{"id":11115,"date":"2021-12-07T10:00:00","date_gmt":"2021-12-07T01:00:00","guid":{"rendered":"https:\/\/www.gigas-jp.com\/appnews\/?p=11115"},"modified":"2021-12-06T19:27:59","modified_gmt":"2021-12-06T10:27:59","slug":"some-web-security-tools-which-developers-should-use","status":"publish","type":"post","link":"https:\/\/www.gigas-jp.com\/appnews\/archives\/11115","title":{"rendered":"Some Web Security tools which developers should use"},
"content":{"rendered":"\n<p>Today I would like to share some web security tools that developers should use. When we develop software, we must also consider security. So, in some situations, we not only have to write secure code but also need to test it from the attacker\u2019s side. Let&#8217;s take a look at the following web security tools.<\/p>\n\n<p><strong>1. Zed Attack Proxy (ZAP)<\/strong><\/p>\n\n<p>Developed by OWASP (Open Web Application Security Project), ZAP or Zed Attack Proxy is a multi-platform, open-source web application security testing tool. ZAP is used for finding a number of security vulnerabilities in a web app during the development as well as the testing phase.<\/p>\n\n<p><strong>2. Wapiti<\/strong><\/p>\n\n<p>Wapiti is an open-source project. Wapiti performs black-box testing to check web applications for security vulnerabilities. As it is a command-line application, it is important to know the various commands Wapiti uses. You can find all the Wapiti instructions in the official documentation. To check whether a script is vulnerable or not, Wapiti injects payloads. This tool supports both GET and POST HTTP attack methods.<\/p>\n\n<p>Vulnerabilities exposed by Wapiti are:<\/p>\n\n<ul><li>Command Execution detection<\/li><li>CRLF injection<\/li><li>Database injection<\/li><li>File disclosure<\/li><li>Shellshock or Bash bug<\/li><li>SSRF (Server Side Request Forgery)<\/li><li>Weak .htaccess configurations that can be bypassed<\/li><li>XSS injection<\/li><li>XXE injection<\/li><\/ul>\n\n<p><strong>3. Sqlmap<\/strong><\/p>\n\n<p>SQLMap is entirely free to use and automates the process of detecting and exploiting SQL injection vulnerabilities in a website\u2019s database. This tool supports 6 types of SQL injection techniques:<\/p>\n\n<ul><li>Boolean-based blind<\/li><li>Error-based<\/li><li>Out-of-band<\/li><li>Stacked queries<\/li><li>Time-based blind<\/li><li>UNION query<\/li><\/ul>\n\n<p><strong>4. Skipfish<\/strong><\/p>\n\n<p>Skipfish is a web application security tool that crawls your website, checks each page for various security threats and provides a final security report. It is highly optimized for HTTP handling and uses minimal CPU.<\/p>\n\n<p><strong>5. Burp Suite<\/strong><\/p>\n\n<p>Burp Suite is a Java-based web penetration testing framework. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application\u2019s attack surface, through to finding and exploiting security vulnerabilities. The tool intercepts HTTP\/S requests and acts as a man-in-the-middle between the user and web pages. The paid version provides a more agile automated testing tool with integrations with other frameworks such as Jenkins.<\/p>\n\n<p><strong>6. Nikto<\/strong><\/p>\n\n<p>The Nikto web server scanner is a security tool that tests a website for thousands of possible security issues, including dangerous files, misconfigured services, vulnerable scripts and other issues. It is open source and structured with plugins that extend its capabilities.<\/p>\n\n<p>Hope you enjoy it.<\/p>\n\n<p>By Asahi<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Today I would like to share about some web security tools that should be used by developers. When we develop a [&hellip;]<\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[100],"tags":[],"acf":[],
"_links":{"self":[{"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/posts\/11115"}],"collection":[{"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/comments?post=11115"}],"version-history":[{"count":2,"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/posts\/11115\/revisions"}],"predecessor-version":[{"id":11119,"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/posts\/11115\/revisions\/11119"}],"wp:attachment":[{"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/media?parent=11115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/categories?post=11115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gigas-jp.com\/appnews\/wp-json\/wp\/v2\/tags?post=11115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}