Ask HN: How do you perform penetration testing on your webapp? - nabilt

Is there a browser plugin or app that can help me reveal security holes in my web app? Something like a Metasploit for the web.

So far I've been writing my own tests, but there is no question someone smarter than me will find a vulnerability. There are a number of great resources on the different types of exploits and how to fix them, but I haven't found anything to tell me if I've implemented the solution correctly.
======
mtimur
You can use Netsparker Community Edition (free)
<http://www.mavitunasecurity.com/communityedition/>. It will scan your web
application against SQL Injection and Cross-Site Scripting vulnerabilities.

------
cd34
ZmEu @ WhiteHat Team – www.whitehat.ro

is probably one of the more common ones. Nessus
<http://www.tenable.com/products/nessus> looks for published vulnerabilities
as well, but that would be more along the lines of using an exploitable POP3
daemon or having phpMyAdmin visible from your site. ZmEu does some of those
scans, but will also try to do SQL injection.

------
seven
Take a look at <https://www.owasp.org/> and review your source code for common
vulnerabilities.

A very helpful tool for testing: <http://portswigger.net/burp/proxy.html>

~~~
nabilt
OWASP looks great. Found some tools to help test CSRF (bottom of page)
<https://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)>

Also found a large PDF about testing with suggestions for tools
<https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf>

More tools listed <https://www.owasp.org/index.php/Appendix_A:_Testing_Tools>
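The OWASP CSRF test linked above boils down to one check: replay a state-changing request the way a hostile page would (victim's session cookie attached, no token, foreign Origin) and confirm the server refuses it. The script below is an added example, not code from this thread or from OWASP: a constructed "transfer" handler in its vulnerable form next to a hardened one, and a probe that reports whether the forged request is actually rejected. The app name, origin, secret and request layout are all assumptions for illustration.

```python
"""CSRF self-check: vulnerable vs. hardened handler plus a forged-request probe.
Example code; the application, origin, secret and request shape are constructed."""
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"      # assumed origin of the app under test
SERVER_SECRET = secrets.token_bytes(32)   # per-process key used to mint tokens


def make_csrf_token(session_id):
    """Synchroniser token bound to one session: HMAC-SHA256(secret, session_id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer_vulnerable(request):
    """Before: trusts the session cookie alone, so any origin can trigger a transfer."""
    if "session" not in request["cookies"]:
        return 401, "login required"
    form = request["form"]
    return 200, "transferred %s to %s" % (form["amount"], form["to"])


def handle_transfer_protected(request):
    """After: rejects a foreign Origin when the browser sends one, and always
    requires a token that matches the session the cookie identifies."""
    session = request["cookies"].get("session")
    if session is None:
        return 401, "login required"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, make_csrf_token(session)):
        return 403, "missing or invalid csrf token"
    form = request["form"]
    return 200, "transferred %s to %s" % (form["amount"], form["to"])


def legitimate_request(session_id):
    """What our own page submits: cookie, same origin, and the token it rendered."""
    return {
        "cookies": {"session": session_id},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"to": "alice", "amount": "10", "csrf_token": make_csrf_token(session_id)},
    }


def forged_request(session_id, origin="https://attacker.example", token=None):
    """What the victim's browser sends from a hostile page: the session cookie rides
    along automatically, but the attacker cannot read the victim's token. `token`
    models an attacker pasting in a token minted for their own session."""
    headers = {} if origin is None else {"Origin": origin}
    form = {"to": "mallory", "amount": "1000"}
    if token is not None:
        form["csrf_token"] = token
    return {"cookies": {"session": session_id}, "headers": headers, "form": form}


def csrf_protected(handler, session_id="sess-victim"):
    """Probe: True only if the handler accepts the genuine request and rejects every
    forgery variant (plain cross-site, no Origin header, token from another session)."""
    if handler(legitimate_request(session_id))[0] != 200:
        return False  # a fix that breaks the real flow is not a fix
    forgeries = [
        forged_request(session_id),
        forged_request(session_id, origin=None),
        forged_request(session_id, origin=None, token=make_csrf_token("sess-attacker")),
    ]
    return all(handler(f)[0] != 200 for f in forgeries)


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_transfer_vulnerable),
                          ("protected", handle_transfer_protected)):
        print("%-10s csrf_protected=%s" % (name, csrf_protected(handler)))
```

The third forgery is the one hand-written tests most often miss: a token that is valid for the attacker's own session must still fail for the victim's, which is why the token is keyed to the session ID rather than being a bare random value checked only for presence. Against a real deployment the same three requests are what you would replay through Burp's repeater.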

------
fauxfauxpas
<http://samurai.inguardians.com/>

------
hmahncke
tinfoil.com

~~~
henzk
I think you meant <https://www.tinfoilsecurity.com/>