Cyberattacks are a daily occurrence and the concomitant costs for organizations are escalating. However, you can mitigate cyber disaster with free website security tools that will help you to identify website vulnerabilities and keep your visitors safe, or rather … safer.
One would think large enterprises have the means and opportunity to monitor their applications for website vulnerabilities. But, apparently not. Just a few examples:
- The ego-deflating 2013 Yahoo breach occurred as a result of a cookie-forging attack that allowed hackers to authenticate as any other user without their password. Analysts argue that Yahoo could have prevented the damage had it taken faster actions against the intruders.
- The headline grabbing Panama Papers attack was a result of at least two failures to keep software updated:
- An out-of-date version for their image slider plugin on WordPress
- A three-year-old version of Drupal which contained several known vulnerabilities
- It took a 17-year-old programmer to point out a Cross-Site Request Forgery on Flickr. Once notified, it took Flikr just 12 hours to fix the flaw.
See also: The largest data breaches in history
While no security system–even your home security–is foolproof, regular website scans can go a long way towards safeguarding against opportunistic attacks on your virtual assets. Take American Fuzzy Lop (AFL), an open-source fuzzer developed by Michał Zalewski of Google. It has helped to find vulnerabilities in various popular web applications, including Firefox, Flash, LibreOffice, Internet Explorer, and Apple Safari.
Tips for using free website security tools
Many of the free website security tools reviewed here have similar features and functionality. Often it is a case of comparing apples to pears. No offense to top security vendor Sucuri, but even they have difficulty distinguishing their product from others:
“A few other security plugins provide activity monitoring features, but few do them well […] We’ve narrowed the key features we felt were most pertinent to any website owner.”
For this reason, we have categorized these tools and noted the key benefits and disadvantages of each. Some categories do overlap; most notably the vulnerability scanning and penetration testing tools.
You will notice the list of free tools includes some that are used specifically to scan web applications. What is the difference between a website and an application? Ben Shapiro from Segue Technologies provides the comprehensive long answer. If you want the short answer, stackoverflow puts it succinctly:
“[A website] is a collection of documents that are accessed via the internet through a web browser. Web sites can also contain web applications, which allow visitors to complete online tasks such as: Search, View, Buy, Checkout, and Pay.”
The important thing is that you should take an holistic approach when testing your website. If in doubt, just test everything. Free website security tools make it easy and cost you nothing but your time.
- Develop a test strategy: Most website security tools work best with other types of security tools. A good example is the area of penetration testing. Administrators normally employ vulnerability scanners before utilizing a penetration testing tool for specific targets, e.g. network ports or applications. For instance, Wireshark is both a network analyzer and penetration testing tool.
An all-purpose vulnerability scanner is probably the best place to start. But, if you are primarily interested in scanning your developers’ code, head over to the static source code analyzers section below. Want to check how secure your passwords are? We have sourced some free password cracking tools for you too.
- One size does not fit all: All free website security tools have advantages and disadvantages and there is rarely a one-size-fits-all solution. For instance, as an analyzer tool, top-rated network scanning tool Wireshark does the same job as the Fiddler tool, and more effectively. However, Wireshark cannot sniff traffic within the same machine (localhost) on Windows. If you need to sniff local traffic on Windows, you have to use Fiddler.
- Analyzing results: Do not trust the results of one scan! We tested a number of scanners on both safe and unsafe sites and the results were markedly different. That brings us to false positives. These can be annoying but bear in mind that they are better than false negatives. Something as simple as a configuration change or a software update could trigger an alert that should be checked out.
- Get free support: If you want to use free tools, you should ideally have some security knowledge as most free tools do not have customer support; you have to do all the dirty work yourself. Alternatively, visit The Joomla! Forum, Ubuntu Forums, ASP.NET, MBSA, or Bleeping Computer to post your questions and search for solutions.
- Keep it fresh: The downside to free tools is that they may not be regularly updated with the latest known vulnerabilities. Always check the date of the latest version released.
What you need to know about free website security tools
There are three main types of tools associated with application vulnerability detection:
- Black Box Testing – Method of software testing that examines the functionality of an application without examining its internal structures. Testing focuses on what the software is supposed to do, not how. Included in this category are vulnerability scanners, web application security scanners, and penetration testing tools.
- White Box Testing – Method of testing software that focuses on the internal structures of an application at the source code level, as opposed to its functionality. Static source code analyzers and penetration testing tools fall into this category. With penetration testing, White Box testing, according to Wikipedia, refers to a methodology where a White Hat hacker has full knowledge of the system being attacked. The goal of a White Box penetration test is to simulate a malicious insider who has knowledge of and possibly basic credentials for the target system.
