In this section, we'll take a look at the different tools used by security professionals to perform web application penetration tests.

The most important tool for testing web applications is the HTTP Proxy. This tool allows you to intercept all the communication between the browser and the server in both directions. These proxies are called man-in-the-middle proxies. These tools will let us understand how an application works, and most importantly, it will allow us to intercept the requests, responses, and modify them.

Usually, the proxy will run in the same machine as the browser you're using for testing the application. The most used HTTP proxies by security professionals are Burp Suite from PortSwigger security (https://portswigger.net/burp/proxy.html) and Zed Attack Proxy (ZAP) (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project). We also have the MITM proxy. It is a newer alternative developed in Python and is good to build tools or automate certain scenarios. The downside is that it's the only console, and there is no GUI, which for our purposes, is a benefit.

Crawlers and spiders are used for mapping web applications, automating the task of cataloging all the content and functionality. The tool automatically crawls the application by following all the links it finds, submitting forms, analyzing the responses for new content, and repeating this process until it covers the whole application.

There are standalone crawlers and spiders such as Scrapy (http://scrapy.org), which are written in Python or command-line tools such as HT track (http://www.httrack.com). We have crawlers and spiders integrated with the proxies such as Burp and ZAP that will benefit from the content that has passed through the proxy to enrich knowledge about the app.

One good example on why this is valuable is when the application is heavy on JavaScript. Traditional crawlers won't interpret JS, but the browsers will. So, the proxy will see it and add it to the crawler catalog. We'll see Scrapy in more detail later.

Now, let's step into more complex tools: the vulnerability scanners.

These tools are considered more complex as they have to automate most of the security testing methodology in one tool. They will do the crawling, discovery, vulnerability detection, and some of the exploitation. The two most used open source web application security scanners are w3af (http://w3af.org/), which is written in Python, and Arachni (http://www.arachni-scanner.com/), which is written in Ruby.

There are multiple commercial alternatives such as Acunetix (http://www.acunetix.com/), which is one of the cheapest and provides good value for money.

Web brute forces or discovery tools are used to find content such as files, directories, servlets, or parameters through dictionary attacks. These tools use word lists which have been put together by security professionals during the last 10 years, which contain known filename directories or just words found in different products or web applications.

The precursor for these types of tools was DIRB (http://dirb.sourceforge.net/), which is still available and maintained by Dark Raver. Another great alternative is Wfuzz (http://www.edge-security.com/wfuzz.php), which I developed in the past and is now maintained and developed by Xavier Mendez. You can find this tool in Kali, the most used penetration testing distribution.

Tools such as Burp and ZAP provide these capabilities. All these tools benefit from word lists such as the ones provided by FUZZDB (https://github.com/fuzzdb-project), a database of wordlists for web application testing. We'll see how to build a tool for this purpose similar to Wfuzz.

We have a vast array of tools that are focused to specific tasks such as encoders and hashers, Base 64, MD5, SHA1, and Unicode.

Tools that are created to exploit a specific type of vulnerability are, for example, SQL injectors such as SQL map, XSS consoles such as Beef to demonstrate the impact of a XSS and DOM XSS, scanners such as Dominator, and many more. Also, an important type of tool in the tool kit is the post exploitation tool.

These tools are needed once you manage to exploit a vulnerability and help you to control the server, upload files, Shells, proxy content to the internal network, and expand your attack internally. There are many other tools to overcome the infinite challenges we find while testing new applications and technologies.