Ethical Hacking
  • Introduction to Information Security
    • What is Hacking?
    • Type of Hacking
    • Exercise
    • Uses of Proxy Servers
    • Summary Proxy & VPN
    • Summary
  • Gathering Information About Websites
    • Gathering Information
    • Gathering Targeted Information
  • Google Droks
  • Introduction to Web Architecture and Understanding Common Security Misconceptions
    • Web Servers
    • Web Server Architecture
    • Web Server Architecture Combinations
  • VA & PT
    • OWASP
    • SQL Injection
    • Advanced SQL Injections
    • Burp Suit
      • Client Side Validation Burp Suite Bypass
      • Client Side Validation Burp Suite Bypass
      • GET Based IDOR in URL
      • Post Based IDOR Variant
      • GET Based IDOR in URL
      • Post Based IDOR in URL
      • Download based
  • Arbitrary File Upload Vulnerabilities
    • Server Side Attack
    • Server Side Attack
    • Client Side Attack
  • Understanding Response Headers
    • Event Listeners
  • Fundamentals of Cross Site Scripting (XSS)
    • Temporary XSS
  • Understanding Forced Browsing and Session-Cookie Flaws
    • Forced Browsing
    • Cross Site Request Forgery
    • Open Redirection
  • Dictionary Based Brute Force Attacks
    • Dictionary Based Bruteforcing
    • Logical Bruteforcing
    • PII Leakage Variant
  • Identifying Security is configurations and Exploiting Outdated Web Applications
    • Information Disclosure via Descriptive Messages
    • Default Debug Pages
    • How to guess password for a standard login page
    • Default/Weak Password in Custom CMS
    • Fingerprinting Components with Known Vulnerabilities
    • Finding Exploits for Components with Known Vulnerabilities
    • Default/Weak Password in Public Software
    • Vulnerable Components Installed
    • Vulnerable Components Installed 2
    • Vulnerable Components Installed 3
  • Scanning for Bugs in WordPress and Drupal
    • What is CMS?
    • Variant 1
    • Vulnerable CMS
    • How to Scan Drupal CMS for Known Vulnerabilities?
    • Joomla CMS
  • Automating VAPT and Secure Code Development
    • information gathering
    • Nmap Scans
    • Automating VAPT:
  • POC
    • Recommendations for Documenting a Vulnerability
    • PoC
    • Types of Reports
    • Recommendations for OWASP Top 10 Vulnerabilities
    • Components of a VAPT Report
    • Vulnerability Information (for each vulnerability)
    • Bad Practices to Avoid While Writing a Report
Powered by GitBook
On this page
  1. Automating VAPT and Secure Code Development

Automating VAPT:

Here is a list of some tools that are used for automating VAPT:

  • Burp Suite Pro - Complete overall semi-automated VAPT for technical flaws such as SQLi, XSS, Command injection, CSRF, etc.

  • Acunetix - Completely automated VAPT with minimal human intervention (like for login pages) for overall bugs - technical or non technical.

  • Nikto - Free open-source tool which is a bit old and is mainly used to find configuration issues on the web server.

  • OWASP ZAP Proxy - Similar to Burp Suite, but available free of cost.

  • Nessus - Completely automated VAPT for network-based and server-based vulnerabilities.

  • Metasploit - One of the most widely used free tool containing various semi-automated modules to check for and exploit vulnerabilities.

Since massive amount of research and testing goes into developing these tools, most of these are paid. But, most paid tools also have a free to use alternative. This alternative may not be as user friendly as the paid version and may not generate impressive reports, but they can give you a hint of where to do manual attacks. BurpSuite community version that we have used in this training is a free alternative for the paid version called BurpSuite Pro.

PreviousNmap ScansNextPOC

Last updated 1 year ago