Penetration Test | Jan Kahmen | 5 min read

Important Tools for Web Application Security Analysis

Security analyses of web applications are indispensable to counter cybercrime. Here you will learn about the pentest tools for this purpose.

Cybercrime — specifically attacks on businesses — has been a growing threat for years. By far the largest share of attacks on IT systems now targets web applications and web servers. This is unsurprising, as data and applications are increasingly stored in the cloud. While there is no such thing as absolute security and there probably never will be, companies can take measures to get as close as possible to being "unhackable." An essential first step is to assess the current security level of your own web applications. But what options are available for conducting web application security analyses?

Zed Attack Proxy (ZAP)

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to improving the security of applications and services on the internet and protecting against cybercrime. Among other initiatives, OWASP has developed the open-source tool "Zed Attack Proxy" (ZAP). It allows you to automatically scan web apps for security vulnerabilities and simulate attacks. The tool features a straightforward design and is deliberately beginner-friendly. ZAP offers both automated scanners and a range of tools that developers and functional testers can use to manually uncover security weaknesses — for example, during Red Teaming exercises.

Burp Proxy

Another option for protecting your web applications is Burp Proxy, an intercepting proxy server specialized in web application security analysis. It enables you to intercept and modify all HTTP(S) traffic in both directions and works with custom SSL certificates as well as non-proxy clients. The tool can be installed on Windows and is easy to set up, but it also runs on macOS and Linux. In addition to the paid full version, Burp Suite is available as a limited free edition.

w3af

w3af is an open-source web application designed for security scanning. It provides vulnerability scanners and exploit tools to help protect web applications. The project plays an important role in penetration testing by delivering detailed information about security weaknesses. w3af can also be installed on macOS.

Chrome-Specific Security Tools

More than half of all internet users rely on Google Chrome as their browser (source: Statista). To address the growing need for security, Google offers a broad range of Chrome-specific tools for keeping web applications secure. One example is Request Maker, a tool that lets you capture requests made by web pages, manipulate the URL, headers, and POST data, and issue new requests.

Session Manager allows you to save your current browser state and restore it when needed. You can manage multiple sessions, rename them, or remove them from the session library. Each session remembers the browser state at the time of its creation, including all open tabs and windows.

The Web Developer extension adds a toolbar button to the browser with various web developer tools. It lets you analyze or even edit web page code in detail and view the HTML and CSS of a page. The extension can even detect and report errors in both areas.

Tools for Firefox

Even before Google released a Web Developer plugin, one already existed for Firefox. Beyond that, this browser also offers its own tools for protecting web applications. If you want to evaluate your website's HTTP requests step by step, you can use Live HTTP Headers. The information it provides is valuable for troubleshooting, analysis, and optimization.

The free Firefox extension Tamper Data 10.1.1 logs every HTTP request and all web server responses. By analyzing the data stream between your PC and all contacted websites, you can reliably detect security leaks and then fix them.
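To show what analyzing such a header log can look like, here is an added Python example; it is not from the original article or from any of the tools named. It assumes a plain-text log of request and response header blocks separated by blank lines, and the log content, the host name `shop.example` and the three checks are constructed for illustration.

```python
import re

# Constructed sample log: request/response header blocks separated by blank lines.
SAMPLE_LOG = """\
GET /account HTTP/1.1
Host: shop.example

HTTP/1.1 200 OK
Server: Apache/2.4.1 (Unix)
Set-Cookie: sid=abc123; Path=/
Content-Type: text/html

GET /static/app.css HTTP/1.1
Host: shop.example

HTTP/1.1 200 OK
Server: nginx
X-Content-Type-Options: nosniff
Content-Type: text/css
"""

def parse_exchanges(log):
    """Yield (request_line, response_headers) for each request/response pair."""
    request_line = None
    for block in re.split(r"\n\s*\n", log.strip()):
        first, *rest = block.splitlines()
        if first.startswith("HTTP/"):  # a status line opens a response block
            yield request_line, [tuple(p.strip() for p in h.split(":", 1))
                                 for h in rest if ":" in h]
        else:
            request_line = first

def audit(log):
    """Return (request_line, finding) pairs for three illustrative checks."""
    findings = []
    for req, headers in parse_exchanges(log):
        for name, value in headers:
            if name.lower() == "set-cookie":
                pair, *attrs = value.split(";")
                attrs = {a.strip().split("=")[0].lower() for a in attrs}
                findings += [(req, f"cookie '{pair.split('=')[0]}' lacks {flag}")
                             for flag in ("secure", "httponly") if flag not in attrs]
            elif name.lower() in ("server", "x-powered-by") and re.search(r"\d", value):
                findings.append((req, f"{name} discloses a version: {value}"))
        if not any(n.lower() == "x-content-type-options" for n, _ in headers):
            findings.append((req, "missing X-Content-Type-Options"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Each finding is tied to the request that produced the response, so it can be traced back to the page or resource that needs fixing.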

Conclusion

Protecting web applications is essential today. To support you in this effort, a wide variety of (free) tools are available for verifying the security of your applications. These are generally easy to install and use, helping you identify security risks and data leaks. However, this is only half the battle — to protect your applications as effectively as possible, the identified vulnerabilities must also be remediated.