Web application security testing may seem intimidating and esoteric to many web administrators, especially new ones. Have you ever asked yourself why so many IT professionals ignore the security aspects of their applications? We tend to ignore things we cannot perceive, and only become concerned when something breaks or a security breach occurs in our IT systems. The truth is that there are a number of efficient, open source web security vulnerability analysis tools that you can easily learn and use to bring IT security best practices into your IT department.
The good news for those who are new to web security is that once you have a basic understanding of the most common web application vulnerabilities, you will find it much easier to protect your applications from the various well-known web attacks.
1. Vega
Vega can find cross-site scripting (XSS) and SQL injection vulnerabilities in web apps. It can also detect whether your site leaks sensitive information. You can run it on Windows, Linux and OS X.
You can get the tool from https://subgraph.com/vega/
2. Wapiti
If you are planning to run a security testing program for your apps, you can use the open source Wapiti. It has the following detection capabilities:
- Cross site scripting
- Sensitive files that can disclose information
- Weaknesses in .htaccess files
- Various injection vulnerabilities
- Presence of sensitive backup files.
http://wapiti.sourceforge.net/
3. skipfish
Skipfish is more of a reconnaissance tool because it creates an interactive sitemap of the target website using a recursive web crawl. At the end of the scan, skipfish generates a detailed report of the vulnerabilities found in your website. You can use it on Windows, Linux, FreeBSD and Mac OS X.
https://code.google.com/p/skipfish/
4. Netsparker Community Edition
It is considered one of the most effective open source tools for detecting SQL injection. If you are looking for an intuitive and user-friendly SQL injection tool, you should give it a try. It is also free of false positives.
https://www.netsparker.com/communityedition/
5. Websecurify is a cross-platform web application security testing tool that you can use on a monthly basis. If you want to use it for free, try the trial version of this powerful web security toolkit.
https://suite.websecurify.com/classic
6. ESAPI (Enterprise Security API) is a web application security library from OWASP. It is not a web security testing tool; rather, it helps programmers develop low-risk applications. New app developers and organizations can use ESAPI as a solid foundation for their application security. If you are developing a new application, visit https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
7. BeEF, the Browser Exploitation Framework, helps discover client-side vulnerabilities. This tool detects application weaknesses through browser vulnerabilities. Each browser is written with a specific security context in mind, so each browser's security context has both strengths and weaknesses. BeEF lets the security tester choose the security context to test against a given browser. To learn more about this browser-based web app vulnerability analysis tool, visit: http://beefproject.com/
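To make concrete what a security library such as ESAPI does for a developer, here is an added example (written for this post in plain Python with the standard library; it is not ESAPI code and does not use ESAPI's Java API). It shows the two vulnerability classes the scanners above look for, cross-site scripting and SQL injection, as a vulnerable function beside its hardened form, using the three building blocks such libraries provide: output encoding, parameterized queries and input validation. The table, user names and payloads are constructed for the example.

```python
import html
import re
import sqlite3


# --- Cross-site scripting: output encoding ---------------------------------

def render_greeting_vulnerable(name):
    # Vulnerable: untrusted input is concatenated straight into HTML,
    # so a name containing markup becomes part of the page.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Hardened: HTML-encode untrusted data before placing it in markup.
    # html.escape turns <, >, &, " and ' into entities, so the browser
    # renders the text instead of interpreting it as tags.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- SQL injection: parameterized queries ----------------------------------

def make_db():
    # Constructed in-memory table standing in for a real user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: string concatenation lets the input change the query's
    # structure, e.g. a quote followed by OR '1'='1 matches every row.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Hardened: the driver binds the value as data; whatever the input
    # contains, it can only ever be compared against the username column.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


# --- Input validation: an allow-list, the first line of defence ------------

USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    # Accept only what a username may legitimately look like; reject
    # everything else up front rather than trying to strip bad characters.
    return USERNAME_PATTERN.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    xss = "<script>alert(1)</script>"
    sqli = "' OR '1'='1"
    print("vulnerable HTML :", render_greeting_vulnerable(xss))
    print("encoded HTML    :", render_greeting_safe(xss))
    print("vulnerable query:", find_user_vulnerable(db, sqli))
    print("parameterized   :", find_user_safe(db, sqli))
    print("validation      :", is_valid_username("alice"), is_valid_username(sqli))
```

Encoding and parameterization are applied at the point where data meets an interpreter (the HTML page, the SQL engine), which is why they hold even when validation is bypassed; validation alone is not enough, because a value can be a perfectly valid username for one context and dangerous in another.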
8. Metasploit
Metasploit is considered one of the most robust and complete web security testing tools. If you want to pursue a career as a web security tester or something similar, you can start by downloading this open source security testing tool from http://www.metasploit.com/
Though web security threats and attack patterns change fast, the core concepts attackers use to exploit applications remain much the same. Therefore, if you are planning to run an application security program in your organization and are not willing to hire a security expert, let your IT engineers work with the tools mentioned in this post and test whether your applications are strong enough to withstand the most common web attacks.
Further reading: Open source penetration testing tools