Web applications are everywhere in the Internet era, and web servers draw more attacks than any other class of application. I believe that a routine schedule for testing web servers and web applications for security weaknesses is an essential step in protecting the security of the whole organization.
I suggest the following web vulnerability scanners for ethical security testing of your web servers and web applications.
- Nikto
- Paros Proxy
- WebScarab
- HP WebInspect
- Whisker
Nikto is an excellent tool for web testing. It is open source (free), written in Perl, and runs on Linux and other Unix variants, and on Windows wherever Perl is installed. It checks your web server for over 3500 potentially dangerous CGIs and files, outdated versions of over 900 servers, and version-specific problems on over 250 servers. An automatic update feature downloads the latest plugins and check database. The latest version at the time of writing is 2.03. Wikto, from SensePost, is a separate Windows tool that reuses Nikto's check database. Note that Nikto is deliberately noisy rather than stealthy: it sends thousands of requests and will show up clearly in server logs and IDS alerts, so run it only against systems you are authorised to test.
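To show what a Nikto-style scan actually does, here is an added example (not Nikto's own code): a minimal scanner that probes a short, constructed list of dangerous paths, reads the Server banner, compares it against an illustrative outdated-version table, and first checks a random path so that a catch-all server answering 200 to everything does not produce false positives. The target is a constructed in-process HTTP server, so the whole thing runs offline; the paths, the banner and the version thresholds are all assumptions for illustration.

```python
"""Added example, not Nikto's code: a minimal Nikto-style file and banner check
against a constructed in-process target."""
import http.client
import http.server
import secrets
import threading

# Constructed mini-database of paths attackers probe. Real Nikto ships thousands.
DANGEROUS_PATHS = [
    "/cgi-bin/test-cgi",
    "/cgi-bin/printenv",
    "/.git/HEAD",
    "/phpinfo.php",
    "/server-status",
]

# Illustrative "minimum current version" table: banner name -> version tuple.
# These numbers are assumptions for the example, not Nikto's data.
OUTDATED = {"Apache": (2, 4, 0)}


class Target(http.server.BaseHTTPRequestHandler):
    """Constructed vulnerable target: two probed files exist and the banner is old."""
    server_version = "Apache/2.2.15"
    sys_version = ""
    exposed = {"/cgi-bin/test-cgi": b"CGI test script", "/phpinfo.php": b"PHP Version"}

    def do_GET(self):
        body = self.exposed.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def parse_version(banner):
    """'Apache/2.2.15' -> ('Apache', (2, 2, 15)); None if there is no version."""
    name, sep, ver = banner.strip().partition("/")
    if not sep:
        return None
    parts = []
    for piece in ver.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return name, tuple(parts)


def probe(host, port, path):
    """One GET; returns (status, server banner or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"User-Agent": "mini-nikto/0.1"})
    resp = conn.getresponse()
    resp.read()
    banner = resp.getheader("Server")
    conn.close()
    return resp.status, banner.strip() if banner else None


def scan(host, port, paths=DANGEROUS_PATHS):
    """Baseline check, then probe each path; report exposures and banner age."""
    findings = {"exposed": [], "banner": None, "outdated": False, "catchall": False}
    # Baseline: a random path must 404, otherwise 200s mean nothing (catch-all server).
    status, banner = probe(host, port, "/" + secrets.token_hex(8))
    findings["banner"] = banner
    findings["catchall"] = status == 200
    if not findings["catchall"]:
        for path in paths:
            status, _ = probe(host, port, path)
            if status == 200:
                findings["exposed"].append(path)
    parsed = parse_version(findings["banner"] or "")
    if parsed and parsed[0] in OUTDATED and parsed[1] < OUTDATED[parsed[0]]:
        findings["outdated"] = True
    return findings


def start_target():
    """Start the constructed target on a free localhost port; return (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_target()
    print(scan("127.0.0.1", port))
    srv.shutdown()
```

The baseline request is the detail worth copying: a server that returns 200 with a friendly page for every URL would otherwise make every path in the list look "exposed", which is exactly the kind of false positive a real scanner has to suppress.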
Because Paros is written in Java, it is cross-platform and runs on any operating system with Java JRE/JDK 1.4.2 or above. It is also free. When you start Paros on your computer, it runs a local web proxy server that you point your browser at. Paros then intercepts all HTTP traffic between your browser and the web server so that you can view and edit HTTP messages on the fly. It also includes a web spider and a scanner for common web application attacks.
WebScarab is designed as a tool for a security specialist to identify vulnerabilities in the way an application has been designed or implemented, and it also allows web developers to debug HTTP problems. In its simplest form, WebScarab works as an intercepting proxy (similar to Paros), allowing the user to view and modify requests and responses between a web browser and server.
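The "edit on the fly" capability that both Paros and WebScarab provide is easiest to understand by building a tiny one. The following is an added example, not code from either project: an intercepting proxy that a browser would be pointed at, with a tamper hook that rewrites a `price` parameter before forwarding, plus a constructed backend that naively trusts that parameter. Everything is in-process and offline; the endpoint, parameter names and values are assumptions for illustration.

```python
"""Added example, not Paros or WebScarab code: a minimal intercepting HTTP proxy
with a tamper hook, exercised against a constructed in-process backend."""
import http.client
import http.server
import threading
import urllib.parse


class Backend(http.server.BaseHTTPRequestHandler):
    """Constructed target: a checkout endpoint that trusts a client-supplied price."""

    def do_GET(self):
        qs = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        price = qs.get("price", ["?"])[0]
        body = f"charged {price}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def tamper(method, url, headers):
    """Edit-on-the-fly rule: rewrite any price=... query parameter to 1."""
    parts = urllib.parse.urlsplit(url)
    q = urllib.parse.parse_qs(parts.query)
    if "price" in q:
        q["price"] = ["1"]
    new_url = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(q, doseq=True)))
    return method, new_url, headers


class InterceptingProxy(http.server.BaseHTTPRequestHandler):
    """The browser is configured to use this proxy; each request passes through `hook`."""
    hook = staticmethod(tamper)
    log = []  # (url as received, url as forwarded) pairs, like a proxy history tab

    def do_GET(self):
        # A proxy-aware client sends the absolute URL in the request line.
        method, url, headers = self.hook("GET", self.path, {k: v for k, v in self.headers.items()})
        self.log.append((self.path, url))
        parts = urllib.parse.urlsplit(url)
        headers.pop("Proxy-Connection", None)  # hop-by-hop, never forwarded upstream
        upstream = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        upstream.request(method, urllib.parse.urlunsplit(("", "", parts.path or "/", parts.query, "")),
                         headers=headers)
        resp = upstream.getresponse()
        body = resp.read()
        upstream.close()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start(handler):
    """Serve `handler` on a free localhost port in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def http_get(port, target, host=None):
    """GET `target` from localhost:`port`; `target` is an absolute URL when talking to the proxy."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", target, headers={"Host": host} if host else {})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def demo():
    """Same request sent directly and through the tampering proxy; returns both bodies."""
    backend, bport = start(Backend)
    proxy, pport = start(InterceptingProxy)
    try:
        path = "/checkout?item=42&price=500"
        _, direct = http_get(bport, path)
        _, via_proxy = http_get(pport, f"http://127.0.0.1:{bport}{path}", host=f"127.0.0.1:{bport}")
        return direct, via_proxy
    finally:
        proxy.shutdown()
        backend.shutdown()


if __name__ == "__main__":
    print(demo())
```

The point for the tester is the one the proxy makes visible: anything the browser sends, including values the page "fixed" in hidden fields or JavaScript, is attacker-controlled, so the server must recompute or validate it itself. Paros and WebScarab let you do this edit interactively instead of with a fixed rule.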
HP WebInspect was formerly a product of SPI Dynamics, which was acquired by HP. It is a powerful commercial tool for web application scanning that performs security testing and assessment of today's complex web applications, including those built on emerging Web 2.0 technologies. It can also check that a web server is configured properly, and it attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
Whisker is another free, open source CGI vulnerability scanner. Its author has since retired it in favour of Nikto, which is built on the same LibWhisker library, so for new work Nikto is the one to run.