Cybercrime, and attacks on companies in particular, has been a growing threat for years. By far the largest share of attacks on IT systems now targets web applications and web servers, which follows logically from the fact that data and applications are increasingly hosted in the cloud. Even though there is no hundred-percent security and probably never will be, companies can take measures to get as close as possible to "non-hackable" status. An essential first step is to determine the current security level of your own web applications. But what options are there for performing security analyses of web applications?
Zed Attack Proxy (ZAP)
The Open Web Application Security Project (OWASP) is a non-profit organization that aims to improve the security of applications and services on the Internet and to protect against cybercrime. To this end it developed, among other things, the open source tool "Zed Attack Proxy" (ZAP). ZAP sits between your browser and the target as an intercepting proxy, records the traffic, and can then check the web application for security vulnerabilities automatically and carry out attacks against it. The tool has a simple structure and is deliberately kept beginner-friendly. ZAP offers automated scanners as well as a number of tools that developers and functional testers can use to find security vulnerabilities manually, for example in the context of Red Teaming. Keep in mind that the active scanner sends real attack payloads, so run it only against systems you are authorized to test, and preferably against a staging environment rather than production.
Another option for analyzing one's web applications is Burp Suite, whose core component, Burp Proxy, is an intercepting proxy server specialized in web application security testing. It allows intercepting and modifying all HTTP(S) traffic in both directions, can use custom TLS certificates, and can also handle clients that are not proxy-aware (invisible proxying). The tool is easy to set up and runs on Windows, macOS and Linux. In addition to the paid full version, Burp Suite is also available as a free Community Edition with reduced functionality, in particular a rate-limited intruder and no automated scanner.
w3af (Web Application Attack and Audit Framework) is an open source web application security scanner. It combines vulnerability scanning plugins with exploitation plugins, so that a finding can not only be reported but also verified. The project plays a useful role in penetration testing by providing information about the security vulnerabilities of a web application. w3af runs on Linux and can also be installed on macOS.
Chrome-specific Security Tools
More than half of Internet users use Google Chrome as their browser (source: Statista). To meet the increasing need for security, the Chrome Web Store offers a whole range of third-party extensions that help keep web applications secure. These include Request Maker, for example, a tool that lets you easily capture requests made by web pages, manipulate the URL, headers and POST data, and send new requests. Session Manager allows you to save your current browser state and reload it when needed. You can manage multiple sessions, rename them or remove them from the session library. Each session remembers the state of the browser at the time of its creation, i.e. the tabs and windows that were open. The Web Developer extension adds a toolbar button to the browser with various web developer tools. It allows you to analyze or even edit the web page code in detail and to view the HTML and CSS of a page, and it can hand both off to validators that report errors in either area. Note that browser extensions run with access to the pages you visit, so install only extensions you trust, and prefer a separate browser profile for testing.
Tools for Firefox
The Web Developer extension existed for Firefox long before it was ported to Chrome. Firefox also has its own tools for analyzing web applications. If you want to examine the HTTP requests of your site step by step, you can use Live HTTP Headers. The information obtained is helpful for troubleshooting, analyzing and optimizing your own website. The Firefox extension Tamper Data 10.1.1 logs every HTTP request and every response from the web server, free of charge, and lets you modify requests before they are sent. By analyzing the data stream between your PC and all contacted websites, you can detect security weaknesses and subsequently fix them. Note that the classic versions of both add-ons predate Firefox's WebExtensions API; on current Firefox releases you either use a rewritten successor or the built-in Network panel of the developer tools, which shows the same request and response headers.
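Tools such as Live HTTP Headers, Tamper Data, Request Maker or Burp show you the raw headers, but the judgement of what is missing is still yours. The following script is an added example, not code from the original article or from any of the tools it names: it takes a raw HTTP response as you would copy it out of such a header logger and reports missing security headers, a version-leaking Server header and cookies set without the Secure, HttpOnly or SameSite attributes. The list of expected headers and the sample response are assumptions constructed for this example.

```python
"""Audit a captured HTTP response for common security weaknesses.

Added example (not from the original article or from the tools it names).
Input is the raw response text copied from a header logger or proxy.
"""
from __future__ import annotations

import re

# Headers a modern web application is expected to send. The list and the
# reasons are assumptions for this example, not an exhaustive standard.
EXPECTED_HEADERS = {
    "strict-transport-security": "HTTPS-only sites should send HSTS",
    "content-security-policy": "no CSP, so the impact of XSS is not constrained",
    "x-content-type-options": "should be 'nosniff'",
    "x-frame-options": "no clickjacking protection (or use CSP frame-ancestors)",
}


def parse_response(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw HTTP response into its status line and a header map.

    Header names are lower-cased; repeated headers such as Set-Cookie are
    kept as a list. Only the head is parsed; the body after the blank line
    is ignored.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = lines[0].strip()
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_cookies(set_cookie_values: list[str]) -> list[str]:
    """Return one finding per missing Secure/HttpOnly/SameSite attribute."""
    findings = []
    for raw_cookie in set_cookie_values:
        parts = [p.strip() for p in raw_cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names only; values such as SameSite=Lax are dropped here.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for attr in ("secure", "httponly", "samesite"):
            if attr not in attrs:
                findings.append(f"cookie {name!r} lacks {attr}")
    return findings


def audit_response(raw: str) -> list[str]:
    """Combine header and cookie checks into a list of human-readable findings."""
    _, headers = parse_response(raw)
    findings = []
    for name, why in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name}: {why}")
    xcto = headers.get("x-content-type-options")
    if xcto and xcto[0].lower() != "nosniff":
        findings.append("x-content-type-options present but not 'nosniff'")
    # A version number in the Server header makes fingerprinting trivial.
    server = headers.get("server", [""])[0]
    if re.search(r"\d", server):
        findings.append(f"server header leaks version: {server}")
    findings.extend(check_cookies(headers.get("set-cookie", [])))
    return findings


# Constructed sample response, as it might be copied out of a header logger.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

Running it against the constructed sample lists the three missing headers, the version-leaking Server header and the session cookie's missing Secure and SameSite attributes; the `theme` cookie passes. Paste in a real response from your own site to see which of these points apply to it.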
Protecting web applications is essential today. To help you do this, there is a variety of (free) tools for checking the security of your own applications. These are usually easy to install and use, and they help identify security risks and data leaks. However, that is only half the battle: to protect your applications as well as possible, the identified vulnerabilities must also be remedied, and the scan repeated afterwards to confirm that the fix actually closed them.