OWASP - User contributions [en]

Phoenix/Tools

2015-12-29T18:51:58Z

A sriram:

Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

=Testing grounds=
==LiveCDs==
OWASP Live CD - http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project 
Web Security Dojo - http://dojo.mavensecurity.com/ 
Samurai WTF - http://samurai.inguardians.com 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 
moth - http://www.bonsai-sec.com/en/research/moth.php 
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/ 
Hacking-Lab Live CD - https://www.hacking-lab.com/Remote_Sec_Lab/livecd.html 

==Test sites==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Trustwave (live) - http://crackme.trustwave.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp 
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 
Google’s web application training - http://jarlsberg.appspot.com/part1/ 
OWASP TOP 10 LAB (Online) - https://www.hacking-lab.com/Remote_Sec_Lab/free-owasp-top10-lab.html 

=External Assessment=
==Browser==
===Add-ons for Firefox that help with general web application security===
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

===Browser-based HTTP tampering / editing / replaying===
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

===Add-ons for Firefox that help with Javascript and Ajax web application security===
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

===Bookmarklets that aid in web application security===
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

===Footprinting for web application security===
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Tools==
===SSL certificate checking / scanning===
SSL Labs - https://www.ssllabs.com/ssldb/ 
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 
testssl.sh - http://drwetter.eu/software/ssl/ 
[[O-Saft]] - OWASP SSL audit for testers: list information about and test remote SSL certificate and connection [https://github.com/OWASP/O-Saft/archive/master.zip Download] 

===HTTP proxying / editing===
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp Suite - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Paros fork #1: Zed Attack Proxy (ZAP) - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 
Paros fork #2: Andiparos - http://code.google.com/p/andiparos/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 
Ratproxy - http://code.google.com/p/ratproxy/ 
Arachni - https://github.com/Zapotek/arachni/ 
WATOBO - http://watobo.sourceforge.net/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://www.owasp.org/index.php/JBroFuzz 
J-Baah - http://www.sensepost.com/labs/tools/pentest/j-baah 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 
fuzzdb - https://code.google.com/p/fuzzdb/ 

===HTTP general testing / fingerprinting===
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
Websecurify - http://www.websecurify.com 
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
twill - http://twill.idyll.org/ 
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip ([http://www.stoev.org/elza.html dead link]) 
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox 

===== dead, vanished links (March/2012) =====
Mumsie - http://www.secureworks.com/research/tools/mumsie/ ([http://www.lurhq.com/tools/mumsie.html dead link]) 
Torture.pl Home Page - source probably here http://www.foo.be/docs/tpj/issues/vol2_4/tpj0204-0002.html ([http://stein.cshl.org/~lstein/torture/ dead link]) 

===Cookie editing / poisoning===
[TGZ] stompy: session id tool - http://freecode.com/projects/stompy ([http://lcamtuf.coredump.cx/stompy.tgz old link]) 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 
Cookie Safe - https://addons.mozilla.org/de/firefox/addon/2497/ 

==Fuzzer==
===Browser-based security fuzzing / checking===
Zalewski's MangleMe - http://freecode.com/projects/mangleme tool see here http://lcamtuf.coredump.cx/soft/mangleme.tgz ([http://lcamtuf.coredump.cx/mangleme/mangle.cgi mangle.cgi dead link]) 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzzer.com/ ([http://peachfuzz.sourceforge.net old link])/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - https://github.com/dzzie/COMRaider ([http://labs.idefense.com dead link]) 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.adamlock.com/mozilla/ ([http://www.iol.ie/~locka/mozilla/mozilla.htm old link]) 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285 

===== dead, vanished links (March/2012) =====
bcheck - http://bcheck.scanit.be/bcheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - <nowiki>http://linkscanner.explabs.com/linkscanner/default.asp</nowiki> (seems to be a vendor link now) 

===Application and protocol fuzzing (random instead of targeted)===
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 

===== dead, vanished links (March/2012) =====
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==3rd party services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

