Although manual security testing remains the recommended approach, there are various tools that can automate parts of security testing.
IronWASP
IronWASP is a widely trusted open source tool for automated web application security testing, including SQL injection checks. Using this tool we can identify:
- SQL injections
- Sensitive form loaded and submitted insecurely
- Session fixation found
- Password sent in URL
- Server leaking version number
- Autocomplete enabled in password fields
- Server information identified
- Technologies identified on the server
The IronWASP report gives a brief overview of the number of different findings, categorized by the hosts they were discovered on. The index section contains the names of all the findings, and the sections after it show the details of every individual finding. The table below shows the number of findings discovered on each host, separated by type and severity.
Legend:
High       | High Severity Vulnerability
Medium     | Medium Severity Vulnerability
Low        | Low Severity Vulnerability
Info       | Information Findings
Test Leads | Things of interest for manual testing
The High, Medium and Low severity vulnerability numbers are also split by the confidence with which IronWASP reported them. Each IronWASP result contains the following fields:
- Type: Vulnerability
- Severity: High, Medium or Low
- Confidence: High, Medium or Low
- Found By: Active Scanning or Passive Scanning
- Affected Parameter: the control name, e.g. username, password
- Affected Section: Body
- Summary:
- Reason: False Positive Check Assistance
- Information about response from the Server:
Acunetix
Acunetix is a widely used third-party automated security testing tool that can be used for testing and reporting security issues such as:
- Blind SQL Injection (High)
- Directory listing (Medium)
- Internal server error (Medium)
- User credentials are sent in clear text (Medium)
- Debugging enabled (Medium)
- Version disclosure (Medium)
- Clickjacking: X-Frame-Options header missing (Medium)
- Cookie without Secure flag set (Low)
- OPTIONS method is enabled (Low)
- Slow response time (Low)
- Broken links (Informational)
- Google Hacking DataBase [GHDB] (Informational)
- Server version disclosure (Informational)
- Password type input with auto-complete enabled (Informational)
- Possible internal IP address disclosure (Informational)
- Web server default welcome page (Informational)
- OS Command Injection
- Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Improper Access Control (Authorization)
- Use of Hard-coded Credentials
- Missing Authentication for Critical Function
- Missing Encryption of Sensitive Data
- Unrestricted Upload of File with Dangerous Type
- Reliance on Untrusted Inputs in a Security Decision
- Execution with Unnecessary Privileges
- Cross-Site Request Forgery (CSRF)
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Download of Code Without Integrity Check
- Incorrect Authorization
- Inclusion of Functionality from Untrusted Control Sphere
- Incorrect Permission Assignment for Critical Resource
The test report presents each result with the following fields:
- Type: Vulnerability
- Threat Level: High, Medium or Low
- Found By: Active Scanning or Passive Scanning
- Affected Parameter: the control name, e.g. username, password
- Affected Section: Body
- Summary:
- Reason: False Positive Check Assistance
- Information about response from the Server:
Netsparker
Netsparker is a web application security scanner that can be used for automating security testing. This tool can be used for testing and reporting security issues such as:
- Password Transmitted over HTTP
- Insecure Transportation Security Protocol Supported (SSLv3)
- Insecure Transportation Security Protocol Supported (SSLv2) (Medium)
- Weak Ciphers Enabled (Medium)
- [Possible] Cross-site Scripting (Medium)
- Missing X-Frame-Options Header (Low)
- Version Disclosure (ASP.NET) (Low)
- Autocomplete Enabled (Low)
- [Possible] Cross-site Request Forgery in Login Form Detected (Low)
- Internal Server Error (Low)
- [Possible] Internal Path Disclosure (Windows) (Information)
- Forbidden Resource (Information)
- Directory Listing (IIS) (Information)
- UNC Server and Share Disclosure (Information)
- ASP.NET Identified (Information)
- Out-of-date Version (AngularJS) (Information)
- Out-of-date Version (jQuery) (Information)
- Version Disclosure (IIS) (Information)
- Autocomplete Enabled (Password Field) (Information)
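As an added example (not code from IronWASP, Acunetix or Netsparker), the Python below shows how a passive scan derives several of the findings listed above from a single captured HTTP response and records them with the report fields these tools use (Type, Severity, Confidence, Found By, Affected Parameter, Affected Section, Summary). The sample URL, headers, HTML and the severities assigned are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
@dataclass
class Finding:  # the report fields listed on this page (Found By is always passive here)
    type: str
    severity: str      # High / Medium / Low / Info
    confidence: str    # High / Medium / Low
    found_by: str
    affected_parameter: str
    affected_section: str  # Header / Body
    summary: str
def field_name(tag):  # value of the name= attribute of an <input ...> tag, if any
    m = re.search(r'name\s*=\s*["\']?([\w.-]+)', tag, re.I)
    return m.group(1) if m else "(unnamed)"
def passive_checks(url, headers, body):
    # headers: list of (name, value) pairs; body: HTML text. Nothing is sent anywhere.
    findings = []
    def add(sev, conf, param, section, summary):
        findings.append(Finding("Vulnerability", sev, conf, "Passive Scanning",
                                param, section, summary))
    if "x-frame-options" not in {n.lower() for n, _ in headers}:
        add("Low", "High", "X-Frame-Options", "Header",
            "Clickjacking: X-Frame-Options header missing")
    for name, value in headers:
        if name.lower() == "server" and re.search(r"\d+\.\d+", value):
            add("Info", "High", "Server", "Header", f"Server version disclosure: {value}")
        if (name.lower() == "set-cookie" and url.startswith("https://")
                and not re.search(r";\s*secure\b", value, re.I)):
            add("Low", "High", value.split("=", 1)[0], "Header",
                "Cookie without Secure flag set")
    # Credentials go in clear text if the page or the form action is plain http://.
    plaintext = url.startswith("http://") or bool(
        re.search(r'action\s*=\s*["\']http://', body, re.I))
    for tag in re.findall(r"<input\b[^>]*>", body, re.I):
        if not re.search(r'type\s*=\s*["\']?password', tag, re.I):
            continue
        if not re.search(r'autocomplete\s*=\s*["\']?off', tag, re.I):
            add("Info", "Medium", field_name(tag), "Body",
                "Password type input with auto-complete enabled")
        if plaintext:
            add("Medium", "Medium", field_name(tag), "Body",
                "User credentials are sent in clear text")
    return findings
# Constructed sample response, not captured from any real site.
SAMPLE_URL = "https://example.test/login"
SAMPLE_HEADERS = [("Server", "Microsoft-IIS/8.5"), ("Content-Type", "text/html"),
                  ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly")]
SAMPLE_BODY = ('<form method="post" action="http://example.test/login">'
               '<input type="text" name="username"><input type="password" name="password"></form>')
```

Running `passive_checks(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)` on the constructed sample yields five findings: the missing X-Frame-Options header, the IIS version disclosure, the session cookie without the Secure flag, the password field with autocomplete enabled, and the login form posting credentials over plain HTTP.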
Each finding in the report is rated by severity with a description of its impact:
Severity  | Impact
Critical  | An attacker could access and control logged-in user or administrator accounts. This would enable them to take any action that those users can take and to steal their information. For example, an administrator might have complete access to the database and the ability to change the website.
Important | An attacker could access user information sent over public Wi-Fi. This might include passwords, usernames, and the content of web pages viewed.
Important | An attacker could view information about your system that helps them find or exploit vulnerabilities. This may enable them to take control of your website and access sensitive user and administrator information.
Important | The software that powers your website is out of date; your version is known to contain vulnerabilities.
Medium    | An attacker could access information that helps them to exploit other vulnerabilities. This information gives them a better understanding of your system.
Low       | People using a web browser after one of your users could see sensitive information that has been entered into your site, for example username, password or credit card details. This is possible because browser autocomplete is not disabled.
Netsparker can also produce a HIPAA compliance report covering findings such as:
- Cross-site Scripting
- Version Disclosure about Technology used
- Cross-site Request Forgery in Forms
- Version Disclosure for webserver
- Internal Path Disclosure