You probably need a website vulnerability scanner, right now.
It is said over and over that your websites are in constant danger. Malware, exploits and data breaches are real threats to your websites, and they become more sophisticated and more dangerous every day.
There is one thing behind all of these risks: they are carried out by people. Attackers have many motives for what they do (profit, amusement, political advantage, and so on), but one single factor determines whether they succeed: whether your website is secured and free of exploitable vulnerabilities.
A great number of new vulnerabilities are being disclosed to the Internet community all the time, many of which have not yet been fixed. At the time of writing, even the CMS giant WordPress has a worrying unfixed vulnerability that can cost you data and even the administrative rights to your website. Vulnerabilities also let attackers inject malicious code and steal your sensitive information.
How can you prevent such disasters from occurring? By knowing what vulnerabilities your website has, of course.
A security evaluation carried out by an expert gives great results, but it can be inconvenient and costly, and you also face the question of whether to trust someone with your website data and administrator credentials. That is where a website vulnerability scanner comes in handy.
This type of tool works through the web front end, the same way an attacker does, to reveal potential security vulnerabilities and weaknesses. With very little setup you quickly learn which threats you are exposed to, and your source code stays private.
The options for website vulnerability scanning are varied, so we have compiled a list for your convenience:
1. Burp Suite:
This toolkit comes in a free edition with limited features and in a commercial edition with the full feature set. The platform bundles many tools for testing the security of websites, and they work together so that the whole workflow is covered: mapping the application, then finding and exploiting security vulnerabilities.
- A proxy for inspecting and filtering traffic between your browser and the application
- A spider for crawling content and functionality
- An intruder tool for simulating attacks to identify vulnerabilities
- A web application scanner for detecting vulnerabilities
- A repeater for resending individual requests
- A sequencer for testing the randomness of session tokens
- Project saving so you can stop and continue working later
- Support for extensions to perform customized tasks
This website vulnerability scanner can both find and exploit vulnerabilities. Threats such as SQL injection and cross-site scripting are identified and reported to the website owner, each with a severity and a confidence rating, so you can tell which findings the scanner actually confirmed and which still need manual verification with Repeater or Intruder.
The Community Edition is free and, being Java-based, runs on Windows, Linux and macOS. Note that the automated scanner is only included in the Professional edition; the free edition gives you the proxy, Repeater and a rate-limited Intruder. For a beginner this is still a great starting point for website security.
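To make the Sequencer's job concrete, here is an added example of the kind of analysis it automates. This is not Burp's code and is far simpler than its statistical test suite: it estimates the Shannon entropy at each character position of a token sample and checks whether the tokens advance like a counter. The weak generator, the fixed user id and the sample sizes are constructed for illustration.

```python
import math
import secrets
from collections import Counter


def per_position_entropy(tokens):
    """Shannon entropy, in bits, estimated at each character position of a
    sample of equal-length tokens. A position that always holds the same
    character contributes 0 bits; a uniformly random hex digit approaches 4."""
    width = len(tokens[0])
    sample = len(tokens)
    bits = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        bits.append(-sum(c / sample * math.log2(c / sample) for c in counts.values()))
    return bits


def is_sequential(tokens):
    """True if the tokens, read as hex integers, advance by a constant step
    (a counter or timestamp in disguise), which makes the next token guessable."""
    values = [int(t, 16) for t in tokens]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1


def assess(tokens):
    """Summary a tester would look at: total estimated bits, positions that
    never change, and whether the sequence is predictable by arithmetic."""
    bits = per_position_entropy(tokens)
    return {
        "total_bits": sum(bits),
        "fixed_positions": sum(1 for b in bits if b == 0.0),
        "sequential": is_sequential(tokens),
    }


# Constructed sample: a hypothetical weak generator that concatenates a fixed
# user id with a request counter, next to tokens from the standard-library CSPRNG.
def weak_tokens(n, user_id=0x2A):
    return ["%08x%08x" % (user_id, counter) for counter in range(n)]


def strong_tokens(n):
    return [secrets.token_hex(8) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("weak", weak_tokens(256)), ("strong", strong_tokens(256))):
        print(name, assess(sample))
```

With 256 samples the weak generator scores 8 bits spread over two positions, with 14 positions that never change, and the counter shows up as a constant step of 1; the CSPRNG tokens score close to 4 bits at every position. A real sequencer draws thousands of tokens and runs many more tests, but the verdict it gives comes from the same idea.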
2. Arachni:
Arachni is a sophisticated, open-source, Ruby-based framework with support for checks and plugins of all kinds. It learns from the web application's behaviour during the scan, and its meta-analysis assesses the trustworthiness of its own results, which keeps false positives down.
- Cookie-jar and cookie-string support
- User-Agent spoofing
- Custom request headers
- SSL/TLS support
- Proxy support, including proxy authentication
- Custom 404-page detection
- Both a command-line interface and a web user interface
- Suspending a scan to a snapshot and resuming it later
- Automatic logout detection and re-login during the scan
4. CyStack Scanning: Website vulnerability scanner
CyStack Platform bundles monitoring, vulnerability scanning, malware detection and protection for your website. For vulnerability detection alone, the service identifies the OWASP Top 10 and more: with crowdsourced input and daily updates of 1-day vulnerabilities, its database keeps up with the newest threats. Many CMSs are supported, including Drupal, WordPress and Joomla.
- Injection flaws, including SQL, NoSQL, OS and LDAP injection
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Components with known vulnerabilities
- Insufficient logging and monitoring
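The injection checks above all work the same way: send a crafted value, compare what comes back with the normal response, and report only when the difference proves the input reached the interpreter. The following added example (not CyStack's, Burp's or any listed tool's code) runs the two standard SQL injection probes against a deliberately vulnerable handler and its parameterized counterpart, using an in-memory SQLite table constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory product table standing in for a real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("widget", 10), ("gadget", 25), ("gizmo", 40)])
    return conn


def vulnerable_search(conn, term):
    """Deliberately vulnerable: the user-supplied term is spliced into the SQL text."""
    sql = "SELECT name FROM products WHERE name = '%s'" % term
    return [row[0] for row in conn.execute(sql)]


def hardened_search(conn, term):
    """Parameterized query: the term is bound as data and can never alter the SQL."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def error_based_check(handler, conn, base="widget"):
    """Probe 1: a lone quote. A handler that splices input into SQL raises a
    database error; a parameterized one simply searches for the literal string."""
    try:
        handler(conn, base + "'")
    except sqlite3.Error:
        return True
    return False


def boolean_based_check(handler, conn, base="widget"):
    """Probe 2: two payloads that differ only in a tautology vs a contradiction.
    If the true condition reproduces the baseline while the false one changes
    the result, the database evaluated our condition."""
    def safe(term):
        try:
            return handler(conn, term)
        except sqlite3.Error as exc:
            return "error:%s" % exc
    baseline = safe(base)
    when_true = safe(base + "' AND '1'='1")
    when_false = safe(base + "' AND '1'='2")
    return baseline == when_true and when_true != when_false


if __name__ == "__main__":
    db = build_db()
    for name, handler in (("vulnerable_search", vulnerable_search),
                          ("hardened_search", hardened_search)):
        print(name, "error-based:", error_based_check(handler, db),
              "boolean-based:", boolean_based_check(handler, db))
```

The boolean probe is the one that matters in practice: applications that swallow database errors still leak the difference between a true and a false condition, which is exactly why a scanner reports a finding only when both responses line up the way the check predicts.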
5. Vega:
Vega is a Java-based website vulnerability scanner from Subgraph, with support for Windows, Linux and OS X. This free and open-source tool lets you find and validate SQL injection, cross-site scripting and disclosure of sensitive information.
- Automated crawler and vulnerability scanner
- Website crawler
- Consistent UI
- Intercepting proxy
- SSL MITM
- Database and shared data model
- Content analysis
The website vulnerability scanners above suit different needs, and some are more well-rounded than others. The only way to find your best option is to try them for yourself, and to start protecting your website early, before it falls into the hands of cybercriminals. Keep in mind that a scanner only finds what its checks cover: treat its report as a starting point, verify the findings, and pair it with manual testing and prompt patching of the software you run.