- Gray Box Testing – In cyberspace, the line demarcating the categories has blurred, giving birth to this new model of testing which combines elements of both Black and White Box methods.
Common website vulnerabilities
The well-respected Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. It is the emerging standards body for web application security and annually publishes a list of top 10 website vulnerabilities for a given year.
For each vulnerability, we have included a link to a site that will give you more technical details if you are interested.
- SQL injection – Code injection technique in which malicious SQL statements are inserted into an entry field for execution. The technique is used to manipulate (e.g. download) or corrupt data. It targets user input that is not properly validated and escaped. An attacker can exploit this vulnerability by replacing user input with their own commands, which are sent directly to the database. Example: The Philippines’ Commission on Elections breach.
- Broken Authentication and Session Management – Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently.) Example: The 17 Media Breach.
- Cross site scripting (XSS) – This attack comes in multiple flavors. At its most basic, it enables attackers to inject client-side scripts into web pages viewed by other users. It relies on an underlying concept of trust known as the same-origin policy, which says that if content from one site is granted permission to access resources on a system, then any content from that site will share these permissions. After breaching a trusted site, attackers can include their malicious content in the content that is delivered to the client-side site and gain access to its information treasures. Example: EBay’s stored XSS.
- Broken access control – Attackers can use leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users. Example: Adult Friend Finder breach.
- Security configuration flaws – This is a result of “incorrectly assembling the safeguards of the web application” leaving a breachable security hole in a server, database, framework, or code. Example: The Mexican Voters Breach.
- Sensitive data exposure – Many web applications and APIs do not properly protect sensitive info, such as financial or healthcare data. Attackers may steal or modify weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. Example: The Indian Institute of Management breach.
- Insufficient attack protection – The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks. Example: The Three breach.
- Cross site request forgery (CSRF) – Forces an end user to execute unwanted actions on a web application in which they’re currently authenticated without their knowledge. By luring a user to an attacker-controlled website, a hacker can modify a user’s requests to the server. Example: Facebook attack.
- Using components with known vulnerabilities – Components, such as libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Example: Mossack Fonesca (Panama Papers) breach.
A vulnerability scanner is specialized software that scans your network, system or servers to identify bugs, security holes and flaws. It automatically tests a system for known vulnerabilities. It first identifies open ports; active Internet Protocol (IP) addresses and logons; and operating systems, software and active services. It then compares the information it finds against known vulnerabilities in its database or a third-party database. To the man in the street, it works much the way garden variety antivirus software does, but is a lot more sophisticated. For instance, the best vulnerability scanners are smart enough to include patch management and penetration testing components. There is some overlap between vulnerability scanners and penetration testing tools. The latter use vulnerabilities discovered by the scanners to perform breaches and prove the capability to compromise the vulnerability. The following are all totally free tools.
OpenVAS is a scanning security kit comprised of various services and tools. The scanner itself doesn’t work on Windows machines but there is a client for Windows. It receives a feed, updated daily, of 30000+ Network Vulnerability Tests (NVT). The tool was forked from the last free version of Nessus, another vulnerability scanner, after it went proprietary in 2005. The German Federal Office for Information Security (BSI) uses OpenVAS as part of their IT security framework.
- Massive vulnerabilities database
- Concurrent scan tasks capability
- Scheduled scans
- False positive management
- Free for unlimited IPs
- Good all-rounder
- Not the easiest tool to install for newbies
- Main component – the scanning engine – requires Linux
MBSA scans Microsoft desktops and servers for missing security updates, security patches, and common security mis-configurations.
- User-friendly interface allows you to scan local or remote machines; select a single machine to scan, or choose an entire domain or specify an IP address range; and choose exactly what you want to scan for, e.g. weak passwords or Windows updates
- Provides specific remedial suggestions when vulnerabilities are found
- Active forum provides quality support
- Does not scan non-Microsoft software
- Does not scan for network-specific vulnerabilities
Aimed at small businesses as well as individuals that use multiple computers connected to a local network, Nexpose can scan networks, operating systems, web applications, databases, and virtual environments. It integrates with the popular Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Involved is a very active community of penetration testers and security researchers who are driving the development of these exploits that are then turned into vulnerability definitions.
