As the number of web applications grows and the digital world becomes more advanced, hacking activities have become more sophisticated as well. To keep up, many new security tools have been developed to help organizations detect vulnerabilities before attackers do. Often, those tools are fairly expensive, which discourages organizations on a tighter budget from investing in them.
Luckily, the open-source (OS) community can help us. This article explores seven useful open-source security tools you should know about. These tools can act as great complements to your larger monitoring and real-time protection solutions.
1. Nmap – network security scanner
Nmap is an open-source tool for discovering network security issues. It’s a great tool for auditing the networking part of your server. The tool helps you with identifying which hosts are available and what services they’re running.
Nmap is mostly used for its core functionality, port scanning. The tool sends raw packets to a system's ports and listens for the responses. This way, Nmap can figure out which ports are open, closed, or filtered by a firewall.
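Nmap's default SYN scan works with raw packets and needs privileges; the same open/closed/filtered classification can be demonstrated with an ordinary TCP connect, which is what nmap -sT does. The following is an added example, not Nmap's code: it maps each connect outcome to Nmap's port states, and demo() scans a throwaway loopback listener plus a port that nothing is bound to.

```python
import socket


def classify_port(host, port, timeout=1.0):
    """Probe one TCP port with a full connect and map the outcome to Nmap's vocabulary."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"          # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"        # RST came back: host reachable, nothing listening
        except socket.timeout:
            return "filtered"      # no answer at all: a firewall is likely dropping probes
        except OSError as exc:
            return f"unreachable ({exc.strerror})"  # routing or other network error


def scan_ports(host, ports, timeout=1.0):
    """Classify every port in the list for one host."""
    return {port: classify_port(host, port, timeout) for port in ports}


def demo():
    """Start a throwaway listener on loopback, then scan it and a port nothing is bound to."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(5)                # the kernel completes handshakes into the backlog
    open_port = listener.getsockname()[1]
    # Find a currently free port by binding and immediately releasing it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
```

A "filtered" result needs a host whose firewall silently drops the probe, so demo() only exercises the open and closed paths.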
2. Grabber – backup file detection
Grabber was designed as a lightweight web application scanner suited for smaller applications such as a personal website, forum, or small web application. This scanner is not the fastest; however, it's quite adaptable through a range of options. For example, if you want to check for XSS only, you can use the --xss flag.
Some of its important features include the following:
- XSS attack (cross-site scripting)
- SQL injection
- File inclusion attack
- Backup file detection
You might wonder why backup file detection is important. Let me further explain this feature. No doubt, it’s a best practice to regularly create backups of your production data and application. However, it commonly happens that someone unknowingly stores those backups on the same server in a publicly available directory. In other cases, access rights for this folder have been misconfigured or just completely forgotten about.
In short, handle backups with great care as they might reveal your production data or source code. You don’t want to reveal your source code to hackers as that allows them to gain a deep understanding of your application and easily find exploits.
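The exposure described above can be checked on the server side, before a scanner finds it. The following is an added example (not Grabber's own signature list): it walks a document root, flags files whose names look like backups or editor leftovers, and records whether each one is world-readable. The suffix and prefix lists are this example's assumptions.

```python
import os
import stat
import tempfile

# Name patterns that commonly mark backups or editor leftovers (assumed list for this example).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".sql.gz", ".zip", ".tar.gz", ".tgz", ".swp", "~")
BACKUP_PREFIXES = (".#", "#")  # emacs lock and autosave files


def backup_reason(name):
    """Return why a file name looks like a backup artifact, or None if it does not."""
    lower = name.lower()
    for suffix in BACKUP_SUFFIXES:
        if lower.endswith(suffix):
            return f"backup-like suffix {suffix!r}"
    for prefix in BACKUP_PREFIXES:
        if lower.startswith(prefix):
            return f"editor artifact prefix {prefix!r}"
    return None


def find_exposed_backups(webroot):
    """List (relative path, reason, world_readable) for backup-like files under a document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            reason = backup_reason(name)
            if reason is None:
                continue
            path = os.path.join(dirpath, name)
            world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
            findings.append((os.path.relpath(path, webroot), reason, world_readable))
    return sorted(findings)


def demo():
    """Build a constructed document root in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "includes"))
    for rel, mode in (("index.php", 0o644), ("config.php.bak", 0o644),
                      ("includes/db.sql", 0o600), ("site-2023.tar.gz", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return find_exposed_backups(root)
```

Anything this reports should live outside the document root or be denied by the web server's configuration, not merely renamed.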
3. OWASP Zed Attack Proxy (ZAP)
ZAP was created by the OWASP Foundation. The tool is actively maintained and is one of the most popular open-source security tools. The tool gained popularity by providing various APIs for security automation and integration into your continuous integration (CI) pipeline.
Additionally, a whole marketplace of add-ons exists where the ZAP community can share new security plugins. This means ZAP is pretty flexible and allows any developer to make changes to the tool.
Moreover, ZAP brands itself as a “man-in-the-middle proxy” that sits between the tester’s browser and the web application. ZAP will intercept messages and modify them when needed to check the security of your web application. Want to get started with ZAP? Check out this introduction article.
4. SonarQube – static code analysis
SonarQube is an excellent tool for developers to check their code for bugs and code smells. Its main focus is static code analysis, and it supports 27 programming languages. SonarQube works by following every possible code path in your application to detect bugs; manually checking all of those code paths is not feasible for a human reviewer.
Also, SonarQube fits the DevOps movement well, as it supports agile software development. SonarQube can be integrated with your CI pipeline, giving developers quick security feedback about their code. Instead of running security checks only once every couple of months, SonarQube allows your team to run security checks on every commit or pull request (PR).
In short, SonarQube brings “continuous code inspection” for almost any type of project.
5. SQLMap – automated SQL injection
SQLMap is an open-source SQL injection automation tool that can be found on GitHub. It automates the process of detecting and exploiting SQL injection flaws. This tool comes with many specialized features for taking over a SQL database. It supports many database types, such as MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, MariaDB, MemSQL, and many more listed on SQLMap's website.
SQLMap supports the following six types of SQL injection attacks:
- Boolean-based blind
- Time-based blind
- Error-based injection
- UNION query-based
- Stacked queries
- Out-of-band SQL injection
Next, let's quickly look at time-based blind SQL injection attacks. This is a very basic type of test used to extract information from a database when no other information is available. Here's a definition from sqlinjection.net:
“Time-based techniques are often used to achieve tests when there is no other way to retrieve information from the database server. This kind of attack injects a SQL segment that contains specific DBMS function or heavy query that generates a time delay. Depending on the time it takes to get the server response, it is possible to deduct some information.”
In other words, a time-based attack helps with detecting the type of database. For example, only MySQL understands the sleep(time) command. When a database takes the specified amount of time to send a response, you can be pretty sure you’re dealing with a MySQL database management system (DBMS).
Want to learn more about time-based attack vulnerabilities in web applications? Read about them in this best practices blog.
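Since a time-based probe leaves the delay function in the request, the technique described above is also easy to spot in web server logs. The following is an added example, not part of the article or SQLMap: it parses constructed Apache combined-format log lines, URL-decodes each query string, and matches it against MySQL's SLEEP() from the text plus the equivalent delay primitives of other DBMSs, then groups hits per client.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format log lines (not from the article or any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /items?id=42 HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /items?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /items?id=42%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27 HTTP/1.1" 500 221 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=sleep+deprivation HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=pg_sleep(10)-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client IP, then "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Delay primitives per DBMS: MySQL SLEEP()/BENCHMARK(), PostgreSQL pg_sleep(),
# SQL Server WAITFOR DELAY, Oracle DBMS_PIPE.RECEIVE_MESSAGE(). Whitespace between
# the name and "(" is tolerated; matching runs on the URL-decoded query string.
DELAY_SIGNATURES = {
    "mysql-sleep": re.compile(r"\bsleep\s*\(", re.I),
    "mysql-benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "postgres-pg_sleep": re.compile(r"\bpg_sleep\s*\(", re.I),
    "mssql-waitfor": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "oracle-dbms_pipe": re.compile(r"\bdbms_pipe\.receive_message\s*\(", re.I),
}


def delay_signatures(line):
    """Return (client_ip, [matched signature names]) for one line, or None if unparseable."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # Decode once so %20 and "+" become spaces before the patterns run.
    query = unquote_plus(urlsplit(m.group("target")).query)
    return m.group("ip"), [name for name, rx in DELAY_SIGNATURES.items() if rx.search(query)]


def suspicious_clients(log_text):
    """Map each client IP to the delay signatures seen across all of its requests."""
    report = {}
    for line in log_text.splitlines():
        parsed = delay_signatures(line)
        if parsed and parsed[1]:
            report.setdefault(parsed[0], []).extend(parsed[1])
    return report
```

Note that the plain word "sleep" in the search query is not reported: the patterns require the function-call form, which keeps ordinary user input out of the alert.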
6. w3af – web application attack and audit framework
Next, w3af is one of the most popular all-around web application security testing frameworks currently available. One of its key features is its graphical user interface (GUI), which makes security testing a bit more tangible than the usual command-line interface (CLI).
Moreover, the w3af scanner can detect more than 200 types of vulnerabilities. Here’s a small selection of its features:
- Buffer overflow vulnerability
- Insecure Access-Control-Allow-Origin header
- Insecure redirection
- Memcached injection vulnerability
- Insecure SSL version
- Cookie without HttpOnly
7. Wapiti – web application vulnerability scanner
Wapiti is a web application vulnerability scanner. SourceForge and DevLoop developed this tool. It works as a black-box vulnerability scanner, which means it doesn't need access to the application's source code to scan for vulnerabilities. Black-box scanning is more realistic, as potential attackers shouldn't have access to the source code of your application.
Furthermore, the tool is able to perform the following types of attacks:
- Shellshock (also known as Bashdoor)
- Server-side request forgery (SSRF)
- CRLF injection
- Bypass weak .htaccess configurations
- And many more attacks that you can find on GitHub
8. Semgrep – lightweight static analysis for many languages
Semgrep is a static analysis tool for finding and blocking bug variants with rules that look like source code. It supports a range of languages and helps teams add lightweight static analysis to their pull requests and deployment process. Semgrep aims to combine the speed and customization of grep with the precision of traditional static analysis tools.
Users of Semgrep have said things like “I’m getting all of our CI pipelines to run some kind of security scan. Semgrep picks the right rules for me and runs them quickly in the right place. And I can still write custom rules to catch specific issues unique to our code.”
In short, Semgrep has a solid community, and is built to make static code analysis an easy addition to your projects across a wide range of languages.
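The kind of rule the section describes, written here as an added example and not one of Semgrep's own registry rules: it flags Python database calls whose query text is assembled with %, .format(), an f-string or concatenation, which is exactly the flaw SQLMap exploits in section 5. The rule id, message and metavariable names ($CURSOR, $QUERY, $ARGS, $LEFT, $RIGHT) are this example's own choices.

```yaml
# Constructed Semgrep rule (example only, not from Semgrep's registry).
rules:
  - id: python-sql-query-built-with-string-formatting
    languages: [python]
    severity: ERROR
    message: >-
      SQL query text is built with string formatting or concatenation, which is how
      SQL injection enters. Pass values as query parameters instead, for example
      cursor.execute("SELECT ... WHERE id = %s", (user_id,))
    # Each alternative matches one way of splicing data into the query string.
    # $CURSOR, $QUERY, $ARGS, $LEFT and $RIGHT are metavariables; a trailing "..."
    # matches any further arguments, so execute(query % x, timeout=5) is still caught.
    pattern-either:
      - pattern: $CURSOR.execute($QUERY % $ARGS, ...)
      - pattern: $CURSOR.execute($QUERY.format(...), ...)
      - pattern: $CURSOR.execute(f"...", ...)
      - pattern: $CURSOR.execute($LEFT + $RIGHT, ...)
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
```

Because the parameterized form passes a plain string literal plus a separate tuple, none of the four alternatives match it, so the fixed code stays clean in CI.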
Bonus: Nikto – web server scanner
Lastly, Nikto is an actively maintained open-source web server scanner. At its core, Nikto helps developers with finding misconfigured web servers and plugins. However, the tool also works for scanning web vulnerabilities.
Nikto can detect the type of web server based on the responses it receives. Initially, Nikto sends 2,000 HTTP GET requests to your server to get a better understanding of your web server. This is also an ideal opportunity to check if your intrusion detection system has been configured correctly.
In short, it’s a great tool for developers or administrators to regularly check the security of your server.
To summarize, if you want to establish a robust security suite, consider using some of the above open-source security tools as part of your application security approach, alongside solutions that can protect your application in production like Sqreen. Sqreen offers a unified AppSec platform that focuses on three aspects: observation, protection, and security testing. To give an example, you can use Sqreen in combination with Nmap, which helps you to scan for open or misconfigured ports on your server. When adding Sqreen, it can also help you with reducing the risk of data breaches by covering your app against the OWASP Top 10 vulnerabilities, such as SQL injections, XSS, SSRF, and more.
This post was written by Michiel Mulders. Michiel is a passionate blockchain developer who loves writing technical content. Besides that, he loves learning about marketing, UX psychology, and entrepreneurship. When he’s not writing, he’s probably enjoying a Belgian beer!