=Server side stuff=
==PHP static analysis and file inclusion scanning==
Pixy: Open source flow based discovery of XSS and SQLi - http://pixybox.seclab.tuwien.ac.at/pixy/ 
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==PHP Defensive Tools==
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/ 
Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey 
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools - http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip 
PHP-Login-Info-Checker (Strictly enforce admins/users to select stronger passwords via url loginfo_checker.php?testlic) - http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip, http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip 
php-DDOS-Shield (prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code) - http://code.google.com/p/ddos-shield/ 
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip, http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

=Code=
==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ 
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html 
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
* Visual Studio 2008 Code Analysis, available in:
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
* Visual Studio 2005 Code Analyzer, available in:
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx
* FxCop:
** (blog) http://blogs.msdn.com/fxcop/
** (download) http://code.msdn.microsoft.com/codeanalysis
* Microsoft internal tools you can't have yet:
** http://www.microsoft.com/windows/cse/pa_projects.mspx
** http://research.microsoft.com/Pex/
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

=Database security assessment=
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

=Threat modeling=
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

=Misc=

==RSS extensions and caching==
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 
Analytics seo - http://www.analyticsseo.com/ 

==Web application security malware, backdoors, and evil code==
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.beefproject.com 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

=Browser Privacy/ Defenses=

==Browser Defenses==
Adblock Plus (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/ 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey 

==Browser Privacy==
BetterPrivacy (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ 
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/trackmenot/ 
Privacy Bird - http://www.privacybird.com/ 
HTTPS Everywhere - https://www.eff.org/https-everywhere

OWASP Vulnerable Web Applications Directory Project/Pages/Online

2015-12-29T18:49:35Z

A sriram:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Author
! scope="col" | Notes
|-
| [http://testphp.vulnweb.com Acuart]
| PHP
| Acunetix
| Art shopping
|-
| [http://testaspnet.vulnweb.com/ Acublog]
| .NET
| Acunetix
| Blog
|-
| [http://testasp.vulnweb.com/ Acuforum]
| ASP
| Acunetix
| Forum
|-
| [http://demo.testfire.net/ Altoro Mutual]
|
| IBM/Watchfire
| (jsmith/Demo1234)
|-
| [http://crackme.trustwave.com/ Crack Me Bank]
|
| Trustwave
|
|-
| [http://enigmagroup.org/ Enigma Group]
|
| Enigma Group
|
|-
| [http://google-gruyere.appspot.com/ Gruyere]
| Python
| Google
|
|-
| [https://public-firing-range.appspot.com/ Firing Range]
|
| Google
| [https://github.com/google/firing-range Source code]
|-
| [http://hackademic1.teilar.gr Hackademic Challenges Project]
| PHP - Joomla
| OWASP
|
|-
| [http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/ Hacker Challenge]
|
| PCTechtips
|
|-
| [http://hackazon.webscantest.com/ Hackazon]
| AJAX, JSON, XML, GwT, AMF
| NTObjectives
| [http://www.ntobjectives.com/hackazon/ Project page]
|-
| [https://www.hacking-lab.com/events/registerform.html?eventid=245 Hacking Lab]
|
| Hacking Lab
|
|-
| [https://hack.me Hack.me]
|
| eLearnSecurity
| Beta
|-
| [http://www.hackthissite.org HackThisSite]
|
| HackThisSite
| Basic & Realistic (web) Missions
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
| First 2 levels online (algo/smurf), rest offline
|-
| [http://pentesteracademylab.appspot.com Pentester Academy]
|
|
|
|-
| [http://testhtml5.vulnweb.com/ Security Tweets]
|
| Acunetix
| HTML5
|-
| [http://vicnum.ciphertechs.com Vicnum Project]
| Perl & PHP
|
|
|-
| [http://www.webscantest.com Web Scanner Test Site]
|
| NTOSpider
| (testuser/testpass)
|-
| [http://blasze.com/xsstestsuite/ XSS Test Suite]
|
|
|
|-
| [http://zero.webappsecurity.com/ Zero Bank]
|
| HP/SpiDynamics
| (admin/admin)
|-
|}

Category:Vulnerability Scanning Tools

2015-12-29T18:44:53Z

A sriram:

== Description ==

Web Application Vulnerability Scanners are the automated tools that scan web applications to look for known security vulnerabilities such as cross-site scripting, SQL injection, command execution, directory traversal and insecure server configuration. A large number of both commercial and open source tools are available and and all these tools have their own strengths and weaknesses.

