It’s never too soon to assess the security of your application with these great penetration testing tools

Remember the Equifax breach in 2017, which exposed the personal data of roughly 147 million people, nearly half of all Americans? Or the 2018 Marriott breach that compromised up to 500 million guest records? It’s very hard to forget. Even if your company is not a household name, it’s imperative to proactively protect your applications and data before it’s too late, with losses already incurred and your company’s reputation diminished.

Software security testing is performed to find the vulnerabilities, threats and risks in software systems and applications that could cause losses like these. No test can prove an application is free of vulnerabilities; what security testing does is systematically look for the loopholes and weaknesses that might result in a loss of information, revenue or reputation, whether they are exploited by insiders or by external attackers. With the findings from testing, development teams can fix vulnerabilities before attackers exploit them.

Here are some widely recommended tools for penetration testing and ethical hacking so you can get ahead of potential attackers and avoid detrimental business outcomes.

1. Acunetix 

Acunetix is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL injection, cross-site scripting and other exploitable flaws. In general, Acunetix can scan any website or web application that is accessible via a web browser over HTTP/HTTPS.

Acunetix offers a strong solution for analyzing both off-the-shelf and custom web applications, including JavaScript-heavy and AJAX-based ones. Its crawler is built to discover as much of the application as possible (pages, scripts, parameters and files), since anything the scanner does not find, it cannot test.

Key Features

  • Automatically test for XSS, SQLi and over 4500 exploitable vulnerabilities
  • Reduce false positives with grey-box scanning that instruments the application and observes how input is handled during execution
  • Test for over 1200 WordPress, Drupal and Joomla! specific vulnerabilities
  • Scan HTML5, JavaScript, Single Page Applications and RESTful web services
  • Vulnerability management and compliance reporting

Pricing

  • Standard: $4,495
  • Team: $6,995
  • Enterprise Plus for over 20 targets: Contact vendor

What Makes it Unique?

  • With Acunetix it’s possible to find and report many types of web weaknesses, such as SQL injection (including blind SQL injection), cross-site scripting, CRLF injection, code execution, directory traversal, file inclusion and authentication bypass.
  • Detailed penetration scenarios can be carried out with Acunetix’s HTTP Editor, HTTP Sniffer, HTTP Fuzzer, WVS Scripting Tool and Blind SQL Injector for more advanced manual testing.
  • With support for CAPTCHA, single sign-on and two-factor authentication, Acunetix can authenticate to most kinds of web application, which matters because the pages behind the login are usually where the interesting bugs live.
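To make concrete what a scanner like this is probing for, here is an added example in Python (written for this post; it is not Acunetix code and was not part of the original article): a login check that builds its SQL query by string concatenation, the same check with bound parameters, and a handful of scanner-style SQL injection probes run against both. The table, user names and probe strings are constructed for the example.

```python
import sqlite3

# Constructed sample table for this example (not data from any real application).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Probes of the kind an automated scanner injects into the username field.
# A lone quote hunts for error-based injection; the two '--' payloads comment
# out the password check; "alice" is a control value that must never log in
# with a wrong password.
PROBES = ["'", "alice'--", "' OR 1=1--", "alice"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so user input becomes SQL syntax."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: input is treated as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def run_probes(login):
    """Sends every probe as the username with a wrong password and records what
    the login function returns: a user name means authentication was bypassed,
    an error string means a database error leaked back (also a finding)."""
    conn = make_db()
    results = {}
    for probe in PROBES:
        try:
            results[probe] = login(conn, probe, "wrong-password")
        except sqlite3.Error as exc:
            results[probe] = "ERROR: %s" % exc
    conn.close()
    return results


if __name__ == "__main__":
    for label, login in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(label)
        for probe, result in run_probes(login).items():
            print("  %-12r -> %r" % (probe, result))
```

Run it and the vulnerable function logs in as alice for both comment payloads and throws a database error for the lone quote, which is exactly the pair of signals (changed response, error text) a scanner keys on. The parameterized version returns nothing for every probe.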

2. Burp Suite

Burp Suite is an integrated platform for performing security testing for web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with automation to make your work faster, more effective, and maybe even more fun.

Key Features

  • Proxy: Lets you inspect and modify traffic between your browser and the target application. You can change a request from GET to POST or vice versa, unhide hidden fields, enable disabled fields, strip the Secure flag from a cookie and more. The HTTP history tab is an index of all your requests, which lets you plan your next actions.
  • Spider: Automates the mapping of an application (in Burp Suite 2.x this job is done by the Crawler).
  • Scanner: The automated active scanner interacts with your web application and detects simple issues, like a password submitted as a GET parameter, as well as advanced vulnerabilities like remote code execution and SQL injection. You can set the speed of scanning, pause and resume, choose which areas to scan and more.
  • Intruder: Meant for exploitation and automating attacks. Most attacks against web applications come down to sending many variations of a request and making sense of the responses, so Intruder is a payload-driven request sender and response collector.
  • Repeater: Lets you take a request from Target or any other tool and resend it as often as you like, tampering with the data being sent, the request method, cookie values and any other client-side value.

Pricing

  • Community: Free*
  • Professional: $399/year
  • Enterprise Edition: $3,999/year

*For researchers and hobbyists

What Makes it Unique?

  • The Decoder tool encodes and decodes data. A web application penetration tester needs to recognize the type of encoding that has been applied (URL, Base64, HTML, hex and so on) and then decode the piece of data; Decoder does this and can chain several transformations.
  • Comparer: Useful when you want to see how different values for parameters and headers produce subtle changes in the responses you receive. For example, it lets you see how the application reacts to a valid user with an invalid password compared to an invalid user with an invalid password, a difference that enables username enumeration.
  • When you are working on multiple projects for a client, the ability to save and restore state (project files in current versions) comes in handy.
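As an added illustration of the Intruder and Comparer workflow described above (example code written for this post, not part of Burp Suite), here is a Python sketch of a username enumeration check: a simulated login endpoint that answers differently for unknown users and for wrong passwords, an Intruder-style loop that fires a wordlist at the username parameter, and a Comparer-style step that flags responses deviating from the baseline. The endpoint, accounts and wordlist are constructed for the example; a hardened handler is included to show the check coming up empty.

```python
from collections import Counter

# Constructed sample back end for the example: the accounts the target knows.
VALID_USERS = {"alice": "s3cret", "bob": "hunter2"}


def login_endpoint(username, password):
    """Stand-in for the target's POST /login. Returns (status, body).
    The two failure messages differ, which is the weakness being hunted."""
    if username not in VALID_USERS:
        return 200, "Login failed: no such account"
    if VALID_USERS[username] != password:
        return 200, "Login failed: incorrect password"
    return 302, "Redirecting to /dashboard"


def login_endpoint_fixed(username, password):
    """Hardened handler: one generic failure message for both cases."""
    if VALID_USERS.get(username) != password:
        return 200, "Login failed: invalid username or password"
    return 302, "Redirecting to /dashboard"


def response_signature(status, body):
    """The fields Comparer would put side by side: status, length and body."""
    return (status, len(body), body)


def enumerate_usernames(candidates, send=login_endpoint, password="not-the-password"):
    """Intruder-style sniper attack on the username parameter.

    One request per candidate, all with the same wrong password. The most
    common response signature is taken as the 'unknown user' baseline (so
    this assumes most candidates are invalid); every candidate whose response
    deviates from it is reported as a probable valid account."""
    responses = {c: response_signature(*send(c, password)) for c in candidates}
    baseline, _ = Counter(responses.values()).most_common(1)[0]
    return sorted(c for c, sig in responses.items() if sig != baseline)


if __name__ == "__main__":
    wordlist = ["admin", "alice", "root", "bob", "test", "guest"]
    print("vulnerable handler:", enumerate_usernames(wordlist))
    print("fixed handler:     ", enumerate_usernames(wordlist, send=login_endpoint_fixed))
```

Against the vulnerable handler the wordlist yields alice and bob; against the fixed one nothing stands out. Note that the generic message only closes the content side channel: if the valid-user path still does extra work (a password hash comparison, say), response timing can give the same answer away, and Intruder's response-time columns are where you would look for that.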

3. Netsparker

Netsparker automatically exploits identified vulnerabilities in a read-only, safe way and produces proof of exploitation, so you can immediately see the impact of a vulnerability without having to verify it by hand. According to the vendor, in third-party independent benchmark tests the Netsparker web application security scanner identified all the direct-impact vulnerabilities, outperforming other scanners.

Key Features

  • Check web applications for XSS, SQL injection and other exploitable vulnerabilities
  • Scan any type of web application, whether built with PHP, .NET, Java or any other language, since a black-box scanner works at the HTTP level
  • Scan both custom-built and modern JavaScript-heavy and HTML5 web applications
  • Check your web applications for coding errors that result in security vulnerabilities
  • Generate regulatory compliance and legal web application security reports

Pricing

  • Standard: $4995/yr*
  • Team: $7995/yr*
  • Enterprise: Contact vendor

*Pricing based on multi-year contracts

What Makes it Unique?

  • Netsparker has out-of-the-box support for several popular issue trackers, CI/CD systems and other services used in development environments. If you use a system for which Netsparker has no built-in integration, you can always use its REST API.
  • It works with Proof-Based Scanning, an exclusive technology that automatically verifies identified vulnerabilities, proving they are real and not false positives.

4. Nmap

Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Key Features

  • Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more.
  • Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
  • While Nmap offers many advanced features for power users, you can start out as simply as “nmap -v -A targethost” (verbose output with OS detection, version detection, script scanning and traceroute enabled). Both the traditional command line and a graphical (GUI) version are available, and binaries are available for those who don’t want to compile Nmap from source.

Pricing

Nmap is free and open source.

What Makes it Unique?

  • In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
  • Nmap has been used to scan huge networks of hundreds of thousands of machines.
  • Significant effort has been put into comprehensive resources for it such as whitepapers, tutorials, and even a book. You can find them in multiple languages.
  • It’s well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. You can also find Nmap on Facebook and Twitter.
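Nmap’s XML output (-oX) is what you feed into other tools, and Ndiff’s job is to show only what changed between two scans. As an added example (not code from the Nmap project and not from the original post), the following Python parses two constructed, trimmed-down Nmap XML reports of the same host and reports which ports opened, which closed and which services changed version. The address, ports and versions are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (the shape `nmap -sV -oX file.xml` writes), trimmed to
# the elements this example reads, for two scans of one host on consecutive
# days. The address is from the 192.0.2.0/24 documentation range.
SCAN_BEFORE = """<nmaprun scanner="nmap" args="nmap -sV -oX before.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
</nmaprun>"""

SCAN_AFTER = """<nmaprun scanner="nmap" args="nmap -sV -oX after.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.20.1"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http"/></port>
</ports></host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Returns {ip: {(protocol, port): service label}} for open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        services = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposed attack surface
            svc = port.find("service")
            parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            label = " ".join(p for p in parts if p) or "unknown"
            services[(port.get("protocol"), int(port.get("portid")))] = label
        hosts[addr.get("addr")] = services
    return hosts


def diff_scans(before, after):
    """Ndiff-style comparison: returns (opened, closed, changed) so that only
    the deltas between two scans need a human look."""
    opened, closed, changed = [], [], []
    for ip in sorted(set(before) | set(after)):
        b, a = before.get(ip, {}), after.get(ip, {})
        for key in sorted(set(b) | set(a)):
            if key not in b:
                opened.append((ip, key, a[key]))
            elif key not in a:
                closed.append((ip, key, b[key]))
            elif a[key] != b[key]:
                changed.append((ip, key, b[key], a[key]))
    return opened, closed, changed


if __name__ == "__main__":
    opened, closed, changed = diff_scans(parse_open_ports(SCAN_BEFORE),
                                         parse_open_ports(SCAN_AFTER))
    for ip, (proto, port), label in opened:
        print("NEW    %s %s/%d %s" % (ip, proto, port, label))
    for ip, (proto, port), label in closed:
        print("GONE   %s %s/%d %s" % (ip, proto, port, label))
    for ip, (proto, port), old, new in changed:
        print("CHANGE %s %s/%d %s -> %s" % (ip, proto, port, old, new))
```

In the sample, a database port that was filtered yesterday is open today and a second HTTP listener has appeared; those are the lines worth chasing, while the unchanged SSH service is noise. Scheduling a scan and diffing against the last known-good result is a cheap way to catch firewall regressions and forgotten services.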

5. OWASP Zed Attack Proxy

The security testing tool we use the most at Abstracta, OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you develop and test your applications. It’s also a great tool for experienced penetration testers to use for manual security testing.

Key Features

  • Finds common vulnerability classes such as SQL injection, broken authentication and session management, cross-site scripting (XSS), broken access control, security misconfiguration, sensitive data exposure, cross-site request forgery (CSRF) and underprotected APIs
  • Generates reports of the results
  • Passive scanner (inspects the traffic you generate while browsing, without sending attacks) and active scanner (sends attack payloads automatically)

Pricing

  • Free/Open source

What Makes it Unique?

  • It’s designed to be used by both beginners and professionals
  • Cross-platform: it’s a Java application and runs on Linux, macOS and Windows
  • ZAP provides automated scanners as well as a set of tools (intercepting proxy, spider, fuzzer and more) that let you find security vulnerabilities manually

6. Sboxr

Sboxr is a tool for testing and debugging web applications, especially JavaScript-heavy apps. It sits between the browser and the server and injects its own JavaScript (called the DOM sensor), which monitors JavaScript usage, sources, sinks, variable assignments, function calls and so on while the site is being used. It then presents, in its web console, a view of the flows that user-controlled data took whenever that data ends up in an execution sink.

Key Features

  • Can be used by Dev, QA and Security teams, with a minimal learning curve
  • Detailed reporting to help in understanding, validating and remediating the identified issues
  • Automatic discovery of over 30 DOM Security issues: code execution issues, cross-site communication issues, data leakage issues, weak cryptography issues, sensitive data storage issues, malicious libraries issues, and more

Pricing

  • Sboxr with basic support: $999*
  • Sboxr with professional support: Custom pricing**

*Billed annually for 5 users, $199 for every additional user

**Billed annually

What Makes it Unique?

  • Sboxr finds issues as you simply browse through your site, so there’s almost no learning curve
  • The creators of Sboxr will help you understand, validate or remediate issues through its professional support

7. VAddy

VAddy helps developers code securely by finding vulnerabilities in new features as they are written, so teams stop running security scans at the last minute and can spot bad coding trends early. It’s useful because it’s language-agnostic, integrates easily with CI tools like Jenkins and Travis CI, and performs security checks and audits automatically on every build.

Read our post here on how to add security checks with VAddy to your CI pipeline.

Key Features

  • Runs black-box security tests for SQL injection, XSS, remote file inclusion, command injection and directory traversal against URL path parameters, web application forms (including forms protected by CSRF tokens) and more
  • Unlimited free scanning
  • Strong support for continuous integration through a Web API, a Jenkins plugin and Travis CI and CircleCI integrations
  • Its proprietary security scanning engine uses machine learning
  • You can inspect the requests VAddy used to find each vulnerability, which lets you reproduce the attack and fix your web application’s code

Pricing

  • Free two-week trial
  • Starter plan: ~ $55/ month
  • Professional: ~ $180/ month

What Makes it Unique?

  • It’s one of the simplest tools to use if you want to add security checks into your CI pipeline
  • There is nothing to install and very little to configure


Have you used any of these software security testing tools in your projects? How were your experiences with them?

