W3af

A full-featured and actively maintained framework which can be used both for auditing and for exploitation. It is an extremely popular, powerful, flexible and easy-to-use framework for finding and exploiting web application vulnerabilities, with dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit.

2) BurpSuite Pro

Burp Suite is an integrated platform for attacking web applications. It contains many tools, all of which share the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility.

It’s an indispensable tool for performing web application assessments. You can read web traffic and then manipulate it as much as you desire. There is a limited free version.

3) Websecurify

An easy-to-use tool that shows great potential. With Websecurify you can do both automatic and manual vulnerability testing.

4) ZAP

The Zed Attack Proxy (ZAP) is an OWASP project designed to be used by people with a wide range of security experience; as such it is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

5) SkipFish

Skipfish is an active web application security reconnaissance tool. It’s an excellent tool for an automated initial quick assessment of a website. Written in C, it is incredibly fast and can generate and analyze thousands of requests per second.

Skipfish prepares an interactive sitemap of the targeted website by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report is meant to serve as a foundation for a professional web application security assessment.

6) Wapiti

A tool written in Python that scans the pages of a web app, looking for scripts and forms where it can inject data. Once it has this list, Wapiti acts like a fuzzer, injecting payloads to see whether a script is vulnerable.

7) Nikto

Nikto is a Perl script which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers. In this sense Nikto is a “signature-based” tool. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated.

Nikto won’t find all the bugs in your web app, but it will warn you about poorly configured web servers and will reveal other interesting things to poke at.

That’s all. Testing website security may look simple, but it’s always wise to play with the tools for some time to understand what you’re doing. The so-called “point-and-shoot” scanning method can definitely tell you something, but it won’t reveal all the vulnerabilities.

Web Application Scanners comparison – is more expensive always better

Tools – expensive or free?

Web application security scanners can cost from a hundred to tens of thousands of dollars. They can be free as well. There are many tools and apps that can be used in web application assessments, and it can be very hard to decide which one is right. Some are best used alongside a manual test, while others are designed for non-specialist IT staff as “black box” scanning tools. On top of that there are scripts and point-and-click tools that can be used to assess specific areas of web application security.

So when considering a specific scanner, first answer questions such as:

  • Do I need a comprehensive scanner for testing the whole web application, or just a scanner that is good at some specific area? This relates to another question: many scanners or one.
  • Am I going to play with setup, parameters and request manipulation, or do I need a simple, so-called point-and-click tool?
  • Will I use this scanner for actually exploiting the web application?
  • What kind of reporting do I want?
  • And finally: am I going to pay for it?

The best way to choose an appropriate scanner is to play with it. Then you see whether it fits your needs or not. After testing multiple scanners, tools and scripts you’ll gain experience and intuitively see what is good and what is not, what suits one situation and what suits another, etc.

Scanner comparison charts can also serve as a good point of reference. Tools are benchmarked on how well they detect (and in some cases exploit) security vulnerabilities. Scanners are usually compared on these points:

  1. How many vulnerabilities did they manage to detect on a specially crafted web application?
  2. How much manual input was required?
  3. False positive rate (the scanner reports a vulnerability that doesn’t actually exist)
  4. False negative rate (missed vulnerabilities) – the flip side of the first point.
  5. How much time did it take to scan the application?

Looking at some comparison charts, it’s clear that the most expensive scanners are not necessarily the best in all situations. As a rule of thumb, expensive scanners have many features, full scan coverage (in terms of types of vulnerabilities, scanning methods, etc.), a nice-looking user interface and great reports.

Free open-source web application scanners, on the other hand, are usually harder to configure, have a poorer GUI and lack good reporting capabilities. However, their vulnerability detection rate can be the same as, or even better than, that of their commercial counterparts.

Shay Chen has a great blog post where he compares 60 (!) commercial and open-source black box web application vulnerability scanners.

Looking at the comparison charts we can see that open-source tools show very good results. Indeed, some of them are at the top of the charts. As Mr. Chen concludes, “the distance between open source tools and commercial tools is not as big as it used to be”.

However, it was also noted that open-source tools tend to produce more false positives and to be relatively unstable compared to most commercial tools. Besides, open-source tools are usually more difficult to install and use, and still require fine-tuning in various areas.

So if your background is rather technical, you can use open-source tools with great success. However, if you don’t have much technical experience, don’t want to learn all the bits and pieces and prefer a decent user experience, stay on the safer side and use commercial products (some have free limited versions).

The good news is that if you have a limited budget and still want to do vulnerability assessments or pen-testing, you won’t be left alone. There is a wide variety of open-source tools that are no worse than their commercial alternatives – all you need is to put some more work into them. We’ll present some how-tos and recommendations regarding specific tools in future articles.

For better results it’s common to combine various tools, from both the commercial and the open-source side. One tool might be easier to use, another more accurate, a third faster. Mix everything and see what works and what doesn’t.
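The comparison points listed earlier (vulnerabilities detected, false positive rate, false negative rate) and the advice just above to combine tools can both be put into a small scorer: normalise each tool’s findings so that the same issue reported by two tools counts once, merge the reports, and score each tool and the combination against the vulnerabilities planted in a test application. This is an added example, not code from the original post or from any of the scanners it lists. The tool names, target paths and planted vulnerabilities are constructed sample data, and the false positive rate is computed here as the share of a tool’s reported findings that are not in the ground truth; manual-input effort and scan time are not derivable from a report and are left out.

```python
"""
Score web application scanners against a known-vulnerable test app.

Added example; tool names, paths and findings are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Finding:
    """One reported vulnerability, in a normalised form.

    Normalising (lower-cased type, trailing-slash-free lower-cased path,
    lower-cased parameter) is what lets two tools' reports be merged
    without counting the same issue twice.
    """
    vuln_type: str   # e.g. "xss", "sqli", "lfi"
    path: str        # URL path on the target, e.g. "/search"
    parameter: str   # HTTP parameter name, or "" for header/other


def normalise(vuln_type: str, path: str, parameter: str = "") -> Finding:
    clean_path = path.strip().lower().rstrip("/") or "/"
    return Finding(vuln_type.strip().lower(), clean_path, parameter.strip().lower())


# Constructed ground truth: vulnerabilities planted in the test application.
GROUND_TRUTH = frozenset([
    normalise("xss", "/search", "q"),
    normalise("sqli", "/login", "username"),
    normalise("lfi", "/download", "file"),
    normalise("xss", "/comment", "body"),
])

# Constructed reports from two hypothetical scanners ("tool_a", "tool_b").
REPORTS: Dict[str, list] = {
    "tool_a": [
        normalise("XSS", "/search/", "q"),          # same issue as tool_b's first
        normalise("sqli", "/login", "username"),
        normalise("xss", "/about", "lang"),         # false positive
    ],
    "tool_b": [
        normalise("xss", "/search", "q"),
        normalise("lfi", "/download", "file"),
        normalise("sqli", "/login", "password"),    # false positive
    ],
}


def score(findings: Iterable[Finding], truth: frozenset) -> dict:
    """Compare one set of findings with the planted vulnerabilities."""
    reported = set(findings)
    true_pos = reported & truth
    false_pos = reported - truth
    false_neg = truth - reported
    detection_rate = len(true_pos) / len(truth) if truth else 0.0
    # False positive rate: share of what the tool reported that is not real.
    fp_rate = len(false_pos) / len(reported) if reported else 0.0
    return {
        "detected": len(true_pos),
        "false_positives": len(false_pos),
        "false_negatives": len(false_neg),
        "detection_rate": detection_rate,
        "false_positive_rate": fp_rate,
        "false_negative_rate": 1.0 - detection_rate,
    }


def merge_reports(reports: Dict[str, list]) -> Set[Finding]:
    """Union of all tools' findings; duplicates collapse via Finding equality."""
    merged: Set[Finding] = set()
    for findings in reports.values():
        merged.update(findings)
    return merged


def compare(reports: Dict[str, list], truth: frozenset) -> Dict[str, dict]:
    """Score every tool on its own, plus the combined report."""
    results = {name: score(findings, truth) for name, findings in reports.items()}
    results["combined"] = score(merge_reports(reports), truth)
    return results


if __name__ == "__main__":
    for name, result in compare(REPORTS, GROUND_TRUTH).items():
        print(f"{name:9s} detected={result['detected']} "
              f"FP={result['false_positives']} FN={result['false_negatives']} "
              f"detection_rate={result['detection_rate']:.2f} "
              f"fp_rate={result['false_positive_rate']:.2f}")
```

On the constructed data each tool alone finds two of the four planted issues with one false positive, while the combined report finds three, which is exactly the effect the paragraph describes; the price is that the combination also carries both tools' false positives, so a merged report still needs manual triage.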

Good luck!