- Includes a nice option to set policies to define and track your required compliance standards
- Enables detailed visualizations of scanned data
- Can be installed on Windows, Linux, or virtual machines
- Free version is limited to 32 IPs at a time
TripWire calls its SecureCheq a configuration evaluator utility. It tests for about two dozen critical but common configuration errors related to OS hardening, Data Protection, Communication Security, User Account Activity, and Audit Logging. This free tool would work best in conjunction with a more robust scanner, like the Microsoft Baseline Security Analyzer (MBSA).
- Easy to use for beginners
- Provides detailed remediation and repair advice
- Only does local scans on Microsoft machines
- Free version of this tool only provides about a quarter of the settings of the paid version
Lightweight scanner that can be used to evaluate the state of your website vulnerability and help you make a decision about what level of protection you need going forward. A trusted name, Qualys was the first company to deliver vulnerability management solutions as applications through the web using a “software as a service” (SaaS) model.
- Perimeter scanning Web application scanning
- Malware detection
- Limited to ten unique security scans of internet accessible assets
Simple, lightweight tool that scans for basic web application vulnerabilities. It is aimed at developers who want to customize small scans during the coding process.
- Useful for small websites
- No GUI
- Reports in XML only
- Tends to be a bit a bit slow
Performs Black Box testing of web applications. It does not review the source code of the application but will scan the web pages of a deployed application, looking for scripts and forms where it can inject data. Armed with this data, it acts like a fuzzer, injecting payloads to see if a script is vulnerable.
- Generates vulnerability reports in various formats (e.g. HTML, XML, JSON, TXT)
- Can suspend and resume a scan or an attack
- Can highlight vulnerabilities with color in the terminal
- Command line interface
- Can produce multiple false positives
This is a web application attack and audit framework that can be used in conjunction with penetration testing tools. Sponsors include Openware (now Globant), Cybsec, Bonsai, and Rapid7. The company is an enthusiastic contributor at T2 Infosec conferences, dedicated to those who are interested in the technical aspects of information security.
- Popular, well-supported open-source application
- Easy-to-use GUI
- Easily extendable
- Identifies over 200 vulnerabilities
- Uses w3af plugins, which are pieces of Python code that extend the framework functionality by providing new ways to extract URLs or find vulnerabilities
- Compatible with all Python supported platforms
- Supports Windows but not officially
Penetration testing software
A penetration test (pen test) is an authorized simulated attack on a computer system that looks for unknown security weaknesses. A pen test tool essentially emulates a hacker with the ultimate goal being to test the organization’s defense capabilities against the simulated attack. During a pen test, a mixture of automated scans and manual exploitation techniques are used. For example, an automated tool like Nmap, which provides basic network discovery, can be used within an exploitation framework (e.g. Metasploit).
Pen testing requires highly specialized skills. To get started, PentesterLabs offers free training exercises and below you will find a list of open source and free tools to get you started.
Integrated pen testing tool for finding vulnerabilities in web applications. It functions as a proxy between a user’s web browser and an application to enable both automated and manual security testing of web applications. Can help developers automatically find security vulnerabilities in web applications while they are developing them. Also used by pen testers for manual security testing by inputting a URL to perform scanning, or using the tool as an intercepting proxy. Between 2013 and 2016, Zap was voted either first or second every year in the ToolsWatch Annual Best Free/Open Source Security Tool Survey.
- Completely free
- Easy to install
- Typically run as an interactive UI and acts as an intercepting proxy, so you can change requests dynamically
- Primarily designed to help you find security vulnerabilities manually
- Not really intended to run as a purely automated scanner
This tool is categorized as a proxy server application. It is primarily used to intercept and decrypt HTTPS traffic. Users can fiddle with and inspect that traffic to identify vulnerabilities in the application. Watcher is a Fiddler addon, designed to assist penetration testers in passively finding web application vulnerabilities.
- Debug traffic from PC, Mac or Linux systems and mobile (iOS and Android) devices
- Can capture local traffic by using the machine’s name as the host name rather than ‘localhost’
- Only supported on Windows
Framework that enables pen testers to access and execute proven exploits, which are stored in Metasploit’s database. The framework has the world’s largest database of public, tested exploits. It has consistently ranked among the top ten security application tools since its inception. The Meterpreter displays the results after an exploit has occurred.
- Large exploits database
- Extensive collection of tools to perform tests
- Command line interface
Kali Linux is the ultimate tool for offensive pen testing and one of the most popular security frameworks in the industry. However, according to the developers, it is “NOT a recommended distribution if you’re unfamiliar with Linux or are looking for a general-purpose Linux desktop distribution for development, web design, gaming, etc.”
