I am planning to check my website against all common security vulnerabilities like cross-site scripting, SQL injection, etc. Can somebody tell me whether there is any automated tool which I can run on my .NET web app to find all the security flaws that exist? I tried CAT.NET, but it is not able to support big apps. I saw about OWASP, but again it is also not an automated one. I am looking for something which can tell me the file name and method name, etc.
1. Zed Attack Proxy (ZAP). Developed by OWASP (Open Web Application Security Project), ZAP is a multi-platform, open-source web application security testing tool. It is used to find a range of security vulnerabilities in a web app during both the development and the testing phase.
What are SAST and DAST? SAST and DAST are application security testing methodologies used to find security vulnerabilities that can make an application susceptible to attack. Static application security testing (SAST) is a white-box method of testing; dynamic application security testing (DAST) is its black-box counterpart.
The main difference between DAST and SAST lies in how each performs the security testing. SAST scans the application code at rest to discover faulty code posing a security threat, so it can point at a file and a method; DAST tests the running application and has no access to its source code, so it reports URLs and parameters instead.
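To make the SAST side of that distinction concrete, here is a small static check written for this page (not part of any of the tools named here and not a substitute for one). It walks C# source text "at rest", tracks which method it is inside, and flags SqlCommand queries built by string concatenation, reporting file name, method name and line number, which is the kind of output the question asks for. The C# sample and the file name are constructed for the demo; a real SAST engine follows data flow rather than matching regular expressions.

```python
"""Toy SAST-style scanner for C# sources (added illustration, not a real tool).

It flags `new SqlCommand("..." + ...)` where query text is concatenated,
and reports file, method and line so the finding can be located in code.
"""
import re
from dataclasses import dataclass

# Constructed sample: FindByName concatenates user input into SQL,
# FindById uses a parameterised query and must not be flagged.
SAMPLE_CS = """\
using System.Data.SqlClient;

public class UserRepository
{
    public User FindByName(string name)
    {
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = '" + name + "'", conn);
        return Map(cmd.ExecuteReader());
    }

    public User FindById(int id)
    {
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Id = @id", conn);
        cmd.Parameters.AddWithValue("@id", id);
        return Map(cmd.ExecuteReader());
    }
}
"""

# A method header: one or more access/modifier keywords, a return type,
# then the method name followed by '('. Class declarations do not match
# because nothing follows the class name before the line ends.
METHOD_RE = re.compile(
    r'^\s*(?:(?:public|private|protected|internal|static|virtual|override|async)\s+)+'
    r'[\w<>\[\],]+\s+(\w+)\s*\(')

# SqlCommand whose first argument is a string literal immediately followed by '+'.
CONCAT_SQL_RE = re.compile(r'new\s+SqlCommand\s*\(\s*"[^"]*"\s*\+')


@dataclass(frozen=True)
class Finding:
    file: str
    method: str
    line: int
    rule: str


def scan_source(filename, source):
    """Return a list of Findings for one source file (text already loaded)."""
    findings = []
    current_method = "<top-level>"
    for lineno, text in enumerate(source.splitlines(), start=1):
        header = METHOD_RE.match(text)
        if header:
            current_method = header.group(1)
            continue
        if CONCAT_SQL_RE.search(text):
            findings.append(Finding(filename, current_method, lineno, "sql-string-concat"))
    return findings


def scan_project(sources):
    """sources: mapping of file name -> source text; returns all findings."""
    results = []
    for name, text in sources.items():
        results.extend(scan_source(name, text))
    return results


def format_report(findings):
    """Render findings as 'file:line  method  rule' lines."""
    return "\n".join(f"{f.file}:{f.line}  {f.method}  {f.rule}" for f in findings)


if __name__ == "__main__":
    # Hypothetical file name for the constructed sample.
    print(format_report(scan_project({"UserRepository.cs": SAMPLE_CS})))
```

Running it prints one line, `UserRepository.cs:7  FindByName  sql-string-concat`, and nothing for FindById. The rule is deliberately narrow: it only knows one sink (SqlCommand) and one pattern (a literal followed by `+`), so it misses concatenation done in a helper or with string interpolation; that gap is exactly why the answer below recommends automated scanning for low-hanging fruit and manual review for the rest.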
There are a few free tools for automated vulnerability discovery.
Skipfish - open-source automated web application scanner (http://code.google.com/p/skipfish/). Actively developed and maintained.
GrendelScan - open-source automated web application scanner (http://grendel-scan.com/).
Netsparker Community Edition - free, limited version of Netsparker (http://www.mavitunasecurity.com/communityedition/).
RatProxy - non-intercepting proxy that performs vulnerability discovery (http://code.google.com/p/ratproxy/).
Here are a few to get you started.
The best approach is to perform manual testing and use automated testing to cover 'low-hanging fruit' scenarios.