: Tools to check for common vulnerabilities? Are there any good tools (desktop or online) which allow you to check whether your website has common vulnerabilities (e.g. SQL Injection, XSS)?
Are there any good tools (desktop or online) which allow you to check whether your website has common vulnerabilities (e.g. SQL Injection, XSS)?
More posts by @Welton855
8 Comments
Sorted by latest first Latest Oldest Best
Acunetix web vulnerabbility is really good, I have used it and really like it.
You can scan website for XSS,SQL injection,weak uploading system, and many many more.
Enjoy it.
w3af is one of the best available pieces out there for web audit, and it's also FOSS
"w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend."
make sure to give it a try
I have been doing exactly this sort of thing for a long time, and would agree that the best solution is to use experienced testers to check your security profile, however testing for these types of vulnerabilities is actually pretty easy to automate. Having managed a programme to test around 1000 web applications over a 6 month period, I can say the standout tools for me are IBM's AppScan and Burp - and for most purposes Burp is lighter, faster, more configurable, and is a whole lot cheaper!
Very easy to get Burp to check for input validation failures - and sort out your SQL injection and XSS issues. You can get exceedingly good coverage of these type of vulnerabilities.
Google's RatProxy is also a really great option for check for XSS. Since it's set up and operates as a proxy, it's easy to use, as it simply follows your browser around as you test your site normally. It records all the interactions, POSTs, GETs, etc, and can replay those interactions attempting to inject malicious content. Once it replays the requests, it will check the output for the signs of XSS. Additionally, it keeps a record of the entire HTTP lifecycle, which can be used for further debugging.
You might want to check out Google's Skipfish, its extremely comprehensive and works from dictionaries that you supply, defaults (standard/kitchen sink) are included.
Its also a little more 'gentle' than others that I've used, but I can't find something with the same features to compare results with.
Its written C, has VERY informative output and is extremely easy to use. I recommend running it from any standard *nix server, or from home if you have a fast connection. Its also got a smart request queue system with real time updates. Its actually fun to watch it work.
It reports on most vulnerabilities, plus lots of other problems that you may not be aware of. Its a little pedantic, but pedantic is a good quality for such a tool.
Screenshot of results (a little old):
alt text skipfish.googlecode.com/files/skipfish-screen.png
Microsoft has a Code Analysis Tool that does this (here is a Channel 9 video on it, and here is a download link for v1). Wikipedia also has a pretty good list of static code analysis tools.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2025 All Rights reserved.