- Incorporates more than 300 penetration testing and security auditing programs
- Will not work in a VM unless you use an external USB wireless dongle
Network scanners map your entire network and determine what is connected to it. They can look for hosts and open ports, and identify all software and hardware versions in use. Check out the following free tools.
Used for network discovery and security auditing. Uses raw IP packets in novel ways to determine what hosts are available on the network, what services they offer, what operating systems they are running, and what type of packet filters / firewalls are in use. It can be used to provide information to plan pen testing attacks. Fun fact: Nmap was (apparently) featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.
- Includes command line and GUI versions
- Runs on all major operating systems such as Windows, Linux, and Mac OS X
- Zenmap is the official Nmap GUI, which makes it easier for beginners to get started
- No proxy scanning
- As a port scanner, it can be “loud.” Port scanners require generating a lot of network traffic. There is an inverse relationship between stealth and speed so port scanners can slow a network down and / or stand out on the network like the proverbial elephant in the room, i.e. be “loud.”
Network protocol and data packet analyzer and pen testing tool with a powerful filtering system. Wireshark has a huge army of volunteer networking experts around the globe.
- Allows users to specify what kind of traffic they want to see, e.g. only TCP packets
- Can capture packets from VLAN, Bluetooth, USB and other types of network traffic Available for almost any platform, including Linux, Windows, Mac, Solaris, and OpenBSD
- Powerful filter options in easy-to-use GUI
- Steep learning curve unless you have some understanding of TCP/IP networks
Static source code analyzers
Static code analyzers automate the checking of code quickly without actually executing the code. Because they only look at the source code of an application, you do not have to set up your whole application stack to use them. These tools are usually language-specific and can assist developers in identifying security issues. Unit testing and code reviews complement static code analysis. The biggest drawback to these free tools is that they often generate many false positives.
Works with C++, C#, VB, PHP, PL/SQL, and Java.
- Searches for specific violations of OWASP recommendations
- Allows custom query configurations so you can add additional functions
- Has a set list of vulnerabilities that cannot be modified
Eclipse plugin that detects vulnerabilities of untrusted data injection in Java EE Applications. It works by looking for a “vulnerability sink” from a vulnerability source. The source of a vulnerability refers to the injection of untrusted data, e.g. in the parameters of an HTTP request or a cookie. The term “sink” refers to the process of data modification to manipulate the behavior of an application, e.g. a HTML page.
- Tests validation logic without compiling the code
- Doesn’t identify compilation errors
- Limited to Eclipse IDEs
Interrogates Ruby on Rails code. It is used by Twitter, GitHub, and Groupon.
- Easy setup and configuration
- Fast scans
- Can show a high rate of false positives
According to RIPS, “By tokenizing and parsing all source code files, RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities, RIPS offers an integrated code audit framework.” In 2016, a rewritten version of RIPS was released as a commercial product by RIPS Technologies, a high-tech company based in Germany.
- Easy setup and configuration
- Fast scans
- Free version is limited and only supports 15 vulnerability types
Analyzes managed code assemblies (code that targets the .NET Framework common language runtime.) This is a good example of how to utilize complementary tools in your toolbox. FxCOP, according to excella, works best in conjunction with a static code analyzer tool like StyleCop because both tools have different code analysis approaches. “StyleCop runs against C# source code but cannot analyze VB.NET or another .NET language source code. FxCop runs against .NET compiled binaries but cannot analyze source code and aspects like the proper use of braces, whitespace, or comments.”
- Assembly metadata works with code created in any .NET language
- Extensive set of rules available out of the box
- Limited to assembly metadata
- Only produces one type of report
Bandit is a security linter (a program that scans source code and flags any constructs that are likely to be bugs) for Python source code, utilizing the ast module from the Python standard library. The ast module is used to convert source code into a parsed tree of Python syntax nodes. Bandit allows users to define custom tests that are performed against those nodes.
- Extremely customizable, e.g. various plug-ins can be turned off, or certain directories can be excluded from scans
- Users can also write their own customized plug-ins
- No GUI
Fuzz testing (fuzzing) is used to identify coding errors and security vulnerabilities. It involves inputting large amounts of random data in an attempt to make an application or network crash.
An open source, coverage-assisted fuzz testing tool developed by Michał Zalewski of Google. He describes his tool as “a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm.” AFL has found vulnerabilities in various popular web apps, including Firefox, Flash, LibreOffice, Internet Explorer, and Apple Safari.
