Building a Security Tool Chest - Part 3 - Web App Testing Tools

Thursday, December 04, 2008 2:22:40 PM (Pacific Standard Time, UTC-08:00)
by Brennen Reynolds


Web application testing tools are a dime a dozen these days. This post is a short list and description of the tools my colleagues and I use during our web app testing engagements. The first two posts in the Security Tool Chest series can be found here: Part 1 - Live CDs and Part 2 - Recon Tools. There are many more tools, both freeware and commercial, that can be used to assist in testing.


Firefox Plug-ins:


Tamper Data – A Firefox plug-in that allows inline capture and modification of outgoing HTTP requests. Instead of relying on JavaScript to modify the DOM before a form or query is submitted, you can trap the request, edit it (including adding completely new fields) and forward it to the server. This allows a tester to bypass all client-side filtering and validation a web application may have, which is why those checks must also be enforced on the server.


User Agent Switcher – A Firefox plug-in that lets a tester quickly change the User-Agent string the browser submits with each request. Normally this is not terribly exciting, but some websites have been coded to allow search bots access to otherwise restricted pages. By emulating the agents used by Google, Yahoo or MSN, a tester may be able to gain access to otherwise unavailable files and content.


RefControl – Similar to User Agent Switcher, this Firefox plug-in lets the tester easily change the HTTP Referer header on a per-site basis. Some poorly written sites and applications use the referrer as their only security check, verifying that the user arrived from a specific location before allowing access to a page. Because the header is supplied by the client, RefControl can spoof it trivially and allow a tester to bypass the login page.
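The two checks described above (trusting the User-Agent to admit search bots, and trusting the Referer to gate a page) fail for the same reason: both headers are chosen by the client. The following is an added example, not code from the original post, showing the flawed check beside a server-side session check that the same header edits cannot satisfy. The `Request` class, `SERVER_SECRET`, the `example.test` URL and the session table are constructed placeholders, not any real framework's API.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed placeholder; a real deployment loads this from configuration.
SERVER_SECRET = b"placeholder-secret-do-not-deploy"

# Server-side session table: session id -> username. This is state the
# client cannot produce by editing request headers.
SESSIONS: dict[str, str] = {}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def weak_is_authorized(req: Request) -> bool:
    """The flawed pattern: authorization derived from Referer or User-Agent.

    Both headers are set by the client, so any request that carries the
    expected values passes, whether or not a login ever happened.
    """
    referer = req.headers.get("Referer", "")
    agent = req.headers.get("User-Agent", "")
    return referer.startswith("https://example.test/login") or "Googlebot" in agent


def issue_session(user: str) -> str:
    """Called only after a real credential check: record a server-side
    session and return an HMAC-signed token to place in a Set-Cookie header."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = user
    tag = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def strong_is_authorized(req: Request) -> bool:
    """The corrected pattern: ignore Referer and User-Agent entirely and
    accept only a cookie that maps to a session the server itself created."""
    token = req.cookies.get("session", "")
    session_id, _, tag = token.partition(".")
    expected = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    # compare_digest keeps the signature comparison constant-time
    if not hmac.compare_digest(tag, expected):
        return False
    return session_id in SESSIONS
```

For search-engine allow-lists specifically, the engines document verifying their crawlers by reverse and forward DNS lookup of the source address rather than by User-Agent string.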


ChickenFoot or Greasemonkey – These two Firefox plug-ins let the tester customize the scripting environment within the browser and manipulate the way pages are rendered. Both allow custom third-party scripts to be executed once a page or application is loaded into the browser, which lets a tester debug, or even break, the scripts and DOM of the content being displayed.


Websites:


myIPNeighbors.com – This website allows a tester to determine if other domains are being hosted on the same IP address as their target site. It is most useful when the target is located at a hosting provider as they tend to run numerous domains on a single IP address.


Standalone Apps:


Nmap – While not a web application testing tool in the traditional sense, Nmap does have a small place in web app testing. It may help identify the version of the web server running on the target system when the site has been configured to suppress banners. It can also usually identify the operating system of the target, which further narrows the possible versions of the services on the system.


Wikto and Nikto – Open source web server scanners that check for a large number of common vulnerabilities. They include the GHDB library of attacks, server fingerprinting, directory spidering, SSL support and detailed reporting capabilities.


Acunetix WVS – A web application scanner that crawls a site or app looking for common files and vulnerabilities. Both a free and a commercial version of the tool are available. The free scanner only checks for XSS vulnerabilities, whereas the commercial version also attempts to locate common config files, backup versions of files, SQL injection, XSS and more.