Hi,
Today i am going to list some free tools that will be very helpful for web application security testing and the great thing about these tools are they all are platform agnostic. This means they all will run on your system no matter what kind of operating system you use and will work with your web application no matter what web technologies your web app is build with. So let’s get set up your environment.
Installing Firefox
The Firefox web browser serves as the best web browser for with its extensible add-on architecture for security testing. Even if your application isn't specifically written for Firefox compatibility, you can use Firefox to test the behind the scenes, security-focused aspects.
Download: http://www.mozilla.com/en-US/firefox/
Installing Firefox Extensions
Firefox extensions provide a great deal of additional functionality. There are few extensions that comes as very helpful for web application testing.
View Source Chart
https://addons.mozilla.org/en-US/firefox/addon/655
Firebug
https://addons.mozilla.org/en-US/firefox/addon/1843
Tamper Data
https://addons.mozilla.org/en-US/firefox/addon/966
Edit Cookies
https://addons.mozilla.org/en-US/firefox/addon/4510
User Agent Switcher
https://addons.mozilla.org/en-US/firefox/addon/59
SwitchProxy
https://addons.mozilla.org/en-US/firefox/addon/125
Installing Firebug
Firebug is the Swiss army knife of web development and testing tools which lets you trace and tweak every line of HTML, JavaScript, and the Document Object Model (DOM). It'll report on behind the scenes AJAX requests, tell you the time it takes a page to load, and allow you to edit a web page in real time. The only thing it can't do is let you save your changes back to the server. Changes made in Firebug are not permanent. If you refresh the page, all changes will be lost. If you're executing a test that involves locally modifying HTML, JavaScript, or the DOM, be sure to copy and paste your changes into a separate file, or all evidence of your test will be lost.
Installing OWASP's WebScarab
WebScarab is a popular web proxy for testing web application security. Web proxies are vital for intercepting requests and responses between your browser and the server. i.e you can view the request and response between your browser and the application server using WebScarab proxy.
You'll need a recent version of the Java Runtime Environment to run WebScarab on your system.
To start WebScarab via the Java Web Start version
Go to http://dawes.za.net/rogan/webscarab/WebScarab.jnlp.
To obtain the standalone version, browse to the WebScarab project at SourceForge:
http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823.
The links just mentioned are both available from the WebScarab project page, in the download section:
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project.
Installing Perl and Packages on Windows
Perl is very useful for automating security test cases and to speed up testing.
Windows installation
Install Perl as part of your Cygwin environment.
Native Windows installation. Download from http://www.activestate.com/store/activeperl/download/
ActivePerl comes with a Perl Package Manager utility. Launch it from your Start menu. It provides a friendly interface for browsing, downloading, and installing packages.
Linux, Unix, or OS X installation
Perl is usually installed by default on non-windows operating systems. If you need the latest version, you can find a port appropriate for your distribution at the Comprehensive Perl Archive Network (CPAN) (http://www.cpan.org/ports/).
Using CPAN for Perl packages installation
The CPAN has modules and libraries for almost everything. No matter what your task, there's probably a CPAN module for it. You can easily install an Perl library package from CPAN. Installing the LibWWW library from Cygwin is as simple as typing:
perl -MCPAN -e 'install LWP'
Other helpful modules include HTTP::Request and Math::Base36.pm, installed as follows:
perl -MCPAN -e 'install HTTP::Request'
perl -MCPAN -e 'install Math::Base36.pm'
You may also install these modules interactively by using a shell:
perl -MCPAN -e shell
install Math::Base36
install LWP
Installing CAL9000
The CAL9000 tool wraps a number of security tools into a single package. It is a prototypical hacker tool, containing a variety of tricks, in the hope that one is enough to break through. In Firefox, navigate to http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project.
Download the latest ZIP containing CAL9000 and unzip it to the directory of your choice. Load the CAL9000.html file in Firefox to open the application.Written mostly in JavaScript, CAL9000 runs directly in Firefox. Thus it can run locally on any machine with a
browser—no proxy set up, no installation, and few access rights required. Despite the convenience, it offers a wide variety of tools, ranging from attack string generators to general helpful tips.
