Website security is a major concern for developers and businesses today. Because attack vectors keep growing and many of them are easy to exploit, businesses spend thousands of dollars finding and patching vulnerabilities in their websites. Websecurify can help you find OWASP Top 10 vulnerabilities before hackers (read: crackers) do. Websecurify is a free and open source web application scanner from the good folks at GNUcitizen.org. It is very easy to use, and its simple interface makes it stand out from the crowd.
GNUCITIZEN defines it as:
"Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies." For a free tool it has a good number of features, like:
- Multi-platform: works on Linux, Mac, Windows and even on your mobile devices.
- Extensible via scripts and extensions, and you don't need to be a pro to extend it; just learning how to create extensions for Mozilla is more than enough.
- Modular in design
- Powerful fuzzer and crawler
- Nice reporting capabilities (right now it's limited to CSV, HTML and XML only).
- API which supports numerous commercial and free testing engines.
- Can be integrated with web applications
- Support for an upstream proxy
- Supports client SSL
How to install Websecurify?
Installing Websecurify is as easy as pie. On Windows: download the exe from http://www.websecurify.com/ and install it. On Matriux: just find it in the Arsenal (Arsenal > Framework > Websecurify). On Firefox: download and install the Websecurify add-on from Tools -> Add-ons. On Chrome: download and install the Websecurify extension from the Web Store.
How to use Websecurify?
One of the good things about Websecurify is its ease of use: you can start a scan by just giving the URL of your site and login credentials (if you want) and clicking the Start button. That's it :).
You can set preferences like proxy and SSL certificate in the Tools -> Preferences menu.
1. Enter the URL which you want to scan and press Enter.
2. A warning message will be displayed to make sure that you know what you are doing; click Continue if you have permission to scan the target (Figure 3).
3. If the application needs login credentials, a popup will try to capture those credentials. This step is optional if you don't want to scan deeply. You will see the status of your scan in the next screen.
4. Once the scan is complete you will see a nice report.
If you want to compare how Websecurify performs against other tools, the following sites can be used. Scan any one (or all of them) with Websecurify and your tool of choice, and compare the results.
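As an added example (not from the original article, and not Websecurify's own code), the following Python script shows one way to carry out that comparison mechanically once both tools have exported their findings. It assumes each report has been reduced to a three-column CSV (url, vulnerability, severity); that layout and the sample rows are constructed for illustration and are not Websecurify's actual export format. Findings are keyed by page (query string stripped, since scanners put different test payloads in the query) and lower-cased vulnerability name, so you can see what each scanner found that the other missed and where they disagree on severity.

```python
"""
Compare the findings of two web-application scanner reports.

Added example, not part of the original article and not Websecurify's own
code. Assumes each scanner's report (Websecurify lists CSV among its output
formats) has been reduced to three columns: url, vulnerability, severity.
The column layout and the sample rows below are constructed for illustration.
"""
import csv
import io
from urllib.parse import urlsplit, urlunsplit

# Constructed sample reports (hypothetical data, not real scan output).
SCANNER_A = """url,vulnerability,severity
http://test.example/search.php?q=1,Reflected XSS,High
http://test.example/login.php,SQL Injection,High
http://test.example/,Missing X-Frame-Options,Low
"""

SCANNER_B = """url,vulnerability,severity
http://test.example/search.php?q=abc,reflected xss,Medium
http://test.example/admin/,Directory Listing,Medium
http://test.example/,missing x-frame-options,Low
"""


def normalize_url(url):
    """Drop query string and fragment so the same page reported with
    different test payloads in the query compares equal."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def load_findings(text):
    """Parse a CSV report into {(normalized_url, vulnerability): severity}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (normalize_url(row["url"]), row["vulnerability"].strip().lower())
        findings[key] = row["severity"].strip().lower()
    return findings


def compare_reports(text_a, text_b):
    """Return which findings both tools share, which are unique to each,
    and where the two tools rated a shared finding differently."""
    a = load_findings(text_a)
    b = load_findings(text_b)
    both = sorted(set(a) & set(b))
    return {
        "both": both,
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "severity_mismatch": sorted(k for k in both if a[k] != b[k]),
    }


if __name__ == "__main__":
    result = compare_reports(SCANNER_A, SCANNER_B)
    for label, items in result.items():
        print(label)
        for url, vuln in items:
            print("   ", url, "-", vuln)
```

The "only_a" and "only_b" lists are where the comparison pays off: a finding one scanner reports and the other misses is either a false positive or a blind spot, and either way it needs a manual look before you trust the report.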
That's it for this edition 🙂
Oh wait!! We have more news: Matriux Krypton R2 is set to release on Oct 7th 2011 at c0c0n (http://informationsecurityday.com/c0c0n), so be there to grab it first. Happy hacking :<)
Twitter: @matriuxtig3r