- What Zalewski calls a “hip, retro-style UI”
- Proven efficacy
- You have to be a little retro yourself to truly appreciate the (old-fashioned) GUI
A popular fuzzing engine and fuzz testing framework consisting of multiple extensible components. What makes it different from other fuzzers is that it is not purely a data generation tool. It detects, tracks and categorizes detected faults; can fuzz in parallel, significantly increasing test speed; and can automatically determine what unique sequence of test cases trigger faults. Boofuzz is a fork of the Sulley fuzzing framework.
- Fully automated – after causing a breakdown, it can automatically reset the system back to a state of normality and then continue fuzzing a new test case
- No recent version updates
Password cracking tools
These free tools are used by security administrators to find weak and vulnerable passwords that could easily be compromised by a hacker. The three most common password attacks are:
- Dictionary: Uses a supplied file that contains a list of dictionary words.
- Brute-force: Using a dictionary list, systematically tries all possible combinations for a password. Unless the attacker gets lucky, this process could take a while, particularly for long passwords that use a combination of letters, numbers, and symbols.
- Rainbow table: Most databases store cryptographic hashes of users’ passwords in a database. No one can determine a user’s password simply by looking at the value stored in the database. When a user enters his or her password, it is hashed and that output is compared to the stored entry for that user. If the two hashes match, access is granted. A hash table is a kind of reference table used by hackers. These pre-computed password hashes are stored in the table to reduce the length of time needed to crack a password. Rainbow tables go a step further by reducing the size of the hash table, making them more efficient.”
THC Hydra is a network login hacking tool that uses dictionary or brute-force attacks to try various password and login combinations against a login page.
- Supports a wide set of protocols including mail (POP3, IMAP, etc.), LDAP, SMB, VNC, and SSH
- Supports most major platforms
Brute-force attack tool that can be used during penetration testing.
- Crowbar can use SSH keys instead of the typical username and password combination
- Command line only
Uses the dictionary attack technique. It is a good all-rounder comprising a suite of various password cracking combinations.
- Ability to auto-detect password hash types
- Supports most major platforms
Windows password cracker based on rainbow tables.
- Includes brute-force module for simple passwords
- Supports most major platforms
WordPress security tools
Specialized security tools for WordPress websites can be sourced at wordpress.org. WordPress is so popular that there are plenty of reviews for plugins, providing a fairly objective overview of a tool’s features. Let us look at a few of the most popular offerings.
Includes login security; IP blocking features; security scanning for malware and “backdoors”; firewall protection; and extensive monitoring options.
Described by the developers as the #1 WordPress security plugin. However, read the negative reviews before downloading this plugin. One eagle-eyed reviewer pointed out that when iThemes found themselves compromised and subsequently attacked in 2016, they deployed a new website firewall from rival Sucuri. Does that matter? You be the judge.
The best thing Sucuri Security is that all features are free. The premium plugin was deprecated back in 2014 and all the major features were merged into the free plugin.
Online website scanning tools
Online free tools are fast and easy to use. While they are not guaranteed to conclusively identify your website’s vulnerabilities, they can help you pinpoint areas that need further investigation.
Enter your website address for a free summary of potential website vulnerabilities. Checks for known malware, blacklisting status, website errors, and out-of-date software.
- No need to enter your email address to receive results
Includes comprehensive list of website issues, including performance, SEO, and security.
- Provides more information than other tools. Takes a little longer to scan (but that is good, right?)
- No need to enter your email address but you can request that results are emailed to you
- You need to sign up for a 30-day free trial to learn how to fix serious issues
- Limited to one scan a day
Performs a deep analysis of the configuration of SSL web servers.
- No need to register
- Provides a comprehensive list of SSL obsolescence and compatibility issues
Scans web page to see if it is malicious or not.
- Will scan only a single page at a time
Does not attempt any attack sequences or other malicious activity; it simply makes some benign requests to see how the site responds.
- ASafaWeb has a dedicated not-so-safe site purely for demo purposes at notasafaweb.apphb.com which you can scan and view the results
This free tool tests website headers. According to the developer, the HTTP response headers that this site analyses provide huge levels of protection. For instance, Content Security Policy (CSP) is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
- Fast and provides full description of the missing headers and how to fix any issues
Where to next?
Visit the Web Application Vulnerability Scanner Evaluation Project (wavsep) website. Wavsep is an evaluation platform that contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners. You can view the analyses of how various scanners, both free and commercial, tested against wavsep here. The results indicate how accurate these scanners are in identifying common website vulnerabilities and how many false positives they threw up in benchmark tests. You will find many of the free tools mentioned in this post on the Wavsep site.