Ask HN: How do you perform penetration testing on your webapp?

[nabilt]

Is there a browser plugin or app that can help me reveal security holes in my web app? Something like a Metasploit for the web.

So far I've been writing my own tests, but there is no question someone smarter than me will find a vulnerability. There are a number of great resources on the different types of exploits and how to fix them, but I havent found anything to tell me if I've implemented the solution correctly.

[mtimur]

You can use Netsparker Community Edition (free) http://www.mavitunasecurity.com/communityedition/. It will scan your web application against SQL Injection and Cross-Site Scripting vulnerabilities.

[cd34]

ZmEu @ WhiteHat Team – www.whitehat.ro

is probably one of the more common ones. nessus http://www.tenable.com/products/nessus looks for published vulnerabilities as well, but that would be more along the lines of using an exploitable pop3 daemon or having phpmyadmin visible from your site. Zmeu does some of those scans, but, will also try to do SQL injection.

[seven]

Take a look at https://www.owasp.org/ and review your source code for common vulnerabilities.

A very helpful tool for testing: http://portswigger.net/burp/proxy.html

[nabilt]

OWASP looks great. Found some tools to help test CSRF (bottom of page) https://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-0...

Also found a large PDF about testing with suggestions for tools https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

More tools listed https://www.owasp.org/index.php/Appendix_A:_Testing_Tools

[fauxfauxpas]

http://samurai.inguardians.com/

[hmahncke]

tinfoil.com

[henzk]

i think you meant https://www.tinfoilsecurity.com/