Here we will provide a listing of vulnerability scanning tools currently available in the market. The plan is to extend this listing to provide information about each tool's strengths and weaknesses to enable you to make an informed decision about the selection of a particular tool to meet your requirements.

 '''Disclaimer:''' The tools listing in the table below has been presented in an alphabetical order. OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below. We have made every effort to put this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

 

== Tools Listing ==

{{:Template:OWASP Tool Headings}}
{{OWASP Tool Info || tool_name = [http://www.acunetix.com/ Acunetix WVS] || tool_owner = Acunetix || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [http://www-01.ibm.com/software/rational/offerings/websecurity/ AppScan] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/ App Scanner] || tool_owner = Trustwave || tool_licence = Commercial || tool_platforms = Windows }}
|
{{OWASP Tool Info || tool_name = [http://www.beyondsecurity.com/avds AVDS] || tool_owner = Beyond Security || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = N/A }}
|
{{OWASP Tool Info || tool_name = [http://www.buguroo.com BugBlast] || tool_owner = Buguroo Offensive Security || tool_licence = Commercial || tool_platforms = SaaS or On-Premises }}
|
{{OWASP Tool Info || tool_name = [http://www.portswigger.net/ Burp Suite] || tool_owner = PortSwiger || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Most platforms supported }}
|
{{OWASP Tool Info || tool_name = [https://contrastsecurity.com Contrast] || tool_owner = Contrast Security || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises }}
|
{{OWASP Tool Info || tool_name = [http://www.gamasec.com/Gamascan.aspx GamaScan] || tool_owner = GamaSec || tool_licence = Commercial || tool_platforms = Windows }}
|
{{OWASP Tool Info || tool_name = [http://rgaucher.info/beta/grabber/ Grabber] || tool_owner = Romain Gaucher || tool_licence = Open Source || tool_platforms = Python 2.4, BeautifulSoup and PyXML}}
|
{{OWASP Tool Info || tool_name = [http://sourceforge.net/p/grendel/code/ci/c59780bfd41bdf34cc13b27bc3ce694fd3cb7456/tree/ Grendel-Scan] || tool_owner = David Byrne || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
|
{{OWASP Tool Info || tool_name = [http://www.golismero.com GoLismero] || tool_owner = GoLismero Team || tool_licence = GPLv2.0 || tool_platforms = Windows, Linux and Macintosh}}
|
{{OWASP Tool Info || tool_name = [http://www.ikare-monitoring.com/ IKare] || tool_owner = ITrust || tool_licence = Commercial || tool_platforms = N/A }}
|
{{OWASP Tool Info || tool_name = [https://www.indusface.com/index.php/products/indusguard-web IndusGuard Web] || tool_owner = Indusface || tool_licence = Commercial || tool_platforms = SaaS}}
|
{{OWASP Tool Info || tool_name = [http://www.nstalker.com/ N-Stealth] || tool_owner = N-Stalker || tool_licence = Commercial || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [http://www.mavitunasecurity.com/ Netsparker] || tool_owner = MavitunaSecurity || tool_licence = Commercial || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/nexpose-community-edition.jsp Nexpose] || tool_owner = Rapid7 || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Windows/Linux}}
|
{{OWASP Tool Info || tool_name = [http://www.cirt.net/nikto2 Nikto] || tool_owner = CIRT || tool_licence = Open Source|| tool_platforms = Unix/Linux}}
|
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/appspider/ AppSpider] || tool_owner = Rapid7 || tool_licence = Commercial || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [http://www.milescan.com/ ParosPro] || tool_owner = MileSCAN || tool_licence = Commercial || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/proxy.html Proxy.app] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
|
{{OWASP Tool Info || tool_name = [http://www.qualys.com/products/qg_suite/was/ QualysGuard] || tool_owner = Qualys || tool_licence = Commercial || tool_platforms = N/A}}
|
{{OWASP Tool Info || tool_name = [http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina] || tool_owner = BeyondTrust || tool_licence = Commercial || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [http://www.orvant.com Securus] || tool_owner = Orvant, Inc || tool_licence = Commercial || tool_platforms = N/A}}
|
{{OWASP Tool Info || tool_name = [http://www.whitehatsec.com/home/services/services.html Sentinel] || tool_owner = WhiteHat Security || tool_licence = Commercial || tool_platforms = N/A}}
|
{{OWASP Tool Info || tool_name = [https://subgraph.com/vega/ Vega] || tool_owner = Subgraph || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
|
{{OWASP Tool Info || tool_name = [http://wapiti.sourceforge.net/ Wapiti] || tool_owner = Informática Gesfor || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
|
{{OWASP Tool Info || tool_name = [http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/web-application-vulnerability-scanning/ WebApp360] || tool_owner = TripWire || tool_licence = Commercial || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.Uuf0KBAo4iw WebInspect] || tool_owner = HP || tool_licence = Commercial || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [http://www.parasoft.com/products/article.jsp?articleId=3169&redname=webtesting&referred=webtesting SOATest] || tool_owner = Parasoft || tool_licence = Commercial || tool_platforms = Windows / Linux / Solaris}}
|
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/external-vulnerability-scanning.php Trustkeeper Scanner] || tool_owner = Trustwave SpiderLabs || tool_licence = Commercial || tool_platforms = SaaS}}
|
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/webreaver.html WebReaver] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
|
{{OWASP Tool Info || tool_name = [http://www.german-websecurity.com/en/products/webscanservice/product-details/overview/ WebScanService] || tool_owner = German Web Security || tool_licence = Commercial || tool_platforms = N/A}}
|
{{OWASP Tool Info || tool_name = [https://suite.websecurify.com/ Websecurify Suite] || tool_owner = Websecurify || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows, Linux, Macintosh}}
|
{{OWASP Tool Info || tool_name = [http://www.sensepost.com/research/wikto/ Wikto] || tool_owner = Sensepost || tool_licence = Open Source || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [http://www.w3af.org/ w3af] || tool_owner = w3af.org || tool_licence = GPLv2.0 || tool_platforms = Linux and Mac}}
|
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows}}
|
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Zed Attack Proxy] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
|}

