Which software security testing tools do you use?

Hey guys!

I’m writing an article about software security testing tools. I wonder if any of you could share your experience. Have you used tools like Netsparker, Zed Attack Proxy, or Nessus, or perhaps there are better options? What were the pros and cons of using the tool?

I would really appreciate the feedback from pentesters, security experts, or anyone possessing hands-on experience with security testing tools.

Hello,

Security testing plays an important role in the software development process. Security testing helps us to identify security-related issues, weakness. These security testing tools are very helpful to know the unknown vulnerabilities from the application. Here is the list of Penetration Testing tools for 2021.

• Netsparker
• Acunetix
• Intruder
• Indusface
• Intrusion Detection Software
• Traceroute NG
• ExpressVPN
• Owasp
• WireShark
• w3af

Thank you very much for your answer! Can you highlight the pros and cons you noticed while was using it? Especially cons are interesting for me. Maybe you remember something you found annoying as a user?

Nice question!

Before discussing the tools that are used for software security testing, Don’t you think!!!.. Firstly, we should know “What exactly the Software Security Testing is and why we need to do it?” Right!

So, let’s start!!!

Software security testing is performed in software testing services company to ensure that software systems and applications are free from any vulnerabilities, threats, and risks that may cause these tremendous losses.

Security testing of any system is about finding all possible loopholes and weaknesses of the system which might result in a loss of information, revenue, and reputation caused by employees or malicious external hackers.

With the information provided from testing, development teams can fix any vulnerabilities before malicious hackers exploit them.

The following are the critical areas that are covered by Security testing:-

• Confidentiality
• Authentication
• Authorization
• Integrity
• Non-repudiation
• Availability

Now, our next question is "Why we need to do Software Security Testing?"

Here, is an answer to your question:

-The primary purpose of security testing is to identify the security leakage and fix it in the initial stage itself. This helps to rate the stability of the current system and also helps to stand in the market for a longer time.

Security testing helps to avoid the following:

• Loss of important information.
• Loss of customer’s trust.
• Inconsistent website performance.
• Unexpected breakdown.
• Additional costs required for repairing websites after an attack.
• Information theft by an unauthorized user.

Finally, we have reached the last and the most important question " Which tools are used for software security testing?"

The following are some widely recommended tools used for software security testing:

1. SonarQube

• It is an open-source tool that is used to measure the quality of source code.

• Though written in Java, it can analyze over twenty different programming languages. It can easily integrate with continuous integration tools like Jenkins server, etc. The results will be populated to the SonarQube server with ‘green’ and ‘red lights’.

• Nice charts and project level issue lists can be viewed. We can invoke it from the GUI as well as the command prompt.

2. Klocwork

• It is a code analysis tool that is used to identify a security, safety, and reliability issues of the programming languages like C, C++, Java, and C#.

• We can easily integrate it with continuous integration tools like Jenkins and can also raise bugs in Jira upon encountering new issues.

3. NetSparker

• Netsparker has out-of-the-box support for several popular issue tracking, CI/CD, and other services used in development environments. Though if you use a system for which Netsparker does not have out of the box support you can always use the REST API.

• It works with Proof-Based Scanning, an exclusive technology that automatically verifies identified vulnerabilities, proving they are and not false positives.

4. Nmap

• In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results in the viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

• Nmap has been used to scan huge networks of hundreds of thousands of machines.

• Significant effort has been put into comprehensive resources for it such as whitepapers, tutorials, and even a book. You can find them in multiple languages.

• It’s well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. You can also find Nmap on Facebook and Twitter.

5. OWASP Zed Attack Proxy

• It’s designed to be used by both beginners and professionals.

• Cross-platform – works across all OS (Linux, Mac, Windows).

• ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

6. Sboxr

• Sboxr finds issues by just browsing through your site, there’s almost no learning curve.

• The creators of Sboxr will help you in understanding, validating or remediating issues through its professional support.

7. VAddy

• It’s the easiest tool to use if you want to add security checks into your CI pipeline.

• There is no tool to install or any special settings to configure.

8. Burp Suite

• The decoder tool in Burp Suite does the job of encoding and decoding data. A web application penetration tester needs to be able to understand the type of encoding that has been applied and then successfully decode the piece of data.

