Web Server Stress Test Tool Open Source

  1. Reason: Testers had performed multiple automated functionality tests on the web application, but no stress test. In that situation, we need a tool to stress test the web application. You can pick any of the following open source tools to improve your web application's performance: Siege, Locust.io.
  2. All in all, Webserver Stress Tool is a very nice application for performing a wide range of stress tests for your webserver.
  3. Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration.
  4. Microsoft offers this excellent tool for free, and you can download it from Microsoft Technet. It’s even open source, so you can download and inspect or modify the source code from GitHub. Diskspd has been tested to work on desktop versions of Windows 7, 8, 8.1, 10, as well as Windows Server 2012, 2012 R2, and 2016 Technical Preview 5.

Even the most novice among website owners has at some point or other tested their website performance. However, most of these tests normally focus on loading speed or user experience indices.

But what about load testing?

K6 offers 50 cloud tests for free. I hope the above cloud-based services help you perform the load test on your web applications for better capacity planning. Alternatively, if you are looking to use JMeter in-house and need some guidance, check out this video course. Next, check out webserver load test tools to benchmark the performance.

Although most websites are prone to traffic levels that are usually quite regular, there may be occasions when some sites will have to deal with heavy loads. Examples of these include online stores, or even some government websites.

If your website gets an unexpected spike in the number of visitors over a short period, how well are you equipped to handle it?

Understanding Load Testing

What is load testing?

Load testing is benchmarking a website to see how it performs under various loads.

For example, a test may simulate an increasing number of concurrent visitors landing on your site. It will also record how your site handles them for your reference.

What types of “load” are tested?

Depending on the tool you choose to load test your site with, each may come with different features. The most basic will simply involve simulating an ever increasing load and halting when your site crashes.

Other tools may be capable of generating a simulated load that mimics different user behaviour, such as performing queries, changing pages, or loading other functions. Some may even be able to map out logical flows for each individual scenario.

Load Testing Tools to Consider

Depending on their complexity, some load testing tools can be quite expensive. However, there are cheaper options in the market and some are even free for use. I’ve included a mixture of these below for your reference, including a couple of open source options.

1. Loadview by Dotcom Monitor

Price: From $199/mo, free trial available

Loadview is one of the more complete solutions available in the market and today is based on a cloud service model. This means that whatever type of simulation you need from them, you only pay for the service – there is zero investment in hardware or anything else.

Feature wise, Loadview offers a very complex solution that can include anything from straight up HTTP load tests to a sophisticated mix of your choice. It is able to simulate dynamic variables and even geo-location diversity in its tests.

Features

  • Post-firewall tests
  • Handles dynamic variables
  • Detailed waterfall charts
  • Load test curves

2. K6 Cloud (formerly Load Impact)

Price: From $49/mo

K6 is a cloud-based, open source load testing tool that’s provided as a service. One of the things that makes this tool interesting is that it is priced on a variable-use model which means that the cost of entry can be relatively low depending on your needs. It is, however, mainly developer-centric.

Aside from load testing, K6 also offers performance monitoring. Its load testing side is focused on high loads and can handle various modes such as spikes, stress testing, and endurance runs.

*K6 does not run in browsers nor does it run in NodeJS

Features

  • Developer-friendly APIs.
  • Scripting in JavaScript
  • Performance monitoring

3. Load Ninja

Price: From $270.73/mo

Load Ninja lets you load-test with real browsers based on recorded scripts and then helps analyze performance results. Its use of real browsers at scale means that this tool helps recreate a more realistic environment and end result for testing.

Results can be analyzed in real-time and thanks to the handy tools the system provides, your scripting time can be reduced by as much as 60%. Internal applications can be tested as well, both with proxy-based fixed IPs or your own range of dynamic IPs (by using a whitelister).

Features

  • Test with thousands of real browsers
  • Diagnose tests in real-time
  • Insights on internal application performance

4. LoadRunner by Micro Focus

Price: From $0

With an entry-level free community account that supports tests from 50 virtual users, LoadRunner is available even to the newest website owners. However, if you scale it up to high levels the cost rises exponentially.

This Cloud-based service also offers the use of an Integrated Development Environment for unit tests. It supports a wide range of application environments including Web, Mobile, WebSockets, Citrix, Java, .NET, and much more. Be aware that LoadRunner can be pretty complex and has a steep learning curve.

Features

  • Patented auto-correlation engine
  • Supports 50+ technologies and application environments
  • Reproduces real business processes with scripts

5. Loader

Price: From $0

Compared to what we’ve shown so far, Loader is a much simpler and more basic tool. Its free plan supports load testing with up to 10,000 virtual users which is enough for most moderate traffic websites.

Unfortunately you will need to have a paid plan to access more advanced features such as advanced analytics, concurrent tests, and priority support. It is easy to use though since basically you just add your site, specify the parameters, then let the test run.

Features

  • Shareable graphs & stats
  • Usable in a GUI or API format
  • Supports DNS Verification and priority loaders

6. Gatling

Price: From $0

Gatling comes in two flavors, Open Source or Enterprise. The former lets you load-test as an integration with your own development pipeline. It includes both a web recorder and report generator with the plan. The Enterprise version has on-premise deployments or alternatively, you can opt for a Cloud version based on Amazon Web Services (AWS).

Although both of these versions are feature-packed, the Enterprise version supports a few extras that don’t come with Open Source. For example, it has a more usable management interface and supports a wider range of integrations.

Features

  • Multi-protocol scripting
  • Unlimited testing and throughput
  • Gatling scripting DSL

7. The Grinder

Price: From $0

Grinder is open sourced all the way and is probably the only truly free option on this list. However, it has to be run locally in your own development environment and needs a few extras such as Java in order to work.

However, being open source it has been adopted widely and developers have come up with a plentiful number of plugins which vastly extend it in terms of both usability and functionality. Still, unless you’re a developer or so oriented, The Grinder might be a bit of a handful for you to use.

Features

  • Flexible scripting based on Jython and Clojure
  • Highly modular with tons of plugins
  • Distributed framework and mature HTTP support

When to Load Test Your Website?

If you’ve had a look at most of the tools available, you will probably have noticed that many of them offer either trial accounts or some form of limited free version. This makes them readily available for use for a wide audience.

Most website owners need to be concerned about hosting performance since it affects far more than simply user experience. For many business owners, the availability of your website is also a matter of brand reputation.

Sites which are growing need to be especially cautious of the availability and scalability of the resources used to host your website. In most cases a high percentage of user response time is spent on the surface of your site. However, as sites grow in traffic volume this might change.

More traffic usually means a disproportionate growth in backend processing and your system will struggle as that spikes. Much will depend on variables unique to your site development, so it isn’t possible to give you a solid number of visitors at which point this will happen.

To realistically see how your site performs, you need to load test it. Exactly when to do it is debatable, but my advice would be to plan ahead and test early.

What to Check for When Load Testing?

As the very name implies, your core focus should be the basics of how your site performs under load. This will let you observe a number of things such as:

  1. At what point your site performance starts to degrade
  2. What actually happens when service degrades

When I mentioned how different sites may react differently based on their architecture, that was a signal meant for you to understand that not all sites fail in the same way as well. Some database-intensive sites might fail on that point, while others may suffer IO failures based on server connection loads.

Because of this, you need to be prepared to set up a variety of tests to understand how your site and server will cope under various scenarios. Based on those, keep a close eye on a few key metrics such as your server response time, the number of errors cropping up, and what areas those faults may lie in.

Generating complex scripts and runs along with the accompanying logic can be difficult. I suggest that you approach load testing incrementally. Start with a brute force test that will simply test your site under a continuously increasing stream of traffic.

As you gain experience, add on other elements such as variable behaviour, developing your scripts and logic over time.
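An added example, not part of the original article: given per-stage results from a stepped ramp, this Python code reports the first load level at which the site degrades and whether latency or errors gave way first. The sample data, the 2x-baseline p95 latency budget and the 1% error budget are constructed assumptions; substitute the figures your load testing tool exports.

```python
import math

# Constructed results from a stepped ramp: concurrent users -> response times
# in ms. None marks a failed request (timeout, 5xx, connection reset).
RAMP = {
    50:  [110, 120, 115, 130, 125, 118, 122, 140, 119, 121],
    100: [125, 135, 128, 150, 140, 132, 138, 160, 131, 136],
    200: [180, 210, 190, 260, 230, 200, 220, 320, 195, 215],
    400: [450, 900, 600, None, 1200, 700, None, 1500, 650, 800],
    800: [None, 2500, None, None, 3000, None, 2800, None, None, None],
}

def percentile(values, pct):
    """Nearest-rank percentile, which behaves predictably on small samples."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def summarize(ramp):
    """Per-stage p95 latency of successful requests and overall error rate."""
    rows = []
    for users in sorted(ramp):
        results = ramp[users]
        ok = [r for r in results if r is not None]
        rows.append({
            "users": users,
            "p95_ms": percentile(ok, 95) if ok else None,
            "error_rate": (len(results) - len(ok)) / len(results),
        })
    return rows

def degradation_point(rows, p95_factor=2.0, max_error_rate=0.01):
    """First stage that breaks the latency or error budget, with the reasons."""
    baseline = rows[0]["p95_ms"]
    if baseline is None:
        raise ValueError("lowest load stage has no successful requests")
    for row in rows:
        reasons = []
        if row["error_rate"] > max_error_rate:
            reasons.append("errors")
        if row["p95_ms"] is None or row["p95_ms"] > p95_factor * baseline:
            reasons.append("latency")
        if reasons:
            return row["users"], reasons
    return None, []

if __name__ == "__main__":
    table = summarize(RAMP)
    for row in table:
        print(row)
    print("degrades at:", degradation_point(table))
```

On this sample the latency budget breaks one stage before any request fails, which is the kind of early signal a simple "ramp until it crashes" run would miss.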

Conclusion: Some is Better than None

When it comes to load testing, starting with the basics is better than not getting started at all. If you’re a beginner to all of this, do try to do your testing on an alternate mirror or offline where possible – avoid load testing a live site if you can!

If you’re just starting out now, make sure to create a record of your tests. Performance testing is a journey that should accompany the development of your site as it grows. The process can be tiring but remember, not having a record can make future assessments much more difficult for you.

Description

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP Benchmark project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.

Here we provide a list of vulnerability scanning tools currently available in the market.

Disclaimer: The tools listed in the table below are presented in alphabetical order. OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below.

OWASP is aware of the Web Application Vulnerability Scanner Evaluation Project (WAVSEP). WAVSEP is completely unrelated to OWASP and we do not endorse its results, nor any of the DAST tools it evaluates. However, the results provided by WAVSEP may be helpful to someone interested in researching or selecting free and/or commercial DAST tools for their projects. This project has far more detail on DAST tools and their features than this OWASP DAST page.

Tools Listing

| Name/Link | Owner | License | Platforms | Note |
|---|---|---|---|---|
| Abbey Scan | MisterScanner | Commercial | SaaS | |
| Acunetix | Acunetix | Commercial | Windows, Linux, MacOS | Free (Limited Capability) |
| App Scanner | Trustwave | Commercial | Windows | |
| AppCheck Ltd. | AppCheck Ltd. | Commercial | SaaS | Free trial scan available |
| AppScan | HCL Software | Commercial | Windows | |
| AppScan on Cloud | HCL Software | Commercial | SaaS | |
| AppSpider | Rapid7 | Commercial | Windows | |
| AppTrana Website Security Scan | AppTrana | Free | SaaS | |
| Arachni | Arachni | Free | Most platforms supported | Free for most use cases |
| BREACHLOCK Dynamic Application Security Testing | BREACHLOCK | Commercial | SaaS | |
| BlueClosure BC Detect | BlueClosure | Commercial | Most platforms supported | 2 week trial |
| Burp Suite | PortSwigger | Commercial | Most platforms supported | Free (Limited Capability) |
| Contrast | Contrast Security | Commercial | SaaS or On-Premises | Free (Full featured for 1 App) |
| Crashtest Security | Crashtest Security | Commercial | SaaS or On-Premises | |
| Cyber Chief | Audacix | Commercial | SaaS or On-Premises | |
| Detectify | Detectify | Commercial | SaaS | |
| Digifort- Inspect | Digifort | Commercial | SaaS | |
| Edgescan | Edgescan | Commercial | SaaS | |
| GamaScan | GamaSec | Commercial | Windows | |
| GoLismero | GoLismero Team | Open Source | Windows, Linux and Macintosh | GPLv2.0 |
| Grabber | Romain Gaucher | Open Source | Python 2.4, BeautifulSoup and PyXML | |
| Gravityscan | Defiant, Inc. | Commercial | SaaS | Free (Limited Capability) |
| Grendel-Scan | David Byrne | Open Source | Windows, Linux and Macintosh | |
| HostedScan.com | HostedScan.com | Commercial | SaaS | Free Forever |
| IKare | ITrust | Commercial | N/A | |
| ImmuniWeb | High-Tech Bridge | Commercial | SaaS | Free (Limited Capability) |
| Indusface Web Application Scanning | Indusface | Commercial | SaaS | Free trial available |
| InsightVM | Rapid7 | Commercial | SaaS | Free trial available |
| Intruder | Intruder Ltd. | Commercial | | |
| K2 Security Platform | K2 Cyber Security | Commercial | SaaS/On-Premise | Free trial available |
| N-Stealth | N-Stalker | Commercial | Windows | |
| Nessus | Tenable | Commercial | Windows | |
| Netsparker | Netsparker | Commercial | Windows | |
| Nexpose | Rapid7 | Commercial | Windows/Linux | Free (Limited Capability) |
| Nikto | CIRT | Open Source | Unix/Linux | |
| Probely | Probely | Commercial | SaaS | Free (Limited Capability) |
| Proxy.app | Websecurify | Commercial | Macintosh | |
| QualysGuard | Qualys | Commercial | N/A | |
| ReconwithMe | Nassec | Commercial | SaaS | Free (Limited Capability) |
| Retina | BeyondTrust | Commercial | Windows | |
| Ride (REST JSON Payload fuzzer) | Adobe, Inc. | Open Source | Linux / Mac / Windows | Apache 2 |
| SOATest | Parasoft | Commercial | Windows / Linux / Solaris | |
| Sec-helpers | VWT Digital | Open Source or Free | N/A | |
| SecPoint Penetrator | SecPoint | Commercial | N/A | |
| Security For Everyone | Security For Everyone | Commercial | SaaS | Free (Limited Capability) |
| Securus | Orvant, Inc | Commercial | N/A | |
| Sentinel | WhiteHat Security | Commercial | N/A | |
| StackHawk | StackHawk | Commercial | SaaS | |
| Tinfoil Security | Tinfoil Security, Inc. | Commercial | SaaS or On-Premises | Free (Limited Capability) |
| Trustkeeper Scanner | Trustwave SpiderLabs | Commercial | SaaS | |
| Vega | Subgraph | Open Source | Windows, Linux and Macintosh | |
| Vex | UBsecure | Commercial | Windows | |
| WPScan | WPScan Team | Commercial | Linux and Mac | Free options |
| Wapiti | Informática Gesfor | Open Source | Windows, Unix/Linux and Macintosh | |
| Web Security Scanner | DefenseCode | Commercial | On-Premises | |
| WebApp360 | TripWire | Commercial | Windows | |
| WebCookies | WebCookies | Free | SaaS | |
| WebInspect | Micro Focus | Commercial | Windows | |
| WebReaver | Websecurify | Commercial | Macintosh | |
| WebScanService | German Web Security | Commercial | N/A | |
| Websecurify Suite | Websecurify | Commercial | Windows, Linux, Macintosh | Free (Limited Capability) |
| Wikto | Sensepost | Open Source | Windows | |
| Zed Attack Proxy | OWASP | Open Source | Windows, Unix/Linux, and Macintosh | Apache-2.0 |
| beSECURE (formerly AVDS) | Beyond Security | Commercial | SaaS | Free (Limited Capability) |
| w3af | w3af.org | Open Source | Linux and Mac | GPLv2.0 |

References

  • SAST Tools - OWASP page with similar information on Static Application Security Testing (SAST) Tools
  • Free for Open Source Application Security Tools - OWASP page that lists the Commercial Dynamic Application Security Testing (DAST) tools we know of that are free for Open Source
  • http://sectooladdict.blogspot.com/ - Web Application Vulnerability Scanner Evaluation Project (WAVSEP)
  • http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria - v1.0 (2009)
  • http://www.slideshare.net/lbsuto/accuracy-and-timecostsofwebappscanners - White Paper: Analyzing the Accuracy and Time Costs of WebApplication Security Scanners - By Larry Suto (2010)
  • http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html - NIST home page which links to: NIST Special Publication 500-269: Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 (21 August, 2007)
  • http://www.softwareqatest.com/qatweb1.html#SECURITY - A list of Web Site Security Test Tools. (Has both DAST and SAST tools)