== References ==

*http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
*https://buildsecurityin.us-cert.gov/daisy/bsi/articles/tools/black-box/261-BSI.html#dsy261-BSI_Evaluation-Criteria
*http://www.uml.org.cn/Test/12/Automated%20Testing%20Tool%20Evaluation%20Matrix.pdf
*http://securityinnovation.com/security-report/October/vulnScanners15.htm
*http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
*http://www.tssci-security.com/archives/2007/11/24/2007-security-testing-tools-in-review/
*http://www.softwareqatest.com/qatweb1.html
*http://www.proactiverisk.com/tools-page

[[Category:OWASP_Tools_Project]]

Phoenix/Tools

2015-12-29T18:41:02Z

A sriram:

Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

=Testing grounds=
==LiveCDs==
OWASP Live CD - http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project 
Web Security Dojo - http://dojo.mavensecurity.com/ 
Samurai WTF - http://samurai.inguardians.com 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 
moth - http://www.bonsai-sec.com/en/research/moth.php 
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/ 
Hacking-Lab Live CD - https://www.hacking-lab.com/Remote_Sec_Lab/livecd.html 

==Test sites==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Trustwave (formerly Cenzic) (live) - http://crackme.trustwave.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp 
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 
Google’s web application training - http://jarlsberg.appspot.com/part1/ 
OWASP TOP 10 LAB (Online) - https://www.hacking-lab.com/Remote_Sec_Lab/free-owasp-top10-lab.html 

=External Assessment=
==Browser==
===Add-ons for Firefox that help with general web application security===
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

===Browser-based HTTP tampering / editing / replaying===
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

===Add-ons for Firefox that help with Javascript and Ajax web application security===
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

===Bookmarklets that aid in web application security===
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

