There are tons of tools available for performing web application security testing. Some of them are freeware/open-source while some are commercially available. The following table lists some of the basic tools that can be used effectively for performing web application security testing. Most of these tools are part of the default Kali Linux installation:
|
Test |
Tools required |
|
Information gathering |
Nikto, web developer plugin, Wappalyzer |
|
Authentication |
ZAP, Burp Suite |
|
Authorization |
ZAP, Burp Suite |
|
Session management |
Burp Suite web developer plugin, OWASP CSRFTester, WebScarab |
|
Input validation |
XSSMe, SQLMe, Paros, IBM AppScan, SQLMap, Burp Suite |
|
Misconfiguration |
Nikto |
|
Business logic |
Manual testing using ZAP or Burp Suite |
|
Auditing and logging |
Manual assessment |
|
Web services |
WSDigger, IBM AppScan web service scanner |
|
Encryption |
Hash identifier, weak cipher tester |