Web Application Testing References And Resources
Today, we have multiple tools at our disposal when it comes to web application testing. Sometimes, it can be challenging to make the right decision when it comes to choosing a web application testing tool that fits your specific needs. There are endless factors that come into play when inspecting, verifying, and assessing code as multiple factors come into play that depends on the type of platform being used (e.g. a server cluster or virtual cloud-based system), the programming language being employed as well as the purpose of the web application itself.
We consistently have different varieties and levels of tests that are performed to ensure compatibility, uniformity, and compliance.
Web Application Firewall
- ModSecurity – ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
- NAXSI – NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX, NAXSI means Nginx Anti Xss & Sql Injection.
- sql_firewall SQL Firewall Extension for PostgreSQL
- ironbee – IronBee is an open source project to build a universal web application security sensor. IronBee as a framework for developing a system for securing web applications – a framework for building a web application firewall (WAF).
Scanning / Pentesting
- Spyse – Spyse is an OSINT search engine that provides fresh data about the entire web. All the data is stored in its own DB for instant access and interconnected with each other for flexible search. Provided data: IPv4 hosts, sub/domains/whois, ports/banners/protocols, technologies, OS, AS, wide SSL/TLS DB and more.
- sqlmap – sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
- ZAP – The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- OWASP Testing Checklist v4 – List of some controls to test during a web vulnerability assessment. Markdown version may be found here.
- w3af – w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
- Recon-ng – Recon-ng is a full-featured Web Reconnaissance framework written in Python. Recon-ng has a look and feel similar to the Metasploit Framework.
- PTF – The Penetration Testers Framework (PTF) is a way for modular support for up-to-date tools.
- Infection Monkey – A semi automatic pen testing tool for mapping/pen-testing networks. Simulates a human attacker.
- ACSTIS – ACSTIS helps you to scan certain web applications for AngularJS Client-Side Template Injection (sometimes referred to as CSTI, sandbox escape or sandbox bypass). It supports scanning a single request but also crawling the entire web application for the AngularJS CSTI vulnerability.
- padding-oracle-attacker – padding-oracle-attacker is a CLI tool and library to execute padding oracle attacks (which decrypts data encrypted in CBC mode) easily, with support for concurrent network requests and an elegant UI.
- PhpSploit – Full-featured C2 framework which silently persists on webserver via evil PHP oneliner. Built for stealth persistence, with many privilege-escalation & post-exploitation features.
Runtime Application Self-Protection
- Sqreen – Sqreen is a Runtime Application Self-Protection (RASP) solution for software teams. An in-app agent instruments and monitors the app. Suspicious user activities are reported and attacks are blocked at runtime without code modification or traffic redirection.
- OpenRASP – An open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load.
- API Security in Action – Book covering API security including secure development, token-based authentication, JSON Web Tokens, OAuth 2, and Macaroons. (early access, published continuously, final release summer 2020)
- Secure by Design – Book that identifies design patterns and coding styles that make lots of security vulnerabilities less likely. (early access, published continuously, final release fall 2017)
- Understanding API Security – Free eBook sampler that gives some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.
- OAuth 2 in Action – Book that teaches you practical use and deployment of OAuth 2 from the perspectives of a client, an authorization server, and a resource server.
- OWASP ZAP Node API – Leverage the OWASP Zed Attack Proxy (ZAP) within your NodeJS applications with this official API.
- GuardRails – A GitHub App that provides security feedback in Pull Requests.
- Checkov – A static analysis tool for infrastucture as code (Terraform).