===Footprinting for web application security===
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Tools==
===SSL certificate checking / scanning===
SSL Labs - https://www.ssllabs.com/ssldb/ 
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 
testssl.sh - http://drwetter.eu/software/ssl/ 
[[O-Saft]] - OWASP SSL audit for testers: list information about and test remote SSL certificate and connection [https://github.com/OWASP/O-Saft/archive/master.zip Download] 

===HTTP proxying / editing===
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp Suite - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Paros fork #1: Zed Attack Proxy (ZAP) - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 
Paros fork #2: Andiparos - http://code.google.com/p/andiparos/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 
Ratproxy - http://code.google.com/p/ratproxy/ 
Arachni - https://github.com/Zapotek/arachni/ 
WATOBO - http://watobo.sourceforge.net/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://www.owasp.org/index.php/JBroFuzz 
J-Baah - http://www.sensepost.com/labs/tools/pentest/j-baah 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 
fuzzdb - https://code.google.com/p/fuzzdb/ 

===HTTP general testing / fingerprinting===
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
Websecurify - http://www.websecurify.com 
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
twill - http://twill.idyll.org/ 
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip ([http://www.stoev.org/elza.html dead link]) 
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox 

===== dead, vanished links (March/2012) =====
Mumsie - http://www.secureworks.com/research/tools/mumsie/ ([http://www.lurhq.com/tools/mumsie.html dead link]) 
Torture.pl Home Page - source probably here http://www.foo.be/docs/tpj/issues/vol2_4/tpj0204-0002.html ([http://stein.cshl.org/~lstein/torture/ dead link]) 

===Cookie editing / poisoning===
[TGZ] stompy: session id tool - http://freecode.com/projects/stompy ([http://lcamtuf.coredump.cx/stompy.tgz old link]) 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 
Cookie Safe - https://addons.mozilla.org/de/firefox/addon/2497/ 

==Fuzzer==
===Browser-based security fuzzing / checking===
Zalewski's MangleMe - http://freecode.com/projects/mangleme tool see here http://lcamtuf.coredump.cx/soft/mangleme.tgz ([http://lcamtuf.coredump.cx/mangleme/mangle.cgi mangle.cgi dead link]) 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzzer.com/ ([http://peachfuzz.sourceforge.net old link])/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - https://github.com/dzzie/COMRaider ([http://labs.idefense.com dead link]) 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.adamlock.com/mozilla/ ([http://www.iol.ie/~locka/mozilla/mozilla.htm old link]) 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285 

===== dead, vanished links (March/2012) =====
bcheck - http://bcheck.scanit.be/bcheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - <nowiki>http://linkscanner.explabs.com/linkscanner/default.asp</nowiki> (seems to be a vendor link now) 

===Application and protocol fuzzing (random instead of targeted)===
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 

===== dead, vanished links (March/2012) =====
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==3rd party services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

=Server side stuff=
==PHP static analysis and file inclusion scanning==
Pixy: Open source flow based discovery of XSS and SQLi - http://pixybox.seclab.tuwien.ac.at/pixy/ 
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==PHP Defensive Tools==
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/ 
Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey 
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools - http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip 
PHP-Login-Info-Checker (Strictly enforce admins/users to select stronger passwords via url loginfo_checker.php?testlic) - http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip, http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip 
php-DDOS-Shield (prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code) - http://code.google.com/p/ddos-shield/ 
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip, http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

=Code=
==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ 
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html 
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
* Visual Studio 2008 Code Analysis, available in:
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
* Visual Studio 2005 Code Analyzer, available in:
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx
* FxCop:
** (blog) http://blogs.msdn.com/fxcop/
** (download) http://code.msdn.microsoft.com/codeanalysis
* Microsoft internal tools you can't have yet:
** http://www.microsoft.com/windows/cse/pa_projects.mspx
** http://research.microsoft.com/Pex/
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

=Database security assessment=
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

=Threat modeling=
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

=Misc=

==RSS extensions and caching==
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 
Analytics seo - http://www.analyticsseo.com/ 

==Web application security malware, backdoors, and evil code==
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.beefproject.com 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

=Browser Privacy/ Defenses=

==Browser Defenses==
Adblock Plus (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/ 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey 

