Security testing for your Web applications

Legal disclaimer: Only run ZAP against environments you own or are explicitly authorised to test (e.g. your own test or staging environments). Attacking websites belonging to competitors or anyone else is illegal.

This tutorial is written using the knowledge I gathered at a hackathon we did at 99X Technology.

Tools :

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project


Download and install OWASP ZAP (Zed Attack Proxy) and start the application.




To start, let's run a quick attack against our test site. Enter your test site's URL in the "URL to Attack" field and click "Attack". For this test I will use a web application I developed. It is hosted on an IIS server on the local machine itself. :)

"http://localhost:6406" is my Url to attack.

You will see output like this. The scan is launched from the "Attack" button in the Quick Start tab, and the findings it raises are listed in the "Alerts" tab, each with a risk level (High, Medium, Low, Informational), the affected URL and parameter, and the evidence ZAP matched. After going through the alerts, you can take the necessary actions to protect your web application from attackers.



If you want to test your web application against a specific type of attack, right-click the site in the Sites tree view; under "Attack" you will find several types of attack (such as spidering and active scanning) to run against your application.



Updated Note:

To integrate ZAP with your TFS build server, please refer to the following tutorial. Since it is almost complete and very descriptive, I will not repeat it here. Credit goes to its rightful author.

http://www.codeproject.com/Articles/708129/Automated-penetration-testing-in-the-Microsoft-sta
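The two steps above, running the scan against an in-scope target and then acting on the alerts, are the part worth automating on a build server. The following Python script is an added example, not code from the original post or from the ZAP project: it refuses to scan a host that is not on an authorised list (the legal point from the disclaimer), collapses duplicate alerts, and fails the build when any alert reaches a chosen risk level. It assumes alert dictionaries in the shape returned by ZAP's `core/view/alerts` API (`alert`, `risk`, `confidence`, `url`, `param`) and the `python-owasp-zap-v2.4` client for the optional live-scan helper; the sample alerts, the allowed-host list and the `/Products` and `/Account/Login` URLs are constructed for illustration.

```python
"""CI gate for ZAP results: scope check before scanning, risk-based verdict after.

Assumptions (not from the original post): alert dicts use the field names
returned by ZAP's core/view/alerts API ("alert", "risk", "confidence", "url",
"param"); the sample alerts below are constructed, not real scan output.
"""
import time
from collections import Counter
from urllib.parse import urlparse

# Risk labels as ZAP reports them, ordered from least to most severe.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def in_scope(target, allowed_hosts):
    """True only if the target's host is one we are authorised to attack."""
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    return parsed.hostname.lower() in {h.lower() for h in allowed_hosts}


def dedupe_alerts(alerts):
    """ZAP raises one alert per request; keep one per (alert, url, param)."""
    seen = {}
    for a in alerts:
        key = (a["alert"], a["url"], a.get("param", ""))
        seen.setdefault(key, a)
    return list(seen.values())


def summarize(alerts):
    """Count de-duplicated alerts per risk level, e.g. {'High': 1, 'Medium': 2}."""
    return dict(Counter(a["risk"] for a in dedupe_alerts(alerts)))


def gate(alerts, fail_at="Medium"):
    """Return (passed, offending): offending holds alerts at or above fail_at."""
    threshold = RISK_ORDER.index(fail_at)
    offending = [a for a in dedupe_alerts(alerts)
                 if RISK_ORDER.index(a["risk"]) >= threshold]
    return (len(offending) == 0, offending)


def scan_with_zap(target, api_key, proxy="http://127.0.0.1:8080"):
    """Drive a running ZAP daemon through the python-owasp-zap-v2.4 client
    (assumed client API; not exercised offline). Returns raw alerts for target."""
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
    zap = ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})
    zap.urlopen(target)                      # seed the Sites tree
    sid = zap.spider.scan(target)
    while int(zap.spider.status(sid)) < 100:
        time.sleep(2)
    aid = zap.ascan.scan(target)             # active scan = the "Attack" button
    while int(zap.ascan.status(aid)) < 100:
        time.sleep(5)
    return zap.core.alerts(baseurl=target)


# Constructed sample alerts in the shape the ZAP API returns (not real results).
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "confidence": "Medium", "url": "http://localhost:6406/", "param": ""},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",   # duplicate
     "confidence": "Medium", "url": "http://localhost:6406/", "param": ""},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://localhost:6406/Products?id=1", "param": "id"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://localhost:6406/Account/Login", "param": "ASP.NET_SessionId"},
]

if __name__ == "__main__":
    target = "http://localhost:6406"
    # Hypothetical allow-list; only hosts you are authorised to test belong here.
    if not in_scope(target, ["localhost", "staging.example.test"]):
        raise SystemExit("refusing to scan a host outside the authorised list")
    # In a real pipeline: alerts = scan_with_zap(target, api_key="...")
    alerts = SAMPLE_ALERTS
    print("summary:", summarize(alerts))
    passed, offending = gate(alerts, fail_at="Medium")
    for a in offending:
        print(f"[{a['risk']}] {a['alert']} at {a['url']} (param={a['param'] or '-'})")
    raise SystemExit(0 if passed else 1)
```

On a build agent, the non-zero exit code from `gate` is what fails the build step; start with `fail_at="High"` on an existing application so the pipeline does not go red on every missing header, then tighten the threshold once the backlog is cleared.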



----------------

Another tool for testing for SQL injection and XSS is W3AF. A tutorial video on how to use the tool is embedded below.


Some other tools you can use to test your application are listed below.

Wapiti : http://wapiti.sourceforge.net/
Wikto : http://research.sensepost.com/tools/web/wikto
Websecurify (only a few tools are available for free; the rest are on commercial plans) :
 https://suite.websecurify.com


For a complete list of testing apps, click here
