Web Application Auditing Tools
As computer security guys living in a web world, we always talk about the fact that no matter how secure the overall system might be, one weak spot is all that is needed most of the time. This is even more true on a web server than anywhere else, because it generally contains the most things that get overlooked, especially at a corporate level. You may have the best detection software, but if you have a web server, especially one that is not properly placed into what is commonly (and wrongly, mind you) called a DMZ, disaster is just waiting to happen. And you don’t even have to host your own server: as our web world becomes more and more advanced, more and more information, sometimes very secretive information, finds its way onto web servers, and it becomes more and more of a liability to lose control over that data. Even if there is no personal information on your website or corporate website, it does not mean it has no value; a broken website is one that does not attract any new customers or visitors. So there is always a good reason to protect it, or at least to know your exposure…
So, I have discussed vulnerabilities in posts about Cross Site Scripting and Script Fragmentation; now let's talk about some automated tools for auditing your web infrastructure. There are a few tools available for web application auditing, and I will mention a few: w3af, WebScarab, some Firefox plug-ins, ratproxy, and a couple of others.
w3af – http://w3af.sourceforge.net/
It's a web application vulnerability testing framework; think of it as Metasploit for a website.
Firefox Plug-Ins:
Web Developer – useful for removing form restrictions, e.g. to enter strings longer than the maximum length allowed by the form field (a client-side limit only; the server has to enforce its own)
Hackbar – useful for URL encoding/decoding and for obfuscating SQL injection and XSS strings to get them past some filters
FoxyProxy – quick proxy switcher, sometimes helpful when using tools that work as proxies
TamperData – lets you intercept requests and responses and modify them on demand
WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Another web application analysis tool; it includes a lot of neat tricks, so read the documentation.
Ratproxy – http://code.google.com/p/ratproxy/
A (mostly) passive scanner for possible web application vulnerabilities.
Sleuth – http://sandsprite.com/Sleuth/index.html
Manual web application testing tool
Paros – http://www.parosproxy.org/index.shtml
Last but not least, this is another proxy-based tool, a very interesting one; it scans for a very wide variety of vulnerabilities, lots of fun.
These are in no particular order; they are all great in many ways, each in their own. Before using any of the tools, make sure you RTFM: some tools can really break stuff, so be careful, audit your website, and above all, don't disregard web app security!
–Niksoft–