Are there any tool you recommend for security testing of web applications?
您是否建议使用任何工具来进行Web应用程序的安全性测试?
I have used WebScarab from OWASP, but find it a bit difficult and unwieldy to use.
我使用过OWASP的WebScarab,但发现它使用起来有点困难和笨拙。
Is there anything else better you would suggest using?
你还建议使用其他更好的东西吗?
8 个解决方案
#1
4
Instead of WebScarab, try Fiddler proxy (http://www.fiddlertool.com). A lot more comfortable.
而不是WebScarab,尝试Fiddler代理(http://www.fiddlertool.com)。更舒服。
Other than that, "security testing" is a very wide term.
At the very least, you have:
除此之外,“安全测试”是一个非常广泛的术语。至少,你有:
- Penetration testing - I use Appscan, many others.
- Source Code Review / Static Analysis - Fortify is considered one of the best, I fell in love with Checkmarx (but it requires a security guy)... More information on your specific technology/language would help give you more targeted answers.
- There are other types of "security testing", but I'm not familiar with other automatic tools for those types.
- Pursuant to the last point, and more advanced testing of the first two types (PT/CR), manual testing by an expert is really the best (if not the most cost-effective).
渗透测试 - 我使用Appscan,其他许多人。
源代码审查/静态分析 - Fortify被认为是最好的之一,我爱上了Checkmarx(但它需要一个安全人员)...有关您的特定技术/语言的更多信息将有助于为您提供更有针对性的答案。
还有其他类型的“安全测试”,但我不熟悉这些类型的其他自动工具。
根据最后一点,以及前两种类型(PT / CR)的更先进的测试,专家的手动测试确实是最好的(如果不是最具成本效益的)。
#4
1
I work for a company that does web app penetration testing as part of it's business. We use many different tools. Some are one off tools in Ruby for specific projects, or in house developed frameworks or proxies (again Ruby). Most of our web app penetration testing is done using webscarab, burpsuite or paros proxy. They all have some sort of logging functionality, a decent amount of power and a drawback or two.
我在一家公司工作,进行网络应用程序渗透测试,作为其业务的一部分。我们使用许多不同的工具。有些是用于特定项目的Ruby中的一种工具,或者是内部开发的框架或代理(再次是Ruby)。我们的大多数网络应用程序渗透测试都是使用webscarab,burpsuite或paros代理完成的。它们都具有某种记录功能,相当大的功率和一两个缺点。
I've actually found webscarab to be the easiest to use. But, it doesn't handle VIEWSTATE or do much for searching. We've actually found data in VIEWSTATE that shouldn't be there, so whenever we see them we tend to switch to a different proxy. Burpsuite is my next choice. It does handle VIEWSTATE but the interface takes a lot of getting used to and its output while technically more complete - it keeps the original and modified requests/responses - is harder to use.
我实际上发现webscarab是最容易使用的。但是,它不处理VIEWSTATE或为搜索做很多事情。我们实际上在VIEWSTATE中找到了不应该存在的数据,因此每当我们看到它们时,我们倾向于切换到不同的代理。 Burpsuite是我的下一个选择。它确实处理VIEWSTATE但是接口需要大量的习惯和输出,而技术上更完整 - 它保留原始和修改的请求/响应 - 更难使用。
Unfortunately, the answer to you question is slightly more complicated than just a good proxy. There is more to it than just picking up a proxy or a scanner and letting them run. A person has to verify anything the tool finds and there are somethings nothing short of a person will find.
不幸的是,你的问题的答案比一个好的代理稍微复杂一点。除了拿起代理或扫描仪并让它们运行之外,还有更多功能。一个人必须验证工具找到的任何东西,并且有些东西没有人能找到。
tqbf has a good explanation of this here.
tqbf在这里有一个很好的解释。
#5
1
I use Nikto.
我用Nikto。
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it's fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).
