In the second part of his blog post “Security Testing Tips From a Bug Battle Winner”, uTester Bernard Lelchuk takes a closer look at some of the more effective tools to use when performing security testing.
There are quite a few attacking testing tools which can make security testing easier and more productive for both novice and veteran testing engineers alike. I will not list all of them here, but rather cover the most essential, common and interesting FREE tools. So here they are, in no particular order:
A comprehensive yet easy-to-use protocol analyzer (sniffer) which will allow you to view, filter and analyze all network transmissions. (http://www.wireshark.org/)
Acts as a proxy which allows the tester to intercept and modify all HTTP/S data between server and client, including cookies and form fields. (http://www.parosproxy.org/index.shtml)
Burp Suite (Man-In-The-Middle)
Integrated platform for attacking web applications which contains several interfaces for handling HTTP requests, persistence, authentication, downstream proxies, logging, alerting and extensibility. Acts as a man-in-the-middle between client and server, thus allowing the tester to intercept and modify all HTTP requests between both parties. (http://portswigger.net/suite/)
Framework for analyzing and modifying all HTTP/S requests and responses between the browser and the server, which uses several plugins. (http://www.owasp.org/index.php/OWASP_WebScarab_Project)
Here are a few Firefox add-ons that you may also find useful:
SQL Injection 1.2:
A component to transform check boxes, radio buttons, select elements to a input text and enable disabled elements from all forms in a page. It makes it easier to test and identify SQL injection vulnerabilities in web pages. (https://addons.mozilla.org/en-US/firefox/addon/6727)
Security Compass tools:
A set of 3 security testing attacking tools which are easy to execute at any time even with no early background in security testing. Just install and run each application on a website and review the generate report. This will give you a detailed report of all executed commands – just read and learn
Accessing vulnerabilities in an application can allow an attacker to access those same resources without being authenticated. Access-Me is a Firefox extension used to test for these types of vulnerabilities. (https://addons.mozilla.org/en-US/firefox/addon/7595)
SQL Inject me
SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is Firefox Extension used to test for SQL Injection vulnerabilities.
Cross-Site Scripting (XSS) is a common flaw found in today’s web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.
Security Compass’s home page:
View and modify HTTP/HTTPS headers and post parameters. It’s a similar tool to Burp suite, however, it features basic and limited data tampering capabilities directly via FF.
Selecting a security testing tool from the list above (or an additional tool) should not be an hassle, no matter what your expertise level.
- If you need to start out with monitoring traffic, then use the Wireshark tool, which I find to be the easiest and most productive tool in my daily work as a QA professional.
- For tampering data, start with either BurpSuite or the FF add-on Tamper data if you feel more comfortable testing directly in your browser.
- For injection attacks, just install the 3-pack of Security Compass and experiment with it.
As an extra, here are some nice security testing sources for you.
I’d love to receive your comments, questions or experiences you may have had with security testing.