Penetration testing tools [closed]

There are a couple different directions you can go with automated testing tools for web applications.

First, there are the commercial web scanners, of which HP WebInspect and Rational AppScan are the two most popular. These are “all-in-one”, “fire-and-forget” tools that you download and install on an internal Windows desktop and then give a URL to spider your site, scan for well-known vulnerabilities (ie, the things that have hit Bugtraq), and probe for cross-site scripting and SQL injection vulnerabilities.

Second, there are the source-code scanning tools, of which Coverity and Fortify are probably the two best known. These are tools you install on a developer’s desktop to process your Java or C# source code and look for well-known patterns of insecure code, like poor input validation.

Finally, there are the penetration test tools. By far the most popular web app penetration testing tool among security professionals is Burp Suite, which you can find at Others include Spike Proxy and OWASP WebScarab. Again, you’ll install this on an internal Windows desktop. It will run as an HTTP proxy, and you’ll point your browser at it. You’ll use your applications as a normal user would, while it records your actions. You can then go back to each individual page or HTTP action and probe it for security problems.

In a complex environment, and especially if you’re considering anything DIY, I strongly recommend the penetration testing tools. Here’s why:

Commercial web scanners provide a lot of “breadth”, along with excellent reporting. However:

  • They tend to miss things, because every application is different.

  • They’re expensive (WebInspect starts in the 10’s of thousands).

  • You’re paying for stuff you don’t need (like databases of known bad CGIs from the ’90s).

  • They’re hard to customize.

  • They can produce noisy results.

Source code scanners are more thorough than web scanners. However:

  • They’re even more expensive than the web scanners.

  • They require source code to operate.

  • To be effective, they often require you to annotate your source code (for instance, to pick out input pathways).

  • They have a tendency to produce false positives.

Both commercial scanners and source code scanners have a bad habit of becoming shelfware. Worse, even if they work, their cost is comparable to getting 1 or 2 entire applications audited by a consultancy; if you trust your consultants, you’re guaranteed to get better results from them than from the tools.

Penetration testing tools have downsides too:

  • They’re much harder to use than fire-and-forget commercial scanners.

  • They assume some expertise in web application vulnerabilities — you have to know what you’re looking for.

  • They produce little or no formal reporting.

On the other hand:

  • They’re much, much cheaper — the best of the lot, Burp Suite, costs only 99EU, and has a free version.

  • They’re easy to customize and add to a testing workflow.

  • They’re much better at helping you “get to know” your applications from the inside.

Here’s something you’d do with a pen-test tool for a basic web application:

  1. Log into the application through the proxy

  2. Create a “hit list” of the major functional areas of the application, and exercise each once.

  3. Use the “spider” tool in your pen-test application to find all the pages and actions and handlers in the application.

  4. For each dynamic page and each HTML form the spider uncovers, use the “fuzzer” tool (Burp calls it an “intruder”) to exercise every parameter with invalid inputs. Most fuzzers come with basic test strings that include:

    • SQL metacharacters

    • HTML/Javascript escapes and metacharacters

    • Internationalized variants of these to evade input filters

    • Well-known default form field names and values

    • Well-known directory names, file names, and handler verbs

  5. Spend several hours filtering the resulting errors (a typical fuzz run for one form might generate 1000 of them) looking for suspicious responses.

This is a labor-intensive, “bare-metal” approach. But when your company owns the actual applications, the bare-metal approach pays off, because you can use it to build regression test suites that will run like clockwork at each dev cycle for each app. This is a win for a bunch of reasons:

  • Your security testing will take a predictable amount of time and resources per application, which allows you to budget and triage.

  • Your team will get maximally accurate and thorough results, since your testing is going to be tuned to your applications.

  • It’s going to cost less than commercial scanners and less than consultants.

Of course, if you go this route, you’re basically turning yourself into a security consultant for your company. I don’t think that’s a bad thing; if you don’t want that expertise, WebInspect or Fortify isn’t going to help you much anyways.

Leave a Comment