Introduction to PCI DSS (Payment Card Industry Data Security Standard)   Introduction to PCI DSS (Payment Card Industry Data Security Standard)   

Data Protection Act 1998   Data Protection Act 1998   

Secure HTML Practices   Secure HTML Practices   

SQL Injection Attack - Introduction and Mitigation Steps   SQL Injection Attack - Introduction and Mitigation Steps   

Cross Site Scripting (XSS) – Introduction and Mitigation Steps   Cross Site Scripting (XSS) – Introduction and Mitigation Steps   

Audit and Testing Tools for Web Application Security   Audit and Testing Tools for Web Application Security   

Threat Modeling for Web Application Security - Practice Guide   Threat Modeling for Web Application Security - Practice Guide   

Audit and Testing Tools for Web Application Security

Published on: 8/15/2014
Topic: Cyber Security Audit Tools
List of security testing tools that can be used for Auditing and Scanning of Web Site. Few of them are available as open source as part of OWASP project.

Table of Contents

HP WebInspect Features - Web Application Scanner

HP WebInspect is a security testing tool for web applications. This is part of HP Application Security Center product suite.

HP WebInspect includes checks for following vulnerabilities:
Data injection and manipulation attacks
• Reflected cross-site scripting (XSS)
• Persistent XSS
• DOM-based XSS
• Cross-site request forgery
• SQL injection
• Blind SQL injection
• Buffer overflows
• Integer overflows
• Log injection
• Remote File Include (RFI) injection
• Server Side Include (SSI) injection
• Operating system command injection
• Local File Include (LFI)
• Parameter Redirection
• Auditing of Redirect Chains

Sessions and authentication
• Session strength
• Authentication attacks
• Insufficient authentication
• Insufficient session expiration

• Ajax auditing
• Flash Analysis
• HTTP Header Auditing
• Detection of Client-side Technologies
• Secure Sockets Layer (SSL) certificate issues
• SSL protocols supported
• SSL ciphers supported
• Server misconfiguration
• Directory indexing and enumeration
• Denial of service
• HTTP response splitting
• DOS device handle DoS
• Canonicalization attacks
• URL redirection attacks
• Password auto complete
• Cookie security
• Custom fuzzing
• Path manipulation—traversal
• Path truncation
• WebDAV auditing
• Web services auditing
• File enumeration
• Information disclosure
• Directory and path traversal
• Spam gateway detection
• Brute force authentication attacks

HP WebInspect – Key Features

Innovative assessment technology:
• Advanced client-side scripting technology to analyze JavaScript, Flash, and others
• Produce faster scans and more accurate results through simultaneous crawl and audit and concurrent scanning
• Advanced macro recording technology and flexible authentication handling for improved session management in complex applications
• Increase accuracy of detection using Intelligent Engines designed to imitate a hacker’s methodology
• List-driven assessments for targeted and efficient application scanning
• Optimizations for depth-first crawling option for websites that enforce order-dependent navigation
• Fingerprinting of Web framework using Smart Scan technology to reduce unnecessary attacks

Advanced web services security testing:
• Support for complex data types for rendering advanced WSDLs and specifying test data
• Automatically discover and audit web services embedded in an application
• Focused web service attacks and fuzzing
• Web Service Security Designer tool for configuring web service security tests

Refined and simple usability
• Quickly initiate simple or regression scans with minimal configuration for immediate results
• Walk through an intuitive wizard to setup a scan and begin reviewing results within seconds
• Review and control multiple simultaneous scans and reports through a tabbed interface
• Submit false positive reports and other feedback directly and securely to HP in just a couple clicks
• Create reusable, componentized macros to record testing steps and login procedures
• Develop custom attacks and policies quickly and easily using the custom check wizard

Actionable remediation and compliance reports:
• Run compliance reports for all major regulatory standards, including PCI, SOX, ISO, and HIPAA
• Create flexible, extensible, and scalable reports that match your business
• Simplify repetitive report generation through report templates
• Customize fonts, colors, and backgrounds with the style editor allowing you to generate scan reports with a professional, polished appearance
• Assess application security trends and readiness

Key integrations:
• Integrate into your defect management processes with out-of-the-box integrations with HP Quality Center
• Integrate into your enterprise application security management process with an out-of-the-box integration with HP Assessment Management Platform software
• Extensive data export via XML for open integration with other security management systems
• Include information from external data sources in your reports via ODBC, SQL, or XML connections

HP Security Toolkit:
• Report Designer: allows you to create new reports or customize the ones from HP, combine external data sources, edit the style, and create custom user input
• SQL injector: extract entire databases by using SQL injection vulnerabilities
• Cookie cruncher: analyze the strength of cookies to avoid session hijacking
• Encoder: translate different encryption and encoding standards
• HTTP editor: create and edit raw HTTP requests
• Regex editor: test and build regular expressions
• Web Service Test Designer: generate and edit raw Web services requests
• Web Fuzzer: identify buffer overflows using HTTP fuzzing or modify input variables
• Web Proxy: view every request and server response while browsing a site
• WebBrute: test the strength of login forms or Web and proxy authentication systems
• WebDiscovery: identify and discover which Web servers and Web applications are behind which ports
• Server analyzer: identify a Web server or device and perform deep SSL analysis
• Traffic monitor: monitor every HTTP request and response sent during the crawl and audit

HP WebInspect Real-Time:
• Integrated dynamic and real-time analysis to find more vulnerabilities and fix them faster
• Works in concert with HP Fortify SecurityScope to observe attacks at the code level during dynamic scans
• Identify and crawl more of an application to expand the coverage of the attack surface and detect new types of vulnerabilities
• Provides stack traces and line-of-code detail to confirmed vulnerabilities

Interactive vulnerability review and management:
• Streamlined vulnerability review process enables user to interact with test results
• Flexible vulnerability results view for grouping and filtering of results
• Displays detailed steps to reproduce a vulnerability and show how it was identified
• Retest a single vulnerability by re-executing the series of steps to validate or regression test a fix
• Enter manual findings and attach screenshots and documents to test results for better context and communication
• Persist test results across scans

Continue Reading: PureCloud - Cloud based Free Network Security Scanner