Nikto是一个开源(GPL)Web服务器扫描程序,它针对多个项目对Web服务器执行全面测试,包括超过3500个潜在危险文件/ CGI,超过900个服务器上的版本以及超过250个服务器上的版本特定问题。扫描项目和插件经常更新,可以自动更新(如果需要)。 Nikto并不是一个过于隐蔽的工具。它将在尽可能短的时间内测试Web服务器,并且在日志文件中相当明显。但是,如果您想尝试(或测试您的IDS系统),可以支持LibWhisker的反IDS方法。
This list could also help: Top 10 Web Vulnerability Scanners
此列表也可以提供帮助:十大Web漏洞扫描程序
#6
1
These are all for pen testing web apps
这些都是笔测试Web应用程序
- curl - commandline tool to explore
- nikto/wikto - scanner for vulns
- w3af - Have heard great things haven't tried it much
- sqlmap - automated sql injection
- WebDeveloper and firebug - firefox extensions
- Twill and Selenium with your own test cases http://ha.ckers.org/xss.html
curl - 探索的命令行工具
nikto / wikto - 用于扫描的扫描仪
w3af - 听说伟大的事情没有尝试过
sqlmap - 自动sql注入
WebDeveloper和firebug - firefox扩展
Twill和Selenium以及您自己的测试用例http://ha.ckers.org/xss.html
#7
0
I'd suggest using manual inspection with simple string search tools like findstr. Here is a great resource of manual security inspection for asp.net: http://msdn.microsoft.com/en-us/library/ms998364.aspx Or you can jump straight to the security questions that guide your way to finding security vulnerabilities: http://msdn.microsoft.com/en-us/library/ms998375.aspx I've got a summary of string search techniques here: http://blogs.msdn.com/ace_team/archive/2008/07/24/security-code-review-string-search-patterns-for-finding-vulnerabilities-in-asp-net-web-application.aspx
我建议使用像findstr这样的简单字符串搜索工具进行手动检查。这是asp.net的手动安全检查的一个很好的资源:http://msdn.microsoft.com/en-us/library/ms998364.aspx或者你可以直接跳到指导你找到安全漏洞的方法的安全问题:http://msdn.microsoft.com/en-us/library/ms998375.aspx我在这里得到了字符串搜索技术的摘要:http://blogs.msdn.com/ace_team/archive/2008/07/ 24 /安全码 - 审查 - 字符串搜索模式,为调查的漏洞,在-ASP净网页application.aspx
#8
0
You can use Paros or Netsparker for Security testing. The following URL can help to find some Security testing tools:
您可以使用Paros或Netsparker进行安全测试。以下URL可帮助您找到一些安全测试工具:
http://www.webresourcesdepot.com/10-free-web-application-security-testing-tools/
#1
4
Instead of WebScarab, try Fiddler proxy (http://www.fiddlertool.com). A lot more comfortable.
而不是WebScarab,尝试Fiddler代理(http://www.fiddlertool.com)。更舒服。
Other than that, "security testing" is a very wide term.
At the very least, you have:
除此之外,“安全测试”是一个非常广泛的术语。至少,你有:
- Penetration testing - I use Appscan, many others.
- Source Code Review / Static Analysis - Fortify is considered one of the best, I fell in love with Checkmarx (but it requires a security guy)... More information on your specific technology/language would help give you more targeted answers.
- There are other types of "security testing", but I'm not familiar with other automatic tools for those types.
- Pursuant to the last point, and more advanced testing of the first two types (PT/CR), manual testing by an expert is really the best (if not the most cost-effective).
渗透测试 - 我使用Appscan,其他许多人。
源代码审查/静态分析 - Fortify被认为是最好的之一,我爱上了Checkmarx(但它需要一个安全人员)...有关您的特定技术/语言的更多信息将有助于为您提供更有针对性的答案。
还有其他类型的“安全测试”,但我不熟悉这些类型的其他自动工具。
根据最后一点,以及前两种类型(PT / CR)的更先进的测试,专家的手动测试确实是最好的(如果不是最具成本效益的)。
#2
#3
#4
1
I work for a company that does web app penetration testing as part of it's business. We use many different tools. Some are one off tools in Ruby for specific projects, or in house developed frameworks or proxies (again Ruby). Most of our web app penetration testing is done using webscarab, burpsuite or paros proxy. They all have some sort of logging functionality, a decent amount of power and a drawback or two.
