Application Security Scanning Tools


Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws.

Some tools are starting to move into the IDE. For the kinds of problems that can be detected while code is being written, this is a powerful point in the development life cycle to employ such tools, because the developer gets immediate feedback on issues they may be introducing as they write the code. That immediate feedback is far more useful than discovering the same vulnerabilities much later in the development cycle.


Strengths and Weaknesses

Strengths

  • Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
  • Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
  • Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

Weaknesses

  • Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
  • High numbers of false positives.
  • Frequently can't find configuration issues, since they are not represented in the code.
  • Difficult to 'prove' that an identified security issue is an actual vulnerability.
  • Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.
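The strengths and weaknesses above are easiest to see in a toy version of the source/sink (taint) analysis that SAST tools perform. This is an added example, not code from OWASP or from any tool listed on this page; it assumes a Flask-style `request.args.get(...)` as the untrusted source and a DB-API `cursor.execute(...)` as the SQL sink, and the sample program it scans is constructed for the demonstration.

```python
"""Minimal source/sink (taint) analysis over Python source using the ast module.

Added example (not from the OWASP page or any listed tool). Data from an
assumed untrusted source (request.args.get) is tracked through assignments
and reported when it reaches an assumed dangerous sink (cursor.execute with a
string built from tainted data). The report is file/line precise (a SAST
strength); the constructed sample also contains a false positive and a
configuration issue the analysis cannot see (two SAST weaknesses).
"""
import ast

SOURCE_CALLS = {("request", "args", "get")}   # assumed untrusted-input API
SINK_CALLS = {("cursor", "execute")}           # assumed SQL sink


def _attr_path(node):
    """Turn request.args.get into ('request', 'args', 'get'); None if not a dotted name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self, filename):
        self.filename = filename
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (filename, line, message)

    def _is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            # A source call is tainted; any call on tainted data is treated as tainted
            # (no sanitizer model, which is what produces the int() false positive).
            return _attr_path(node.func) in SOURCE_CALLS or any(self._is_tainted(a) for a in node.args)
        if isinstance(node, ast.JoinedStr):   # f-string
            return any(self._is_tainted(v.value) for v in node.values if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):       # "..." + x  or  "..." % x
            return self._is_tainted(node.left) or self._is_tainted(node.right)
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        if _attr_path(node.func) in SINK_CALLS and node.args and self._is_tainted(node.args[0]):
            self.findings.append((self.filename, node.lineno,
                                  "untrusted data reaches cursor.execute (possible SQL injection)"))
        self.generic_visit(node)


def analyze(source, filename="app.py"):
    """Return [(filename, line, message)] for every tainted sink call in `source`."""
    analyzer = TaintAnalyzer(filename)
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program: one true positive (line 6), one parameterized query
# that is correctly not reported (line 10), one false positive (line 14) and a
# configuration issue (line 16) that no source/sink analysis can see.
SAMPLE = '''\
from flask import request

def lookup(cursor):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)

def lookup_safe(cursor):
    user_id = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))

def lookup_int(cursor):
    user_id = int(request.args.get("id"))
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

DEBUG = True
'''


def scan_sample():
    return analyze(SAMPLE, "app.py")


if __name__ == "__main__":
    for filename, line, message in scan_sample():
        print(f"{filename}:{line}: {message}")
```

Line 14 is flagged even though `int()` makes the value safe, which is exactly the "difficult to prove it is an actual vulnerability" problem; `DEBUG = True` is never flagged because it is a configuration choice, not a data flow.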

Important Selection Criteria

  • Requirement: Must support your programming language, but not usually a key factor once it does.
  • Types of vulnerabilities it can detect (out of the OWASP Top Ten?) (plus more?)
  • How accurate is it? False Positive/False Negative rates?
    • Does the tool have an OWASP Benchmark score?
  • Does it understand the libraries/frameworks you use?
  • Does it require a fully buildable set of source?
  • Can it run against binaries instead of source?
  • Can it be integrated into the developer's IDE?
  • How hard is it to set up/use?
  • Can it be run continuously and automatically?
  • License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

OWASP Tools Of This Type

Disclaimer

Disclaimer: The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

Open Source or Free Tools Of This Type

  • Bandit - Bandit is a comprehensive source vulnerability scanner for Python
  • Brakeman - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
  • Codesake Dawn - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It also works on non-web applications written in Ruby
  • Deep Dive - Byte code analysis tool for discovering vulnerabilities in Java deployments (Ear, War, Jar).
  • FindBugs - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs
  • FindSecBugs - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too.
  • Flawfinder - Scans C and C++
  • Google CodeSearchDiggity - Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence, simultaneously.
  • Graudit - Scans multiple languages for various security flaws.
  • LGTM - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python
  • .NET Security Guard - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
  • phpcs-security-audit - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
  • PMD - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
  • PreFast (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
  • Progpilot - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.
  • Puma Scan - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
  • Pyre - A performant type-checker for Python 3, that also has limited security/data flow analysis capabilities.
  • RIPS - RIPS Open Source is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
  • Sink Tank - Byte code static code analyzer for performing source/sink (taint) analysis.
  • SonarQube - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by SonarLint.
  • SpotBugs - This is the active fork replacement for FindBugs, which is not maintained anymore.
  • VisualCodeGrepper (VCG) - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

GitLab has built a free SAST tool for a number of different languages natively into GitLab. So you might be able to use that, or at least identify a free SAST tool for the language you need from that list.

Commercial Tools Of This Type

  • Application Inspector (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
  • Application Security on Cloud (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service.
  • AppScan Source (IBM)
  • BlueClosure BC Detect (BlueClosure) - Analyzes client-side JavaScript.
  • bugScout (Nalbatech, formerly Buguroo)
  • CAST AIP (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. AIP's security specific coverage is here.
  • Codacy Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)
  • CodeSonar tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.
  • Contrast Assess (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
  • Coverity Code Advisor (Synopsys)
  • CxSAST (Checkmarx)
  • Fortify (Micro Focus, formerly HP)
  • Hdiv Detection (Hdiv Security) - Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.
  • Julia (JuliaSoft) - SaaS Java static analysis
  • KlocWork (KlocWork)
  • Kiuwan (an Optimyth company) - SaaS Software Quality & Security Analysis
  • Parasoft Test (Parasoft)
  • PITSS.CON (PITTS)
  • PT Application Inspector combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
  • Puma Scan Professional - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.
  • PVS-Studio (PVS-Studio) - For C/C++, C#
  • reshift - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.
  • RIPS Code Analysis (RIPS Technologies) - A SAST solution specialized for Java and PHP that detects unknown security vulnerabilities and code quality issues.
  • SecureAssist (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)
  • Sentinel Source (Whitehat)
  • Seeker (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
  • Source Patrol (Pentest)
  • Thunderscan SAST (DefenseCode)
  • Veracode Static Analysis (Veracode)
  • Xanitizer - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [1]).

More info

  • DAST Tools - Similar info on Dynamic Application Security Testing (DAST) Tools
  • Free for Open Source Application Security Tools - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source
Retrieved from 'https://www.owasp.org/index.php?title=Source_Code_Analysis_Tools&oldid=253609'


In the past, many popular websites have been hacked. Hackers are active and constantly try to break into websites and leak data. This is why security testing of web applications is very important, and this is where web application security scanners come in. A Web Application Security Scanner is a software program which performs automatic black-box testing of a web application and identifies security vulnerabilities. Scanners do not access the source code; they only perform functional testing and try to find security vulnerabilities.

Various paid and free web application vulnerability scanners are available. In this post, we are listing the best free open source web application vulnerability scanners. I am adding the tools in random order, so please do not think it is a ranking of tools.

I am only adding open source tools which can be used to find security vulnerabilities in web applications. I am not adding tools to find server vulnerabilities. And do not confuse free tools with open source tools, because various other tools are available for free but do not provide their source code to other developers. Open source tools are those which offer their source code to developers so that developers can modify the tool or help in further development.

These are the best open source web application penetration testing tools:

1. Grabber

Grabber is a nice web application scanner which can detect many security vulnerabilities in web applications. It performs scans and tells you where the vulnerability exists. It can detect the following vulnerabilities:

  • Cross site scripting
  • SQL injection
  • Ajax testing
  • File inclusion
  • JS source code analyzer
  • Backup file check

It is not fast compared to other security scanners, but it is simple and portable. It should be used only to test small web applications, because it takes too much time to scan large applications.

This tool does not offer any GUI interface. It also cannot create any PDF report. This tool was designed to be simple and for personal use. You can try this tool for personal use; if you are thinking of it for professional use, I will never recommend it.

This tool was developed in Python, and an executable version is also available if you want it. Source code is available, so you can modify it according to your needs. The main script is grabber.py, which once executed calls other modules like sql.py, xss.py and others.

Download it here: http://rgaucher.info/beta/grabber/

Source code on Github: https://github.com/neuroo/grabber

2. Vega

Vega is another free open source web vulnerability scanner and testing platform. With this tool, you can perform security testing of a web application. This tool is written in Java and offers a GUI based environment. It is available for OS X, Linux and Windows.

It can be used to find SQL injection, header injection, directory listing, shell injection, cross site scripting, file inclusion and other web application vulnerabilities. This tool can also be extended using a powerful API written in JavaScript.

While working with the tool, it lets you set a few preferences like the total number of path descendants, the number of child paths of a node, the depth and the maximum number of requests per second. You can use Vega Scanner, Vega Proxy, Proxy Scanner and also Scanner with credentials. If you need help, you can find resources in the documentation section:

Documentation: https://subgraph.com/vega/documentation/index.en.html

Download Vega: https://subgraph.com/vega/

3. Zed Attack Proxy

Zed Attack Proxy is also known as ZAP. This tool is open source and is developed by OWASP. It is available for Windows, Unix/Linux and Macintosh platforms. I personally like this tool. It can be used to find a wide range of vulnerabilities in web applications. The tool is very simple and easy to use. Even if you are new to penetration testing, you can easily use this tool to start learning penetration testing of web applications.

These are the key functionalities of ZAP:

  • Intercepting Proxy
  • Automatic Scanner
  • Traditional but powerful spiders
  • Fuzzer
  • Web Socket Support
  • Plug-n-hack support
  • Authentication support
  • REST based API
  • Dynamic SSL certificates
  • Smartcard and Client Digital Certificates support

You can either use this tool as a scanner by inputting the URL to perform scanning, or you can use this tool as an intercepting proxy to manually perform tests on specific pages.

Download ZAP : https://github.com/zaproxy/zaproxy

4. Wapiti

Wapiti is also a nice web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data. It tries to inject payloads and sees whether a script is vulnerable. It supports both GET and POST HTTP attacks and detects multiple vulnerabilities.


It can detect the following vulnerabilities:

  • File Disclosure
  • File inclusion
  • Cross Site Scripting (XSS)
  • Command execution detection
  • CRLF Injection
  • SQL Injection and XPath Injection
  • Weak .htaccess configuration
  • Backup files disclosure
  • and many others

Wapiti is a command-line application, so it may not be easy for beginners, but for experts it will perform well. To use this tool, you need to learn lots of commands, which can be found in the official documentation.

Download Wapiti with source code: http://wapiti.sourceforge.net/

5. W3af

W3af is a popular web application attack and audit framework. This framework aims to provide a better web application penetration testing platform. It is developed using Python. By using this tool, you will be able to identify more than 200 kinds of web application vulnerabilities including SQL injection, Cross-Site Scripting and many others.

It comes with both a graphical and a console interface, and its interface is easy to understand, so you can use it easily.

If you are using it with the graphical interface, I do not think that you are going to face any problem with the tool. You only need to select the options and then start the scanner. If a website needs authentication, you can also use the authentication modules to scan the session-protected pages.

We have already covered this tool in detail in our previous W3af walkthrough series. You can read those articles to know more about this tool.

You can access source code at the Github repository: https://github.com/andresriancho/w3af/

Download it from the official website: http://w3af.org/


6. WebScarab

WebScarab is a Java-based security framework for analyzing web applications using the HTTP or HTTPS protocol. With the available plugins, you can extend the functionality of the tool. This tool works as an intercepting proxy, so you can review the requests and responses coming to your browser and going to the server. You can also modify a request or response before it is received by the server or browser.

If you are a beginner, this tool is not for you. This tool was designed for those who have a good understanding of the HTTP protocol and can write code.

WebScarab provides many features which help penetration testers work closely on a web application and find security vulnerabilities. It has a spider which can automatically find new URLs of the target website. It can easily extract the scripts and HTML of a page. The proxy observes the traffic between the server and your browser, and you can take control of the request and response by using the available plugins. The available modules can easily detect the most common vulnerabilities like SQL injection, XSS, CRLF and many other vulnerabilities.

Source code of the tool is available on Github: https://github.com/OWASP/OWASP-WebScarab

Download WebScarab here: https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

7. Skipfish

Skipfish is also a nice web application security tool. It crawls the website, then checks each page for various security threats and at the end prepares a final report. This tool was written in C. It is highly optimized for HTTP handling and uses minimal CPU. It claims that it can easily handle 2000 requests per second without adding load on the CPU. It uses a heuristic approach while crawling and testing web pages. This tool also claims to offer high quality results and fewer false positives.

This tool is available for Linux, FreeBSD, MacOS X and Windows.

Download Skipfish or its code from Google Code: http://code.google.com/p/skipfish/

8. Ratproxy

Ratproxy is also an open source web application security audit tool which can be used to find security vulnerabilities in web applications. It supports Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

This tool is designed to overcome the problems users usually face while using other proxy tools for security audits. It is capable of distinguishing between CSS stylesheets and JavaScript code. It also supports SSL man-in-the-middle interception, which means you can also see data passing through SSL. You can read more about this tool here: http://code.google.com/p/ratproxy/wiki/RatproxyDoc

Download: http://code.google.com/p/ratproxy/

9. SQLMap

SQLMap is another popular open source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerabilities in a website's database. It has a powerful detection engine and many useful features, so a penetration tester can easily perform SQL injection checks on a website.

It supports a range of database servers including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. It offers full support for 6 kinds of SQL injection techniques: time-based blind, boolean-based blind, error-based, UNION query, stacked queries and out-of-band.

Access the source code on Github repository: https://github.com/sqlmapproject/sqlmap

Download SQLMap here: https://github.com/sqlmapproject/sqlmap

10. Wfuzz

Wfuzz is another freely available open source tool for web application penetration testing. It can be used to brute force GET and POST parameters to test for various kinds of injections like SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading, SOCK, Proxy, Authentication, parameter brute forcing, multiple proxies and many other things. You can read more about the features of the tool here: http://code.google.com/p/wfuzz/

This tool does not offer a GUI interface, so you will have to work from the command-line interface.

Download Wfuzz from code.google.com: http://code.google.com/p/wfuzz/


11. Grendel-Scan

Grendel-Scan is another nice open source web application security tool. This is an automatic tool for finding security vulnerabilities in web applications. Many features are also available for manual penetration testing. This tool is available for Windows, Linux and Macintosh. This tool was developed in Java.

Download the tool and source code: http://sourceforge.net/projects/grendel/

12. Watcher

Watcher is a passive web security scanner. It does not attack with loads of requests or crawl the target website. It is not a separate tool but an add-on for Fiddler, so you need to first install Fiddler and then install Watcher to use it.

It quietly analyzes the requests and responses produced by normal user interaction and then makes a report on the application. As it is a passive scanner, it will not affect the website's hosting or cloud infrastructure.
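To show what "passive" means in practice, here is an added example (not code from the Watcher project) of the kind of check such a scanner runs: it never sends a request, only inspects responses that were already captured, flagging weak cookie flags, a version-revealing Server banner and missing security headers on HTML pages. The captured responses and the `shop.example` URLs are constructed for the demonstration.

```python
"""Passive HTTP response analysis in the spirit of a Fiddler add-on like Watcher.

Added example, not code from the Watcher project. The input is a set of
already-captured responses (constructed below); nothing is sent to any server,
which is why a passive scanner cannot affect the target's infrastructure.
"""

# Headers every HTML response should carry (assumed baseline for this example).
REQUIRED_HTML_HEADERS = ("x-content-type-options", "content-security-policy", "x-frame-options")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def check_response(url, raw):
    """Return a list of (url, finding) for one captured response."""
    status, headers, body = parse_response(raw)
    names = {n for n, _ in headers}
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            flags = {p.strip().lower() for p in value.split(";")[1:]}
            if url.startswith("https://") and "secure" not in flags:
                findings.append((url, f"cookie '{cookie}' lacks the Secure flag"))
            if "httponly" not in flags:
                findings.append((url, f"cookie '{cookie}' lacks the HttpOnly flag"))
        elif name == "server" and any(ch.isdigit() for ch in value):
            findings.append((url, f"Server header reveals a version: {value}"))
    content_type = dict(headers).get("content-type", "")
    if content_type.startswith("text/html"):
        for required in REQUIRED_HTML_HEADERS:
            if required not in names:
                findings.append((url, f"HTML response missing {required}"))
    return findings


# Constructed captures: one weak response, one static asset, one hardened page.
CAPTURED = {
    "https://shop.example/account": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.29\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Set-Cookie: session=abc123; Path=/\r\n"
        "X-Frame-Options: DENY\r\n"
        "\r\n"
        "<html><body>Welcome back</body></html>"
    ),
    "https://shop.example/static/app.js": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Content-Type: application/javascript\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "\r\n"
        "console.log('hi');"
    ),
    "https://shop.example/login": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Set-Cookie: session=def456; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Content-Security-Policy: default-src 'self'\r\n"
        "X-Frame-Options: DENY\r\n"
        "\r\n"
        "<html><body><form>...</form></body></html>"
    ),
}


def scan_captured(captured=CAPTURED):
    """Run the passive checks over every captured response; url -> findings."""
    return {url: check_response(url, raw) for url, raw in captured.items()}


if __name__ == "__main__":
    for url, findings in scan_captured().items():
        for _, message in findings:
            print(f"{url}: {message}")
```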

Download watcher and its source code: http://websecuritytool.codeplex.com/


13. X5S

X5s is also a Fiddler add-on which aims to provide a way to find cross-site scripting vulnerabilities. This is not an automatic tool, so you need to understand how encoding issues can lead to XSS. You need to manually find the injection point and then check where XSS can occur in the application.

We have covered the X5S in a previous post. So, you can refer to that article to read more about X5S and XSS.

Download X5S and source code from codeplex: http://xss.codeplex.com/

You can also refer to this official guide to know how to use X5S: http://xss.codeplex.com/wikipage?title=tutorial

14. Arachni

Arachni is an open source tool developed to provide a penetration testing environment. It can detect various web application security vulnerabilities like SQL Injection, XSS, local file inclusion, remote file inclusion, unvalidated redirects and many others.

Download this tool here: http://www.arachni-scanner.com/

Final Word

These are the best open source web application security testing tools. I tried my best to list all the tools available online. If a tool was not updated for many years, I did not mention it here, because if a tool is more than 10 years old, it can create compatibility issues in a recent environment. If you are a developer, you can also join the developers' community of these tools and help these tools to grow. By helping these tools, you will also increase your knowledge and expertise.

If you want to start penetration testing, I will recommend using Linux distributions which have been created for penetration testing. These environments are BackTrack, GnackTrack, BackBox and Blackbuntu. All these distributions come with various free and open source tools for website penetration testing, so you can go with those environments.

If you think I forgot to mention an important tool, you can drop a comment and I will try to add it.