• Comparer tool: Useful for when you want to see how different values for parameters and headers enable subtle changes in the responses that you receive. It allows you to see how the application reacts to a valid user, invalid password combination compared to an invalid user, and invalid password combination.

• When you might be working on multiple projects for a client, the ability to Save State and Restore State comes in handy.

9. Acunetix

• With this tool, it’s possible to easily find and report many types of web weaknesses such as SQL injection, blind SQL injection, cross-site scripting, CRLF injection, code execution, directory traversal, file inclusion, and authentication bypass.

• Detailed penetration scenarios can be performed with Acunetix’s HTTP Editor, HTTP Sniffer, HTTP Fuzzer, WVS Scripting Tool, and Blind SQL Injector tools for advanced penetration testing processes.

• With the support of captcha, single sign-on and two-factor authentication, Acunetix can adapt to any kind of Web application.

Conclusion:

Software testing tools are pivotal in a software testing services company’s business strategy. To overlook system and information security is akin to business suicide. As crucial as software testing is, and as useful as software testing tools are, the implementation process is highly customized to suit the need of the business.

For this reason, it is important to have a trusted software security testing vendor.

@skillinen, fyi, you would be interested in this post.

With the tools you’re naming, I’m going to assume you’re testing web applications. Some of the best tests you can run are:

• Fuzzing - throw a lot of data at an application, log its responses, and look for patterns. If you notice that a certain character always causes a 500, for instance, you probably have a parser somewhere that can’t handle that input. Fuzzing is useful for functional and security testing. Fuzzing with attack strings is a great way to find vulnerabilities in your code, and also a great way to cause an enormous mess in your test environment.
• Dynamic scanning or DAST (dynamic application security testing) - what a lot of people mean when they say “security testing.” Intercepting proxies such as ZAP and Burp have some prebuilt dynamic scanning features. You can get a lot of benefit out of customizing them for your application.

Zed Attack Proxy is my favorite for manual exploration and fuzzing. It’s similar to Burp Suite, but free, open source, and maintained by OWASP, who I like. The custom fuzzing options are really nice - you can build wordlists or sample strings tuned to your application, and get more useful results than you can from most stock wordlists.

Its UI can be confusing, especially for someone who has never used an intercepting proxy before.
If you’re in a multi-domain Windows environment, it also does not like Kerberos, but that’s enough of an edge case that I have no qualms about recommending it.

BurpSuite is another intercepting proxy that does a good job of scanning web applications. I find its UI even more cluttered than ZAP’s, and many features I rely on are paid only.

Postman is excellent for APIs, and you can script it to do almost whatever you want. It has nice sharing features, so that you can have multiple teammates collaborate on a single test set.

ReadyAPI is …okay? I like it less than Postman for security testing. It integrates Groovy scripting, so you can do some interesting things with it, but I found it to require a lot of maintenance.

Wireshark is an amazingly powerful tool when you need to go to the protocol level and examine traffic between your applications. It’s unrivaled for its power and flexibility. Read or watch some tutorials; Wireshark is a deep subject in and of itself, and I found the online documentation somewhat difficult to work through.

As mentioned above, nmap is a tremendously powerful network scanner. It can not only map networks, but has many prebuilt security tests, and a huge market of scripts that you can run. Just like anything, if you are downloading code from an untrusted source (nmap scripts!) be very sure you know what it does before you run it.

Beware: some appliances do NOT like nmap scans. Talk to your Ops team before you start throwing packets around.

Here’s a bit of my list:

1. OWASP ZAP
   Easy to integrate Vulnerability Scanner into the pipeline.
   Also easy to use for manual testing, brute forcing, fuzzing etc. (some may use BurpSuite)

2. Snyk
   Automatically find, prioritize and fix vulnerabilities in the open source dependencies used to build your cloud native applications

3. OneListForAll & Big List of Naughty Strings
   GitHub - six2dez/OneListForAll: Rockyou for web fuzzing
   A list of words used for bruteforcing
   GitHub - minimaxir/big-list-of-naughty-strings: The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.