==Browser Privacy==
BetterPrivacy (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ 
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/trackmenot/ 
Privacy Bird - http://www.privacybird.com/ 
HTTPS Everywhere - https://www.eff.org/https-everywhere

OWASP Vulnerable Web Applications Directory Project/Pages/Online

2015-12-29T18:39:18Z

A sriram:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Author
! scope="col" | Notes
|-
| [http://testphp.vulnweb.com Acuart]
| PHP
| Acunetix
| Art shopping
|-
| [http://testaspnet.vulnweb.com/ Acublog]
| .NET
| Acunetix
| Blog
|-
| [http://testasp.vulnweb.com/ Acuforum]
| ASP
| Acunetix
| Forum
|-
| [http://demo.testfire.net/ Altoro Mutual]
|
| IBM/Watchfire
| (jsmith/Demo1234)
|-
| [http://crackme.trustwave.com/ Crack Me Bank]
|
| Trustwave (Formerly Cenzic)
|
|-
| [http://enigmagroup.org/ Enigma Group]
|
| Enigma Group
|
|-
| [http://google-gruyere.appspot.com/ Gruyere]
| Python
| Google
|
|-
| [https://public-firing-range.appspot.com/ Firing Range]
|
| Google
| [https://github.com/google/firing-range Source code]
|-
| [http://hackademic1.teilar.gr Hackademic Challenges Project]
| PHP - Joomla
| OWASP
|
|-
| [http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/ Hacker Challenge]
|
| PCTechtips
|
|-
| [http://hackazon.webscantest.com/ Hackazon]
| AJAX, JSON, XML, GwT, AMF
| NTObjectives
| [http://www.ntobjectives.com/hackazon/ Project page]
|-
| [https://www.hacking-lab.com/events/registerform.html?eventid=245 Hacking Lab]
|
| Hacking Lab
|
|-
| [https://hack.me Hack.me]
|
| eLearnSecurity
| Beta
|-
| [http://www.hackthissite.org HackThisSite]
|
| HackThisSite
| Basic & Realistic (web) Missions
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
| First 2 levels online (algo/smurf), rest offline
|-
| [http://pentesteracademylab.appspot.com Pentester Academy]
|
|
|
|-
| [http://testhtml5.vulnweb.com/ Security Tweets]
|
| Acunetix
| HTML5
|-
| [http://vicnum.ciphertechs.com Vicnum Project]
| Perl & PHP
|
|
|-
| [http://www.webscantest.com Web Scanner Test Site]
|
| NTOSpider
| (testuser/testpass)
|-
| [http://blasze.com/xsstestsuite/ XSS Test Suite]
|
|
|
|-
| [http://zero.webappsecurity.com/ Zero Bank]
|
| HP/SpiDynamics
| (admin/admin)
|-
|}

Appendix A: Testing Tools

2015-12-29T18:37:06Z

A sriram:

{{Template:OWASP Testing Guide v4}}

==Open Source Black Box Testing tools==

=== General Testing ===
* '''[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP]'''
**The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
**ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins.
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
* '''[[:OWASP Mantra - Security Framework]]'''
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
* '''SPIKE''' - http://www.immunitysec.com/resources-freesoftware.shtml
** SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
* '''Burp Proxy''' - http://www.portswigger.net/Burp/
** Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
* '''Odysseus Proxy''' - http://www.wastelands.gen.nz/odysseus/
** Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
* '''Webstretch Proxy''' - http://sourceforge.net/projects/webstretch
** Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
* '''WATOBO''' - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
** WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
* '''Firefox LiveHTTPHeaders''' - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
** View HTTP headers of a page and while browsing.
* '''Firefox Tamper Data''' - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
** Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
* '''Firefox Web Developer Tools''' - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
** The Web Developer extension adds various web developer tools to the browser.
* '''DOM Inspector''' - https://developer.mozilla.org/en/docs/DOM_Inspector
** DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
* '''Firefox Firebug''' - http://getfirebug.com/
** Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.
* '''Grendel-Scan''' - http://securitytube-tools.net/index.php?title=Grendel_Scan
** Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
* '''OWASP SWFIntruder''' - http://www.mindedsecurity.com/swfintruder.html
** SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
* '''SWFScan''' - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
** Flash decompiler
* '''Wikto''' - http://www.sensepost.com/labs/tools/pentest/wikto
** Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
* '''w3af''' - http://w3af.org
** w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
* '''skipfish''' - http://code.google.com/p/skipfish/
** Skipfish is an active web application security reconnaissance tool.
* '''Web Developer toolbar''' - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
** The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
* '''HTTP Request Maker''' - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
** Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
* '''Cookie Editor''' - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
** Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
* '''Cookie swap''' - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
** Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.
* '''Firebug lite for Chrome"" - https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
**Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elements with your mouse, and live editing CSS properties
* '''Session Manager"" - https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
**With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
* '''Subgraph Vega''' - http://www.subgraph.com/products.html
**Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

