Top 7 Tools to Find Vulnerabilities in Software Logic

Various web application scanners are a very popular part of software which is used by many programmers. On the Internet, you can find a lot of charged scanners as well as free applications.

Without a doubt, every product has its own advantages and disadvantages, along with personalized functionality to find the critical vulnerabilities in the software logic.

Further, we will analyze 7 most widespread tools which can find weak spots in any software functionality quickly and qualitatively.

It should be noted that objects under tests were independent platforms which are used by many QA companies almost every day:

1. Premium.pgabank.com
2. Php.testparker.com

#1 OWASP ZAP

As the name suggests, it is safe to say that the developers of this program are people from the OWASP company.

OWASP ZAP

OWASP product is a completely free tool to perform penetration testing and to find vulnerabilities inside the structure of tested software.

Basic program features are:

• Main-in-the-middle Proxy;
• Traditional and AJAX spiders;
• Automated scanner;
• Passive scanner;
• Forced scanner;
• Fuzzer.

The graphical interface of this product also has a Russian-language version. It means that it will be easy for citizens of the former CIS to use this product. The whole OWASP ZAP consists of a few windows.

In the bottom part, you can see a tab with the current processes and time of their processing. Then on the left side, there is a sitemap. Moreover, you can place a dialog box on the right side.

OWASP ZAP structure

The available marketplace allows extending the functionality of the product. By the way, every component has many parameters and configurations that can be edited.

For example, users can easily set the incoming vectors for active scanning, generate the dynamic SSI certificates, add the identifier of HTTP sessions, etc.

Test on php.testparker.com found only blind SQL injections.

On premium.bgabank.com we could find the parameters of Server Side Include and Reflected Cross-Site Scripting.

Also, it has a great capability to quickly export all the results of the scan (you can choose any of the available formats – from pdf to .json). If you take a look at the generated report, you can find the information about product vulnerabilities, founded vectors and ways to delete these vulnerabilities.

So, this program is very easy-to-use. The product has all the necessary tools for penetration testing. Moreover, you can start the scanning in one click only.

Overall, OWASP ZAP is a great option to perform testing of different software.

#2 W9scan

W9scan is another free console scanner that has more than 1200 plug-ins to analyze the web pages’ fingerprints under the test, ports, web page structure. Also, it helps to scan SQL injections and Cross-Site Scripting (XSS).

This product can automatically generate detailed reports with scan results in the HTML format. Firstly, to start the process, you just need to enter the site URL that has to be analyzed.

W9scan

During the testing on php.testparker.com, this program could find svn and many potential ways to upload the payload. Additionally, it could identify the version correctness of services, correct vectors of XXE and XXS execution.

We did not find any critical defects on premium.bgabank.com. but the scan could predict the potential versions of services and directions (+ sub-domains).

To conclude, this scanner can be used as a tool for quick start on a subsidiary base in order to solve issues with versions and potential attack vectors.

#3 Wapiti

This is one more good product which is considered a classic console scanner. Like the W9scan, it is running with one command, despite the fact that it has a lot of configurations for a detailed scanner.

Wapiti

It helps to find the following vulnerabilities:

• File disclosure;
• Database injection;
• XSS injection;
• Command execution detection;
• CRFL injection;
• XXE;
• SSRF;
• Use to know potentially dangerous files;
• Presence of backup files giving sensitive information;
• Shellshock.

Also, this scan supports proxy, different verification methods (NTLM, Kerberos, Basic), and SSL certificates.

After testing on the php.testparker.com, we found such vulnerabilities as blind SQL injections, cross-site scripting and commands execution.

On premium.bgabank.com there was cross-site scripting only.

After the scanning is finally completed, you can get an HTML report with all detected vulnerabilities, requests, and the list of commands for curl.

Therefore, this program is not so good as OWASP ZAP, but it works much better than W9scan.

#4 Arachni

This is a qualitative software for various security tests and detecting the vulnerabilities. It has a simple and easy-to-use graphical interface and big functionality which is described in detail on the official developers’ portal.

