Penetration Testing Tools

Penetration testing tools

There are a couple of different directions you can go with automated testing tools for web applications.

First, there are the commercial web scanners, of which HP WebInspect and Rational AppScan are the two most popular. These are "all-in-one", "fire-and-forget" tools that you download and install on an internal Windows desktop and then give a URL to spider your site, scan for well-known vulnerabilities (i.e., the things that have hit Bugtraq), and probe for cross-site scripting and SQL injection vulnerabilities.

Second, there are the source-code scanning tools, of which Coverity and Fortify are probably the two best known. These are tools you install on a developer's desktop to process your Java or C# source code and look for well-known patterns of insecure code, like poor input validation.

Finally, there are the penetration test tools. By far the most popular web app penetration testing tool among security professionals is Burp Suite, which you can find at http://www.portswigger.net/proxy. Others include Spike Proxy and OWASP WebScarab. Again, you'll install this on an internal Windows desktop. It will run as an HTTP proxy, and you'll point your browser at it. You'll use your applications as a normal user would, while it records your actions. You can then go back to each individual page or HTTP action and probe it for security problems.

In a complex environment, and especially if you're considering anything DIY, I strongly recommend the penetration testing tools. Here's why:

Commercial web scanners provide a lot of "breadth", along with excellent reporting. However:

  • They tend to miss things, because every application is different.

  • They're expensive (WebInspect starts in the tens of thousands).

  • You're paying for stuff you don't need (like databases of known bad CGIs from the '90s).

  • They're hard to customize.

  • They can produce noisy results.

Source code scanners are more thorough than web scanners. However:

  • They're even more expensive than the web scanners.

  • They require source code to operate.

  • To be effective, they often require you to annotate your source code (for instance, to pick out input pathways).

  • They have a tendency to produce false positives.

Both commercial scanners and source code scanners have a bad habit of becoming shelfware. Worse, even if they work, their cost is comparable to getting 1 or 2 entire applications audited by a consultancy; if you trust your consultants, you're guaranteed to get better results from them than from the tools.

Penetration testing tools have downsides too:

  • They're much harder to use than fire-and-forget commercial scanners.

  • They assume some expertise in web application vulnerabilities --- you have to know what you're looking for.

  • They produce little or no formal reporting.

On the other hand:

  • They're much, much cheaper --- the best of the lot, Burp Suite, costs only 99EU, and has a free version.

  • They're easy to customize and add to a testing workflow.

  • They're much better at helping you "get to know" your applications from the inside.

Here's something you'd do with a pen-test tool for a basic web application:

  1. Log into the application through the proxy.

  2. Create a "hit list" of the major functional areas of the application, and exercise each once.

  3. Use the "spider" tool in your pen-test application to find all the pages and actions and handlers in the application.

  4. For each dynamic page and each HTML form the spider uncovers, use the "fuzzer" tool (Burp calls it an "intruder") to exercise every parameter with invalid inputs. Most fuzzers come with basic test strings that include:

    • SQL metacharacters

    • HTML/Javascript escapes and metacharacters

    • Internationalized variants of these to evade input filters

    • Well-known default form field names and values

    • Well-known directory names, file names, and handler verbs

  5. Spend several hours filtering the resulting errors (a typical fuzz run for one form might generate 1000 of them) looking for suspicious responses.

This is a labor-intensive, "bare-metal" approach. But when your company owns the actual applications, the bare-metal approach pays off, because you can use it to build regression test suites that will run like clockwork at each dev cycle for each app. This is a win for a bunch of reasons:

  • Your security testing will take a predictable amount of time and resources per application, which allows you to budget and triage.

  • Your team will get maximally accurate and thorough results, since your testing is going to be tuned to your applications.

  • It's going to cost less than commercial scanners and less than consultants.

Of course, if you go this route, you're basically turning yourself into a security consultant for your company. I don't think that's a bad thing; if you don't want that expertise, WebInspect or Fortify isn't going to help you much anyways.
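Step 5 of the procedure above, filtering a thousand or so fuzz responses per form for the suspicious few, is the part that turns into the regression suite the answer recommends. The following is an added example, not code from the original answer: it compares each response against a baseline response for the same form and reports anything that differs in status, differs markedly in size, carries a generic server-side error signature, or echoes the test input unencoded. The responses are constructed sample data and nothing is sent over the network; the signatures, tolerance and bucket width are assumptions for the example.

```python
"""Fuzz-result triage, an added example and not code from the original answer.

Each response is compared against a baseline response for the same form, and
any response that deviates in status code, deviates in size, carries a
server-side error signature, or echoes the test input unencoded is reported.
Responses here are constructed sample data; nothing is sent over the network.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Generic signatures of server-side error leakage (assumed patterns, not tied to
# any product); a response carrying one of these is worth a human look.
ERROR_SIGNATURES = [
    re.compile(r"unclosed quotation mark", re.I),   # SQL error text echoed to client
    re.compile(r"you have an error in your sql syntax", re.I),
    re.compile(r"\bORA-\d{5}\b"),
    re.compile(r"stack trace", re.I),
]


@dataclass
class Response:
    payload: str   # the test string the fuzzer put in the parameter
    status: int    # HTTP status code returned
    body: str      # response body


def triage(baseline, responses, length_tolerance=0.3):
    """Return [(payload, [reasons])] for every response that deviates from baseline."""
    findings = []
    base_len = max(len(baseline.body), 1)
    for r in responses:
        reasons = []
        if r.status != baseline.status:
            reasons.append(f"status {r.status} != baseline {baseline.status}")
        if abs(len(r.body) - base_len) / base_len > length_tolerance:
            reasons.append("response length deviates")
        for sig in ERROR_SIGNATURES:
            if sig.search(r.body):
                reasons.append(f"matches {sig.pattern!r}")
        # Input echoed back verbatim (and absent from the baseline) means the
        # application did not encode it: the precondition for cross-site scripting.
        if r.payload and r.payload in r.body and r.payload not in baseline.body:
            reasons.append("payload reflected verbatim")
        if reasons:
            findings.append((r.payload, reasons))
    return findings


def bucket(responses, width=25):
    """Collapse a large run into (status, size-bucket) counts so the odd ones stand out."""
    return Counter((r.status, len(r.body) // width) for r in responses)


def sample_run():
    """Constructed baseline and fuzz responses for one 'order lookup' form."""
    base_body = "<html><body><h1>Order lookup</h1><p>No matching orders.</p></body></html>"
    baseline = Response("", 200, base_body)
    responses = [
        Response("abc", 200, base_body),
        Response("123", 200, base_body),
        Response("foo", 200, base_body),
        # SQL metacharacter: error text leaks and the status changes
        Response("'", 500, "<html><body>Server Error: Unclosed quotation mark "
                           "after the character string ''.</body></html>"),
        # HTML metacharacters: echoed without encoding
        Response("<x>probe</x>", 200,
                 "<html><body><h1>Order lookup</h1><p>No matching orders for "
                 "<x>probe</x>.</p></body></html>"),
        # Oversized input: status is still 200 but the page came back empty
        Response("A" * 2000, 200, ""),
    ]
    return baseline, responses


if __name__ == "__main__":
    base, run = sample_run()
    print("buckets:", dict(bucket(run)))
    for payload, reasons in triage(base, run):
        print(f"{payload[:20]!r:>24}: {'; '.join(reasons)}")
```

The bucket view is what makes a thousand-response run manageable: the benign responses collapse into one (status, size) cell and the handful of outliers stand alone, so the per-form baseline plus these rules can be re-run unattended at each dev cycle and only the deviations need a person.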

Penetration testing for PHP security vulnerabilities

It all boils down to what you want; you may use Burp Suite, which is a great manual pentesting tool with a nice community and resources online that allow you to perform pen tests efficiently.

You might want to try automatic web application scanners such as Acunetix Web Vulnerability Scanner, which also comes with manual pentesting tools and automatic crawling and scanning of a site (which is great IMO). They also offer free 14-day trials, which should be more than enough for your purpose.

I always believe pentesting should start off with automated software tools as mentioned above and be reinforced with manual intervention to make sure you have tested the application effectively.

There's no right or wrong way to do it, however the above method is what many opt for. You might also want to read the Hacker's Handbook by Dafydd Stuttard and Marcus Pinto. This gives a great overview on web applications, how to penetrate them and how to safeguard them.

You can make use of utility tools such as Nmap and OpenSSL to confirm or attempt to discover vulnerabilities within an application.

What is the best tool for pen testing android app

First, learn the adb commands for connecting the device to your PC, so that you can launch the app on your device. Yes, you can use Kali Linux.

Then go for these tools:

  1. Burp Suite Pro (for proxy intercept, etc.)

  2. Drozer

  3. dex2jar

  4. AppWatch by Attify.com

  5. AndroBugs

  6. MobSF

  7. JD-Gui (for analyzing source code)

  8. apktool

Each tool has its own specialty.

These are the latest tools you can use for Android penetration testing.

Preparing an ASP.Net website for penetration testing

I think that the checklist changes over time, and it is theory together with experience. I always check my log files and see new ways that they try to penetrate my site, like scans for "non-existing" files or attempts to run random queries.

A good page that has many articles on penetration:
http://www.cgisecurity.com/pentest.html

Some of the ways they try to penetrate my sites:

Most common

  • SQL injections, so I check and block users that call my sites with the "select" command in the URL. I also check for other SQL commands.
  • Forgotten JavaScript file browser: I see that lately they search for links like: www.mysite.com/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=

To find them, I monitor the "Page not found" event. Of course, if the page is found, then they have penetrated. However, it is more likely to see failed tries and see what they are looking for.

Oracle attack

These days I also see a lot of oracle attacks. I find them and block the full IP of the attacker using this code: "CryptographicException: Padding is invalid and cannot be removed and Validation of viewstate MAC failed".

Stealing cookies

I also follow the answers from this question: "Can some hacker steal the cookie from a user and login with that name on a web site?"

Main points: always use SSL encryption on login cookies (requireSSL=true), and do not place roles in cookies (cacheRolesInCookies=false).

Block in advance

I also block blacklisted IPs from inside the system/program/IIS, but in the past I have used PeerGuardian. Also, there you can find a lot of bad-IP lists that you can block in advance. My only note on these bad IPs is that I do not block them forever, but only for some days. Blocking bad IPs also helps me with the hundreds of spam emails.
http://phoenixlabs.org/pg2/

Investigate the Log

I think that there are many ways that people can think of and try to penetrate your site. The point is how you can predict them and log them before that happens, and always make a better mechanism to avoid them. As I say, I monitor the page not found and the inside errors that pages throw. These 2 methods show me a lot of penetration attempts.

Uploading scripts

If you have given access to uploading files, images and other stuff, make sure that they cannot be run in the upload directory. This can be done either by double-checking the extension of the file and also by disabling the running of programs and scripts in that directory from the server itself, but also by placing a web.config in the upload directory with:

<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Read one case:
I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them‼
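The answer above watches the "page not found" and server-error events for the probes it lists (requests for forgotten PHP file browsers, SQL keywords in the URL) and blocks offending IPs only for some days rather than forever. The following is an added example, not code from the original answer: it applies those rules to a few constructed IIS W3C access-log lines, scores each client IP and proposes a time-limited block. The field layout, the weights and the threshold are assumptions for the example; the ViewState/padding errors the answer also mentions are raised by the application rather than recorded in the access log, so they are not covered here.

```python
"""IIS access-log triage, an added example and not code from the original answer.

Scores each client IP on the signals the answer watches for (404s on foreign
script paths, SQL keywords in the query string, server errors) and proposes a
block with an expiry date. Log lines, weights and threshold are constructed
assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample; real IIS logs carry more fields, this subset is enough here.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-03-01 10:00:01 203.0.113.5 GET /default.aspx - 200
2011-03-01 10:00:02 203.0.113.5 GET /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php type=file&folder= 404
2011-03-01 10:00:03 203.0.113.5 GET /admin/filebrowser.php - 404
2011-03-01 10:00:04 203.0.113.5 GET /products.aspx id=1%20union%20select%201,2,3 500
2011-03-01 10:00:05 198.51.100.7 GET /products.aspx id=42 200
2011-03-01 10:00:06 198.51.100.7 GET /images/logo.png - 200
2011-03-01 10:00:07 198.51.100.7 GET /old-page.aspx - 404
"""

# SQL commands the answer filters for in the query string ("select" and others).
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I)
# Script extensions that do not exist on an ASP.NET site, so a 404 for one is a probe.
FOREIGN_SCRIPT_EXT = (".php", ".cgi", ".pl")

# Assumed weights: how strongly each signal counts toward a block.
WEIGHTS = {"foreign_script_404": 2, "sql_in_query": 3, "server_error": 1, "other_404": 1}


def parse_log(text):
    """Parse W3C lines into dicts; directive lines (#...) and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 7:
            continue
        _date, _time, ip, method, stem, query, status = parts
        records.append({"ip": ip, "method": method, "stem": stem,
                        "query": "" if query == "-" else unquote_plus(query),
                        "status": int(status)})
    return records


def signals(rec):
    """Name every suspicious property of one request."""
    found = []
    if rec["status"] == 404:
        if rec["stem"].lower().endswith(FOREIGN_SCRIPT_EXT):
            found.append("foreign_script_404")
        else:
            found.append("other_404")
    if SQL_KEYWORDS.search(rec["query"]):
        found.append("sql_in_query")
    if rec["status"] >= 500:
        found.append("server_error")
    return found


def score_clients(records):
    """Return {ip: (score, [signal names])} aggregated over all requests."""
    scores = defaultdict(lambda: [0, []])
    for rec in records:
        for s in signals(rec):
            scores[rec["ip"]][0] += WEIGHTS[s]
            scores[rec["ip"]][1].append(s)
    return {ip: (score, names) for ip, (score, names) in scores.items()}


def propose_blocks(scores, now, threshold=5, days=3):
    """Return {ip: expiry} for clients over the threshold; blocks are time-limited."""
    return {ip: now + timedelta(days=days)
            for ip, (score, _) in scores.items() if score >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    scores = score_clients(recs)
    for ip, (score, names) in scores.items():
        print(f"{ip:>14} score={score} {names}")
    print("blocks:", propose_blocks(scores, datetime.now()))
```

The query string is URL-decoded before the keyword check, since "%20union%20select" would otherwise slip past a plain substring match; the single ordinary 404 from the second client scores below the threshold, which is the point of weighting rather than blocking on any one event.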

Web Pen Testing Recommendations - Tools & External Contractor Recommendations

@Jammer, I am not sure if there exists such a rating as you are looking for. My personal view would be: make a study of your requirements, whether you are looking for a certification, compliance, or just trying to increase security. Based on these criteria, you can look at the pentesting organisations and evaluate them on your own. This link may help:

http://www.ivizsecurity.com/blog/penetration-testing/how-to-choose-penetration-testing-companies/

Anyway, there is always a trade-off between choosing third-party vendors or owning your own security team. You can go for third-party consultation and then have your own in-house, security-educated QA team.

Hope this helps.
