Penetration testing tools


Problem description

We have hundreds of websites which were developed in ASP, .NET and Java, and we are paying a lot of money for an external agency to do penetration testing of our sites to check for security loopholes. Is there any (good) software (paid or free) to do this?

Or, are there any technical articles which could help me develop such a tool?

Recommended answer

There are a couple different directions you can go with automated testing tools for web applications.

First, there are the commercial web scanners, of which HP WebInspect and Rational AppScan are the two most popular. These are "all-in-one", "fire-and-forget" tools that you download and install on an internal Windows desktop and then give a URL to spider your site, scan for well-known vulnerabilities (i.e., the things that have hit Bugtraq), and probe for cross-site scripting and SQL injection vulnerabilities.

Second, there are the source-code scanning tools, of which Coverity and Fortify are probably the two best known. These are tools you install on a developer's desktop to process your Java or C# source code and look for well-known patterns of insecure code, like poor input validation.

Finally, there are the penetration test tools. By far the most popular web app penetration testing tool among security professionals is Burp Suite, which you can find at http://www.portswigger.net/proxy. Others include Spike Proxy and OWASP WebScarab. Again, you'll install this on an internal Windows desktop. It will run as an HTTP proxy, and you'll point your browser at it. You'll use your applications as a normal user would, while it records your actions. You can then go back to each individual page or HTTP action and probe it for security problems.

In a complex environment, and especially if you're considering anything DIY, I strongly recommend the penetration testing tools. Here's why:

Commercial web scanners provide a lot of "breadth", along with excellent reporting. However:

  • They tend to miss things, because every application is different.

  • They're expensive (WebInspect starts in the 10's of thousands).

  • You're paying for stuff you don't need (like databases of known bad CGIs from the '90s).

  • They're hard to customize.

  • They can produce noisy results.

Source code scanners are more thorough than web scanners. However:

  • They're even more expensive than the web scanners.

  • They require source code to operate.

  • To be effective, they often require you to annotate your source code (for instance, to pick out input pathways).

  • They have a tendency to produce false positives.

Both commercial scanners and source code scanners have a bad habit of becoming shelfware. Worse, even if they work, their cost is comparable to getting 1 or 2 entire applications audited by a consultancy; if you trust your consultants, you're guaranteed to get better results from them than from the tools.

Penetration testing tools have downsides too:

  • They're much harder to use than fire-and-forget commercial scanners.

  • They assume some expertise in web application vulnerabilities --- you have to know what you're looking for.

  • They produce little or no formal reporting.

On the other hand:

  • They're much, much cheaper --- the best of the lot, Burp Suite, costs only 99EU, and has a free version.

  • They're easy to customize and add to a testing workflow.

  • They're much better at helping you "get to know" your applications from the inside.

Here's something you'd do with a pen-test tool for a basic web application:

  1. Log into the application through the proxy.

  2. Create a "hit list" of the major functional areas of the application, and exercise each once.

  3. Use the "spider" tool in your pen-test application to find all the pages and actions and handlers in the application.

  4. For each dynamic page and each HTML form the spider uncovers, use the "fuzzer" tool (Burp calls it an "intruder") to exercise every parameter with invalid inputs. Most fuzzers come with basic test strings that include:

     • SQL metacharacters

     • HTML/Javascript escapes and metacharacters

     • Internationalized variants of these to evade input filters

     • Well-known default form field names and values

     • Well-known directory names, file names, and handler verbs

  5. Spend several hours filtering the resulting errors (a typical fuzz run for one form might generate 1000 of them) looking for suspicious responses.

This is a labor-intensive, "bare-metal" approach. But when your company owns the actual applications, the bare-metal approach pays off, because you can use it to build regression test suites that will run like clockwork at each dev cycle for each app. This is a win for a bunch of reasons:

  • Your security testing will take a predictable amount of time and resources per application, which allows you to budget and triage.

  • Your team will get maximally accurate and thorough results, since your testing is going to be tuned to your applications.

  • It's going to cost less than commercial scanners and less than consultants.

Of course, if you go this route, you're basically turning yourself into a security consultant for your company. I don't think that's a bad thing; if you don't want that expertise, WebInspect or Fortify isn't going to help you much anyway.