我在一家公司工作,进行网络应用程序渗透测试,作为其业务的一部分。我们使用许多不同的工具。有些是用于特定项目的Ruby中的一种工具,或者是内部开发的框架或代理(再次是Ruby)。我们的大多数网络应用程序渗透测试都是使用webscarab,burpsuite或paros代理完成的。它们都具有某种记录功能,相当大的功率和一两个缺点。
I've actually found webscarab to be the easiest to use. But, it doesn't handle VIEWSTATE or do much for searching. We've actually found data in VIEWSTATE that shouldn't be there, so whenever we see them we tend to switch to a different proxy. Burpsuite is my next choice. It does handle VIEWSTATE but the interface takes a lot of getting used to and its output while technically more complete - it keeps the original and modified requests/responses - is harder to use.
我实际上发现webscarab是最容易使用的。但是,它不处理VIEWSTATE或为搜索做很多事情。我们实际上在VIEWSTATE中找到了不应该存在的数据,因此每当我们看到它们时,我们倾向于切换到不同的代理。 Burpsuite是我的下一个选择。它确实处理VIEWSTATE但是接口需要大量的习惯和输出,而技术上更完整 - 它保留原始和修改的请求/响应 - 更难使用。
Unfortunately, the answer to you question is slightly more complicated than just a good proxy. There is more to it than just picking up a proxy or a scanner and letting them run. A person has to verify anything the tool finds and there are somethings nothing short of a person will find.
不幸的是,你的问题的答案比一个好的代理稍微复杂一点。除了拿起代理或扫描仪并让它们运行之外,还有更多功能。一个人必须验证工具找到的任何东西,并且有些东西没有人能找到。
tqbf has a good explanation of this here.
tqbf在这里有一个很好的解释。
#5
1
I use Nikto.
我用Nikto。
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it's fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).
Nikto是一个开源(GPL)Web服务器扫描程序,它针对多个项目对Web服务器执行全面测试,包括超过3500个潜在危险文件/ CGI,超过900个服务器上的版本以及超过250个服务器上的版本特定问题。扫描项目和插件经常更新,可以自动更新(如果需要)。 Nikto并不是一个过于隐蔽的工具。它将在尽可能短的时间内测试Web服务器,并且在日志文件中相当明显。但是,如果您想尝试(或测试您的IDS系统),可以支持LibWhisker的反IDS方法。
This list could also help: Top 10 Web Vulnerability Scanners
此列表也可以提供帮助:十大Web漏洞扫描程序
#6
1
These are all for pen testing web apps
这些都是笔测试Web应用程序
- curl - commandline tool to explore
- nikto/wikto - scanner for vulns
- w3af - Have heard great things haven't tried it much
- sqlmap - automated sql injection
- WebDeveloper and firebug - firefox extensions
- Twill and Selenium with your own test cases http://ha.ckers.org/xss.html
curl - 探索的命令行工具
nikto / wikto - 用于扫描的扫描仪
w3af - 听说伟大的事情没有尝试过
sqlmap - 自动sql注入
WebDeveloper和firebug - firefox扩展
Twill和Selenium以及您自己的测试用例http://ha.ckers.org/xss.html
#7
0
I'd suggest using manual inspection with simple string search tools like findstr. Here is a great resource of manual security inspection for asp.net: http://msdn.microsoft.com/en-us/library/ms998364.aspx Or you can jump straight to the security questions that guide your way to finding security vulnerabilities: http://msdn.microsoft.com/en-us/library/ms998375.aspx I've got a summary of string search techniques here: http://blogs.msdn.com/ace_team/archive/2008/07/24/security-code-review-string-search-patterns-for-finding-vulnerabilities-in-asp-net-web-application.aspx
我建议使用像findstr这样的简单字符串搜索工具进行手动检查。这是asp.net的手动安全检查的一个很好的资源:http://msdn.microsoft.com/en-us/library/ms998364.aspx或者你可以直接跳到指导你找到安全漏洞的方法的安全问题:http://msdn.microsoft.com/en-us/library/ms998375.aspx我在这里得到了字符串搜索技术的摘要:http://blogs.msdn.com/ace_team/archive/2008/07/ 24 /安全码 - 审查 - 字符串搜索模式,为调查的漏洞,在-ASP净网页application.aspx
#8
0
You can use Paros or Netsparker for Security testing. The following URL can help to find some Security testing tools:
您可以使用Paros或Netsparker进行安全测试。以下URL可帮助您找到一些安全测试工具:
http://www.webresourcesdepot.com/10-free-web-application-security-testing-tools/