=== Testing for specific vulnerabilities ===

==== Testing for DOM XSS ====
* DOMinator Pro - https://dominator.mindedsecurity.com

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''

==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
* Absinthe 1.1 (formerly SQLSqueal) - http://sourceforge.net/projects/absinthe/
* SQLInjector - Uses inference techniques to extract data and determine the backend database server. http://www.databasesecurity.com/sql-injector.htm
* Bsqlbf-v2: A perl script allows extraction of data from Blind SQL Injections - http://code.google.com/p/bsqlbf-v2/
* Pangolin: An automatic SQL injection penetration testing tool - http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper - http://www.ruizata.com/
* Multiple DBMS Sql Injection tool - SQL Power Injector - http://www.sqlpowerinjector.com/
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools - http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad

==== Testing SSL ====
* Foundstone SSL Digger - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx

==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
* Ncat - http://nmap.org/ncat/

==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker
* Metasploit - http://www.metasploit.com/
** A rapid exploit development and Testing frame work

==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''
* Wfuzz - http://www.darknet.org.uk/2007/07/wfuzz-a-tool-for-bruteforcingfuzzing-web-applications/

==== Googling ====
* Bishop Fox's Google Hacking Diggity Project - http://www.bishopfox.com/resources/tools/google-hacking-diggity/
* Foundstone Sitedigger (Google cached fault-finding) - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

==Commercial Black Box Testing tools==
* NGS Typhon III - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-typhon-iii/
* NGSSQuirreL - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-squirrel-vulnerability-scanners/
* IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
* Trustwave App Scanner (Formerly Cenzic Hailstorm) - https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/
* Burp Intruder - http://www.portswigger.net/burp/intruder.html
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* Sleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft SOAtest (more QA-type tool)- http://www.parasoft.com/jsp/products/soatest.jsp?itemId=101
* MatriXay - http://www.dbappsecurity.com/webscan.html
* N-Stalker Web Application Security Scanner - http://www.nstalker.com
* HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
* SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
* Netsparker - http://www.mavitunasecurity.com/netsparker/
* SAINT - http://www.saintcorporation.com/
* QualysGuard WAS - http://www.qualys.com/enterprises/qualysguard/web-application-scanning/
* IndusGuard Web - https://www.indusface.com/index.php/products/indusguard-web
* Retina Web - http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx

==Source Code Analyzers==

===Open Source / Freeware===
* [[:Category:OWASP_Orizon_Project|Owasp Orizon]]
* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* [[OWASP O2 Platform]]
* Google CodeSearchDiggity - http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
* PMD - http://pmd.sourceforge.net/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s [[FxCop]]
* Splint - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net
* Find Security Bugs - http://h3xstream.github.io/find-sec-bugs/
* Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
* W3af - http://w3af.sourceforge.net/
* phpcs-security-audit - https://github.com/Pheromone/phpcs-security-audit

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
* Checkmarx CxSuite - http://www.checkmarx.com
* HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
* GrammaTech - http://www.grammatech.com
* ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
* Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
* ParaSoft - http://www.parasoft.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com
* Armorize CodeSecure - http://www.armorize.com/codesecure/

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://seleniumhq.org/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/
* Seeker by Quotium - http://www.quotium.com/prod/security.php

===Binary Analysis===

* BugScam IDC Package - http://sourceforge.net/projects/bugscam
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu's Link Sleuth - http://home.snafu.de/tilman/xenulink.html

[[Category:SAMM-CR-2]]