Free Web Application Security Testing Tool

Fri, 07 Aug 2009 08:02:38 GMT
by pdp

Automated Web Application Security Testing tools are in the core of modern penetration testing practices. You cannot rely 100% on the results they produce, without considering seriously their limitations. However, because these tools are so good at picking the low-hanging fruit by employing force and repetition, they still have a place in our arsenal of penetrating testing equipment.

These tools are not unfamiliar to modern day penetration testers. In fact, there are plenty of them to choose from, ranging from low-grade command line utilities to high-end frameworks. There are plenty of commercial tools as well some of which are a lot better, in terms of features and false-positives rate, when compared to open source alternatives. People often choose what they are more familiar with. I prefer to use tools that are right for the job without discriminating a particular operating system, platform, and style.

Without further ado, I would like to introduce to you yet another tool to compete in the market of automated web application security scanners (not only), released as part of our own Websecurify initiative. The tools is called Websecurify (big surprise) and it is written on the top of common web technologies, which provide significant benefit over other technologies used in open source and commercial alternative products.

Here are some of the key features of Websecurify:

  1. It is 100% open source, GPL, CC product, ready to benefit the open source movement
  2. The engine employs technologies, such as Web Workers, from the latest HTML5 specs
  3. Most of the code is written in JavaScript but many parts can be rewritten or extended with Python, Java and C
  4. The core engine can be taken out from the binary bundles and used as part of self-defending web applications. I will talk about this soon.
  5. The testing and reporting mechanisms are asynchronous. This means that the report is cooking while the test is performed. It also means that decisions are taken immediately, i.e. they are not scheduled.
  6. The tool is cross-platformed thanks to xulrunner
  7. Everything is written with extensibility in mind
  8. It can be extended in pretty much the same way you can extend Firefox and Thunderbird

There are many other features, which I am going to talk about soon.

At the moment the tool is only available as a MacOS DMG package and source code. The Windows and Linux versions will be released soon. In the future we are planning release all platform specific packages at the same time. Now is just an exception as we are mostly interested to get an early feedback. I am sure that that there will be a lot of bugs to fix and features to add/improve before we reach version 1.0. Version 0.2 can be downloaded from www.websecurify.com or our source code repository.

If you have any feedback or you would like to contribute to this project, please do let us know. We can use any help possible.

Archived Comments

FaNtAFaNtA
Windows Downloadlink doesn't work :(
meme
Not Found The requested URL /files/Websecurify%200.2.exe was not found on this server.
DanDan
Hey, I really appreciate your site and how you people use your talent for good. However I hate coming to sites like these because quite frankly they scare me a bit. Is the web eventually going to lead us into a deathtrap? Anyway, my question to you is, do you think the internet as a whole could ever be secure and reliably safe?
pdppdp
hi FaNtA, the windows version is cooking at the moment
pdppdp
hi Dan, IMHO, technology-wise things are getting better although you see more and more hacking incidents happening. The biggest problems that face the Web and the Internet in general are mostly related to bad practices. In a system composed of humans and machines, the human is always the weakest link.
kenrtxkenrtx
Woot! Another web app tester, keep em comin. Unfortunately I do not have my Mac anymore. :( Email me once it's ready? No information on the product site, does it test signature libraries like the OWASP top 10 or is that something we'll have to add? Tell us more.
pdppdp
hi kenrtx, the windows and linux versions are coming along nicely. keep in mind that the we are only releasing version 0.2 which to be honest is not very advanced. however, we've got a solid framework which we can build on. saying that, websecurify pro is also coming along quite nicely and should be available for download soon.
ChrisChris
Terrific tool. Like the simplicity of the interface and the results. Would be even better if there were a way to save the results to a file, or even just copy the vulnerable URL to do manual verifications (did not see a way to do this on the mac verison).
ttyXttyX
Links don't work
pdppdp
10x Chris, 0.3 will have features to select the text. we are also soon to release websecurify pro which will add more features for professional penetration testers
pdppdp
ttyX, we don't have windows and linux versions just yet
dillondillon
please release a linux/windows version(s) this is exactly the software i am looking for
pdppdp
dillon, 0.3 will be released for mac, windows and linux platforms.
Venom23Venom23
The windows link doesn't work. ;) *just kidding* So - I have Linux and Windows machines ... which means that I do have to wait *sob* Do you post project changes on twitter as well?
pdppdp
Venom23, yes I will post updates on twitter as well
infamousjeffinfamousjeff
Good job! Adding extensibility with Python or C really opens it up. Love xulrunner sdk. Looking forward to the Linux/Windows release.
HannibalHannibal
Damn this thing is good... Looking forward for the Pro version. I could use it as I'm a security tester here in my company. Of course i will give all the credit to Teh Tool! :) Thanks guys for using you knowledge to help us mortals to defend against a harsh, cruel world!
Gaurav ChaturvediGaurav Chaturvedi
Awesome tool
MunankarmiMunankarmi
Nice tool, now windows downlink also work. nice tool to secure website.
DarkmailerDarkmailer
keep up the good work pdp,you have my total support. More blessings. @Dan, dont be scared, just make sure that you are well tested and are secured ! security is an on going process so you have just to be one step ahead of the 'real' bad guys out there who want to rape you and leave you for dead, pdp is a good guy and he is doing all these things to make web users more safe based on assurance and testing of our security by releasing more tools and wetware to increase knowlegde. Thank you Mr pdp and the rest of all the security companies. Your blessed.
steve lusbysteve lusby
Will the proposed legislation by senator Lieberman to allow the Government to suspend internet activity for security emergencies allow for security testing or experimentation not otherwise possible during normal internet activity?
Warrior0216Warrior0216
Hey, just for the record, I think the spanish word for free is "gratis". You know, not that it matters...
sclusby12@gmail.com[email protected]
I downloaded your free security tool and no Icon was made and I can't find it in my programs, can you help me with this I would really like to try it. Thanks very much, Steve.
pdppdp
Steve, if you follow the wizard you should be able to get the application up and running in no time.