Testing Web Applications: Since web applications are complex, the use of specialized software to analyze or test an application may be necessary. Some of these software packages are included here.
Burp Suite is a Java-based application used to test and attack web application. Upon closer inspection the software is actually a collection of tools used to check various parts and features of an application.
Burp Suite offers a robust combination of tools that can be used both manually and automatically to check the application.
The tools can enumerate, analyze, scan, attack, and exploit holes in the web application.
Burp Suite includes tools that can perform all of the following:
Proxy: The proxy function allows the user traffic between the browser and the web application by configuring the web browser to use Burp Suite as a proxy. When in use, the software allows the interception, viewing, and alteration of traffic between the browser and server.
Spider: This tool can map out a web a application, generating in inventory of the application’s structure.
Scanner: When put to see, the scanner can discover vulnerabilities in a web application. In many cases it is not as robust as a dedicated vulnerability scanner, but it is still effective.
Intruder: This is an automated and fully customization attack tool for web application.
Repeater: This is a tool for manually modifying and reissuing individual HTTP requests and analyzing the response to each.
Sequencer: This specific feature is very useful for testing web application for their susceptibility to session hijacking by inspecting tokens for randomness.
Vega Web Application Scanner: Included in Kali Linux 2.0 is a scanner designed to evaluate a web application. Vega is capable of detecting SQL injection issues, XSS, disclosure of sensitive information, and more.
While it is present and installed on Kali Linux, it is available on Windows and OS X as well because it is Java based.