Penetration testing, sometimes known as vulnerability assessment, is the processes of identifying the security pitfalls in software, web applications, networks, and other communication systems. Overlooked security issues can cost thousands of dollars or completely crash the network. Penetration testing should be performed regularly to ensure the highest level of security of valuable information, money and customer data.
System security professionals use several enterprise and open source penetration frameworks. Here is a brief summary of the most popular open source web application penetration testing frameworks that help save money in the QA department and also help ensure security.
Metasploit is a popular framework available in three editions: professional, express and community. The community edition is free and open source with a set of robust penetration testing features such as web and command line interface, threat validation, network discovery, password auditing, social engineering and much more. Metasploit is available for Windows and Linux Platforms but keep in mind that it is resource intensive. The program is extensible using several plug-ins.
w3af (Web Application audit and attack framework) is a popular and very powerful vulnerability assessment framework that can exploit more than 200 vulnerabilities. A newcomer in the penetration testing arena, it is one of Metasploit’s top competitors. It can detect PHP misconfigurations, XSS (cross site scripting), SQL injection, unhandled application exceptions and many other security issues. The program is also extensible using several plug-ins.
VEGA is an amazing penetration testing framework yet is not as popular among QA professionals. This could be a result of its relatively low user base and support materials. VEGA is cross-platform (platform independent) and written in Java. Currently it is available for all major operating systems, Windows, MAC OS X, and Linux. VEGA currently offers the following: XSS (Cross site scripting), SQL injection, directory traversal, URL injection, error detection, file upload errors and sensitive data recovery.
Websecurify is a veteran penetration tester that runs on Windows, MAC OS X and Linux and also runs on iOS and Android. It is simple to use and comes with good testing and scanning ability. There are a numbers plug-ins available for download.
Arachni is the newest entry to the penetration testing market. Although only available on the Linux Platform, major updates are in the works. Arachni was developed with RubyMine and comes with an amazing web interface and distributed performance feature.