The Web Security Toolbox
Web security work relies on a small set of tool categories that recur across almost every engagement: proxy-based interception tools for manipulating HTTP traffic, static and dynamic scanners for automated vulnerability discovery, dependency and secret scanners for supply-chain hygiene, and network/reconnaissance tools for mapping attack surface. Knowing which tool fits which job — and understanding that no single tool replaces manual analysis — is the difference between a checklist exercise and genuine security assurance.
Cricket analogy: A team carries a specific kit for each condition — a pink ball for day-night Tests, spikes for a grassy pitch, extra sunscreen for a hot afternoon session — the same way a security engineer picks the right tool (proxy, scanner, or recon tool) for the specific job at hand.
Intercepting Proxies: Burp Suite and OWASP ZAP
Burp Suite and OWASP ZAP sit between the browser and the target application as a man-in-the-middle proxy, letting a tester view, intercept, and modify every HTTP request and response in real time — essential for testing things like parameter tampering, hidden form fields, or manipulating a JWT before it's sent. Burp's Repeater tool lets a tester resend a modified request repeatedly to probe how the server reacts to different payloads, while its Intruder tool automates sending many payload variations (SQLi test strings, XSS payloads) against a single injection point to find which ones trigger anomalous responses.
Cricket analogy: A coach reviewing ball-by-ball footage frame by frame to see exactly how a batter's technique broke down on a specific delivery mirrors how Burp's Repeater lets a tester resend and inspect a single request over and over to see exactly how the server reacts.
# Example: using Burp Suite's Intruder via command-line automation (ffuf) as a lighter alternative
# Fuzzing a login endpoint for SQL injection payloads at the "username" parameter
ffuf -u https://target.example.com/api/login \
-X POST \
-d 'username=FUZZ&password=test123' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-w sqli-payloads.txt \
-mc all -fc 400 \
-o results.json
# sqli-payloads.txt contains lines like:
# ' OR '1'='1
# admin'--
# 1; DROP TABLE users--
Automated Scanners: SAST, DAST, and Dependency Scanning
Static Application Security Testing (SAST) tools like Semgrep, SonarQube, or CodeQL scan source code without running it, catching patterns like SQL string concatenation or use of insecure crypto functions early in the pipeline. Dynamic Application Security Testing (DAST) tools like OWASP ZAP's active scanner or Nikto instead crawl and attack a running application from the outside, catching runtime issues like misconfigured headers or reflected input that only manifest when the app is actually serving requests — the two approaches are complementary, not interchangeable, because SAST misses runtime configuration issues and DAST misses code paths it never triggers through the UI.
Cricket analogy: A team analyzes a bowler's action on video before the match (SAST-like, examining the mechanics in isolation) and separately reviews how that bowler actually performed against a live batting lineup (DAST-like, testing behavior under real conditions).
Use SAST early (pre-commit, PR gate) because it's fast and cheap to run on every change; use DAST later (staging, nightly) because it requires a running environment and takes longer, but catches issues SAST structurally cannot see, like misconfigured HTTP security headers.
Reconnaissance and Network Tools
Nmap remains the standard for network and port scanning, identifying open services and their versions on a target host, which is often the first step in mapping an attack surface before deeper application testing begins. For web-specific reconnaissance, tools like Amass or Subfinder enumerate subdomains to find forgotten staging environments or admin panels, while gobuster or ffuf brute-force hidden directories and files that aren't linked from the main site but are still reachable.
Cricket analogy: A scout watching an unfamiliar opposition team's net sessions before the series to map their strengths and weaknesses is exactly the reconnaissance phase Nmap and subdomain enumeration perform before an actual security test begins.
Never run Nmap, ffuf, Burp's active scanner, or any intrusive tool against a target you do not have explicit written authorization to test — port scanning and directory brute-forcing against systems you don't own or have permission to test can violate computer misuse laws even without any data being accessed.
- No single security tool covers every phase of an assessment — interception, scanning, and reconnaissance each require different tools.
- Burp Suite and OWASP ZAP are intercepting proxies that let testers view and modify HTTP traffic in real time; Repeater isolates single requests, Intruder automates payload variation.
- SAST tools (Semgrep, CodeQL) analyze source code statically and run fast enough for every PR; DAST tools (ZAP active scan, Nikto) test a running application and catch runtime-only issues.
- SAST and DAST are complementary, not interchangeable — each catches vulnerability classes the other structurally misses.
- Nmap, Amass, and ffuf perform reconnaissance to map attack surface (open ports, subdomains, hidden directories) before deeper testing.
- Dependency and secret scanners (npm audit, gitleaks) address supply-chain risk that application-layer scanners don't cover.
- Always confirm explicit written authorization before running any intrusive tool against a target system.
Practice what you learned
1. What is the primary difference between Burp Suite's Repeater and Intruder tools?
2. Why are SAST and DAST considered complementary rather than interchangeable?
3. What is the purpose of subdomain enumeration tools like Amass or Subfinder?
4. Why should SAST tools generally run earlier in the pipeline than DAST tools?
5. What must be confirmed before running an intrusive tool like Nmap or ffuf against a target?
Was this page helpful?
You May Also Like
Secure Coding Checklist
A practical, enforceable checklist covering input validation, authentication, authorization, dependency hygiene, and CI gating for shipping secure code by default.
Penetration Testing Basics
The fundamentals of penetration testing — how it differs from scanning, the standard engagement phases, and the black-box/gray-box/white-box testing spectrum.
Web Security Quick Reference
A fast-lookup cheat sheet of the OWASP Top 10, core HTTP security headers, and vulnerability-to-fix mappings for use during code review or interview prep.