Installing the ViewState Decoder
Web applications written using ASP.NET include a hidden variable called the ViewState within every page. In order to add state to HTTP request, which are inherently stateless, this ViewState variable maintains data between requests.
Navigate to http://www.pluralsight.com/tools.aspx and download the ViewState Decoder zip archive. Unzip it to the directory of your choice. Double click the ViewStateDecoder.exe executable.
The ViewState is notoriously complex. Most developers err on the side of including too much information in the ViewState. Just by opening up the ViewState, you can find out if inappropriate data (such as internal records, database connection details, or debug records) is being sent to the client. That's one basic security test right there.
Installing cURL
The cURL tool is a command-line utility that supports an array of web protocols and components. It can be used as a browser-without-a-browser; it implements browser-like features, yet may be called from any ordinary shell. It handles cookies, authentication, and web protocols better than any other command-line tool.
Download : http://curl.haxx.se/download.html.
Tutorial : http://curl.haxx.se/docs/httpscripting.html.
You may also download cURL as part of your Cygwin installation.
Installing Pornzilla
Pornzilla isn't an individual tool, but rather a collection of useful Firefox bookmarklets and extensions. It provides a number of convenient tools useful for web application security testing.
Pornzilla is not installed as a cohesive whole. You may find all of the components at
http://www.squarefree.com/pornzilla/.
To install a bookmarklet, simply drag the link to your bookmark toolbar or bookmark organizer.
To install an extension, follow the links and install the extension as you would any Firefox extension.
The collection of tools really does provide a number of convenient abilities, unrelated to the intended use of the collection itself.
For example:
- RefSpoof modifies HTTP Referer information, possibly bypassing insecure login mechanisms.
- Digger is a directory traversal tool.
- Spiderzilla is a website spidering tool
- Increment and Decrement tamper with URL parameters.
Installing Cygwin (For Windows only )
Cygwin allows you to use a Linux environment within Windows. It is useful for running all the utilities and scripts built for Linux, without having requiring a full Linux installation.
Download the Cygwin installer from http://www.cygwin.com/, and execute it.
Installing Nikto 2[web vulnerability scanner]
Nikto is the most widely used of the few open source, freely available web vulnerability scanners. It comes configured to detect a variety of problems with minimal manual guidance.
Download : http://www.cirt.net/nikto2.
Documentation : http://cirt.net/nikto2-docs/index.html.
You'll need to unzip that package and run Nikto from within Cygwin or another Unix-likeenvironment.
Nikto has one external dependency, which is the LibWhisker module. You may download the latest version of
LibWhisker at http://sourceforge.net/projects/whisker/.
Once you've unzipped both files into the same directory, you may call Nikto via Perl from the command line, as in:
perl nikto.pl -h 192.168.0.1
Installing Burp Suite
The Burp Suite is a collection of web application security tools which includes components to intercept, repeat, analyze, or inject web application requests.
Download : http://portswigger.net/suite/download.html.
As a Java application, it shouldn't matter which operating system you're using, as long as you have the Java Runtime Environment installed.
The Burp Suite combines several tools:
- Burp proxy
- Intercepts requests, just like any other web proxy. It is the starting point for using the rest of Burp Suite.
- Burp spider
- Will crawl your web application, logging each page it touches. It will use supplied credentials to log in, and it will maintain cookies between connections.
- Burp sequencer
- Performs analysis on the predictability of session tokens, session identifiers, or other keys that require randomness for security.
- Burp repeater
- Allows one to tweak and resubmit a previously recorded request.
Installing Apache HTTP Server
The Apache HTTP Server is an open source web server that is currently the most popular HTTP server on the World Wide Web. You may need to set up an HTTP server to carry out some of the advanced cross-site scripting (XSS) exploits as well as to test for PHP Include file injection.
Download : http://httpd.apache.org/download.cgi.
Windows Installation
In windows you can easily install binary packages with or without crypto support (Crypto support is needed if you want to set up a web server with an SSL certificate).
Unix/Linux Installation
Download one of the source packages.
Execute following commands to compile, install, and start the Apache web server
$ ./configure --prefix=PREFIX
$ make
$ make install
$ PREFIX/bin/apachectl start