Arachni

Program capabilities while active testing:

• SQL injection;
• Blind SQL injection;
• Blind SQL injection using timing attacks;
• NoSQL injection – error based vulnerability detection;
• Blind SQL injection using differential analysis.

During passive testing, you can manage:

• Allowed HTTP methods;
• Backup files;
• Common administration interfaces;
• Backup directions;
• Common directories;
• Common files.

After thorough studying of this functionality, you may find a lot of useful plug-ins – from Passive proxy to Cookie collector.

After testing on php.testparker.com, this scanner could find cross-site scripting, code injection, operating system command injection, and blind SQL injection.

The most critical thing found on premium.bgabank.com is the capacity of XSRF (cross-site request forgery).

A lot of formats are supported for report export:

1. PDF
2. Text
3. JSON
4. YAML
5. AFR
6. XML
7. HTML
8. Marshal

#5 Paros

This is another interesting scanner with a simple graphical interface. By the way, natively it goes in the Kali Linux distribution and is installed there on-device.

Additionally, the scanner has built-in proxy which helps to add sites for analysis, and predefined web spider which has functions of site analysis and aspect card making.

Paros

Scanner’s main features are:

• A1 – injection – SQL injection, SQL injection fingerprint;
• A6 – security misconfiguration – directory browsing, ISS default file, tomcat source file disclosure, IBM web sphere default files;
• A7 – XSS.

Additional capabilities are:

• Searching the automatic fill for passwords fields;
• CRLF injection;
• Secure page browser cache;
• Scanning of the host protected area;
• Scanning of the web products inside the local network.

In the final report, each kind of vulnerabilities undoubtedly has some information and recommendation about their fixing.

Test on php.testsparker.com helped to find XSS, SQL injection, disclosure of internal IP, old files with initial program code and directory browsing.

On premium.bgabank.com we could find automatic fill in the forms with very important information.

Despite the fact that the product doesn’t have a difficult functionality, it is quite an easy-in-use scanner. But this gives really weak scan results. Of course, it is not recommended to use this program on a regular basis.

#6 Tenable.io

Here we have a paid product. Tenable.io is a cloud scanner that can easily find a lot of vulnerabilities and cover OWASP TOP 10 2017.

tenable.io

The product has a built-in web spider. If you want, you can save the authorization data in the scan configuration and the scanner can test personal account for potential danger.

Also, the program can scan the network searching for popular vulnerabilities and hosts. Moreover, there are parameters of connecting the agents to the scan process inside the local network.

Finally, you can get reports with results in the pdf, CSV, DB, and Nessus formats.

Scanning on the php.testsparker.com allowed finding the following problems:

• Dangerous vulnerabilities of the components;
• Code injection;
• XSS;
• LFI;
• SQL injection;
• Path traversal.

On premium.bgabank.com we found:

• Apache vulnerabilities;
• Bootstrap vulnerabilities;
• JQuery.

To sum up, this is a great program that can find a lot of vulnerabilities. It is really easy-in-use due to the simple and intuitive graphical interface. Obviously, cloud service architecture is an important product feature.

#7 Acunetix

This is another commercial scanner with modern functionality. It helps to find the most popular vulnerabilities: all kinds of SQL injection, cross-site scripting, CRFL injection. By the way, you need to choose the correct settings profile for the qualitative scanning process.

Detected vulnerabilities are divided into categories: high, medium, low. In the Information section, you can certainly analyze data about completed scanning.

Acunetix

Results from php.testsparker.com were not bad as opposed to the ones, got from premium.bgabank.com.

So, this product has a lot of capacities and is perfect on the project where one needs an independent solution. The graphical interface is easy-in-use; all reports are displayed in the form of graphics.

Conclusion

At the end of the article, we can summarize as follows:

• OWASP ZAP is a great product, recommended for constant use;
• W9scan is better to use as additional software for correct identification of versions and services;
• Wapiti is a suitable program but it is not so good as OWASP ZAP;
• Arachni is obligatory at any project;
• Paros is a weak product;
• Tenable.io is a productive program, finds a lot of vulnerabilities, but one must remember that it is a cloud product;
• Acunetix is a good scanner in the form of an independent application.