
Ask HN: Looking for recommendations on decent penetration testing tools - 51Cards
We recently had an attack on one of our web applications and following the logs led me to Burp Suite  https:&#x2F;&#x2F;portswigger.net&#x2F;   I wasn&#x27;t aware that automated tools like this existed and  I would be interested in running one across our suite of web applications.  Any recommendations?  Thanks in advance.
======
alltakendamned
Hi,

Burp Suite Pro is indeed the tool of the trade when performing penetration
testing of web applications. I would however not call it an automated tool.

While it contains some automated test functionality (Active Scan), using this
functionality will by no means give you a conclusive answer on whether there
are vulnerabilities present in your application. As an example in my case, I
use Active Scan together with other tools and techniques to perform attack
surface analysis, so figuring out interesting parts of the application that
can receive some priority when looking for bugs.

I would strongly suggest to enlist the help of a professional security company
to perform the security assessment and to also verify whether the application
and system in question has been compromised in the previous attack.

That being said, I do indeed think it's a good idea to use tools like Burp
during the development cycle, and also to invest in secure development
training.

~~~
_jdams
I am looking to get more into web app testing - Side note: I already have a
NetSec degree and work in the field. Should I be pursuing the GWAPT: GIAC Web
Application Penetration Tester? Should I just be working through the OWASP Top
10 manual and learn/practice the "Top 10s" first? Thanks !

~~~
alltakendamned
Sorry for the late reply, I missed it.

I suggest you start by having a look at the OWASP Top 10 and the OWASP Testing
guide. Also read the Web Application Hackers Handbook 2nd Edition and learn
how to use Burp Suite Pro.

I personally have not taken GWAPT so cannot comment on it, but the OSCP
certification from Offensive Security is well regarded.

Good luck

------
peternicky
Check out kali Linux which included many tools including metasploit.

------
elyrly
[https://pages.bugcrowd.com/vulnerability-rating-
taxonomy](https://pages.bugcrowd.com/vulnerability-rating-taxonomy)

Outlines the different security priority, as mentioned above Burp is a great
tool for web app testing

------
graystevens
If it is web-based attacks which are of interest to you at the moment,
consider looking into the OWASP Top 10, and also a web application scanner
such as Nikto. These should give you a good insight and prompt you with some
further avenues to explore.

------
megraf
Seconded for Kali (formally backtrack). The amount of tutorials, resources,
etc. are more than enough to get you started.

Good luck!

~~~
bgdkbtv
Downloading Kali now. Are you talking about YouTube tutorials or do you have
something specific in mind? I only know Cybrary as the only decent resource
for beginner pentesters.