4. Crunch
   crunch | Penetration Testing Tools
   Wordlist generator

5. Knockpy
   GitHub - guelfoweb/knock: Knock Subdomain Scan
   Awesome tool to find subdomains.

So, looking at getting started in the area, it’s perplexing. Burpsuite is just an Everest sized mountain to use in demo mode, because you don’t seem to be able to save anything you just did between sessions. For a beginner it’s daunting, and £300 for a license is really steep. Am I understanding things correctly, it’s not a tool I would pay for out of my pocket and take with me as a skill later on?

As someone who is looking for some help navigating, with a goal to only “modify requests” maliciously and not wanting to “API” test an app at all, what is the right learning track to jump into? Postman appears to be the tool to use, if I’m not wanting to learn about scanning at all?

You can do that in the free version of BurpSuite, I’m doing that also. Just go to HTTP History & send to Repeater. The only downpart is, if you wish to use Intruder it’s very limited & slow. That’s why I often use ZAP for it.

Extra contribution to the thread of things I use (depending on your needs):

• GitHub - s0md3v/XSStrike: Most advanced XSS scanner.
• GitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTF
• GitHub - nerrorsec/GoogleDorker: This is a simple tool to automate google hacking when doing web penetration testing or bug hunting.
• GitHub - pwntester/ysoserial.net: Deserialization payload generator for a variety of .NET formatters
• GitHub - hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
• You can find some nice automated tools by TomNomNom here: tomnomnom (Tom Hudson) · GitHub
• GitHub - ticarpi/jwt_tool: A toolkit for testing, tweaking and cracking JSON Web Tokens
• GitHub - ffuf/ffuf: Fast web fuzzer written in Go

If you really want to get into it, you should follow some influencers and bug bounty platforms.
They often do demo’s of tools & interviews with bug bounty hunters and they’ll tell you more about what they use.

Kristof. Right now it’s a lot of word-soup because it’s a big bag of things to take in. I’m kind of hoping that by gaining some background I can later focus on just one area. I’m really relying on our security tester to do most of the scans and specific feature test explorations. I’ve decided to follow a few folk and gradually build up background.

So far, I suspect I want to use Burpsuites repeater tool, yes. Keen to learn how to simulate service errors, as well as simulate someone injecting malicious java into an app. And for example work out how to expire web-tokens to force an app to error on demand at a very specific point in the application lifecycle. All with my very basic java skill, something the tools assume you already are proficient in. I’m expecting a long journey

I would like to advise you to read security reports; that has been a big help for me when I started doing security for ‘real’ => https://twitter.com/disclosedh1 is a bot that tweets publicly disclosed reports from HackerOne

A good book with real life examples is: Real-World Bug Hunting: A Field Guide to Web Hacking

If you want to get into security there is a saying: Don’t just learn Security, learn hacking.
I’ve followed several courses on Udemy/Pluralsight etc but the real hands on experience is different.

Some good practice labs:

• https://www.hackthebox.eu/
• https://tryhackme.com/
• https://www.pentesteracademy.com/

And if you feel a bit confident you can start doing bug bounty programs.
I would advise to start learning and mastering 1-3 vulnerabilities and search for these in programs, such as IDOR, XXE, OpenRedirect, XSS, … don’t try to do them all at once.

If you are exploring a program and you see a CSV export, then learn about CSV Injection and try it out.

EDIT: You don’t really need programming skills… I mean you do but depending on what you want to do.
JavaScript is always useful when doing XSS of course. But Java isn’t required to test for IDORs, SSRF, XXE or OpenRedirects etc…

If you wish to code your own programs, Python is probably the nr 1 go to
But someone might have already written it, so no need to re-invite the wheel twice

That’s true and normal. Security is such a large area. Pick a topic you wish to focus on and just start out with that. At the beginning it might seem impossible or a lot… but once you get rolling you’ll notice it’s not that hard and ow so so so sooooooo much fun
Especially when you find a security breach/hole… a P1… you’ll get so much adrenaline. It’s better then sports

noSleep1077×909 82.9 KB

LOL, I have at least got isolation so it’s easy to make sure I’m always only testing things non-production. There is definitely a bit of mindset to get into here, I keep coming at things from a white-box perspective and need to instead think “malicious” the whole time while learning all these techniques.

Big yup!
See an export? CSV Injection! Be careful because eventually when you are browsing other websites you might get tempted

That feeling when you see:
/viewinvoice.php?id=1234 in the URL of an application you don’t have permission to test.