Appendix A: Testing Tools

2009-06-09T00:23:14Z

John Linehan:

{{Template:OWASP Testing Guide v3}}

==Open Source Black Box Testing tools==

=== General Testing ===

* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
* SPIKE - http://www.immunitysec.com
* Paros - http://www.parosproxy.org
* Burp Proxy - http://www.portswigger.net
* Achilles Proxy - http://www.mavensecurity.com/achilles
* Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
* Webstretch Proxy - http://sourceforge.net/projects/webstretch
* Firefox LiveHTTPHeaders, Tamper Data and Developer Tools - http://www.mozdev.org
* Grendel-Scan - http://www.grendel-scan.com
* [[:Category:SWFIntruder|OWASP SWFIntruder]]
* http://www.mindedsecurity.com/swfintruder.html

[[Category:FIXME| link not working

* Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html

]]

=== Testing for specific vulnerabilities ===

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''
==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net
* Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
* SQLInjector - http://www.databasesecurity.com/sql-injector.htm
* bsqlbf-1.2-th - http://www.514.es

[[Category:FIXME|link not working

* Multiple DBMS Sql Injection tool - SQL Power Injector
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper

]]

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad
==== Testing SSL ====
* Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html

[[Category:FIXME|link not working
==== Testing for HTTP Methods ====
* NetCat - http://www.vulnwatch.org/netcat

]]
==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker

[[Category:FIXME|link not working

* Metasploit - http://www.metasploit.com/projects/Framework/
** A rapid exploit development and Testing frame work

]]
==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''

==== Googling ====
* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

==Commercial Black Box Testing tools==

* Typhon - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
* NGSSQuirreL - http://www.ngssoftware.com/products/database-security/
* Watchfire AppScan - http://www.watchfire.com
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
* Burp Intruder - http://portswigger.net/intruder
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* WebSleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester
* Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft WebKing (more QA-type tool)
* MatriXay - http://www.dbappsecurity.com
* N-Stalker Web Application Security Scanner - http://www.nstalker.com

[[Category:FIXME|check these links

* Watchfire AppScan - http://www.watchfire.com
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php

link broken:
* SPI Dynamics WebInspect - http://www.spidynamics.com
* ScanDo - http://www.kavado.com

]]

==Source Code Analyzers==

===Open Source / Freeware===

* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* PMD - http://pmd.sourceforge.net/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s [[FxCop]]
* Splint - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net

[[Category:FIXME|broken link

* Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

]]

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* CodeWizard - http://www.parasoft.com/products/wizard
* Checkmarx CxSuite - http://www.checkmarx.com
* Fortify - http://www.fortifysoftware.com
* GrammaTech - http://www.grammatech.com
* ITS4 - http://www.cigital.com/its4
* Ounce labs Prexis - http://www.ouncelabs.com
* ParaSoft - http://www.parasoft.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com

[[Category:FIXME|link not working

* Armorize CodeSecure - http://www.armorize.com/product/

]]

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://www.openqa.org/selenium/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

===Binary Analysis===

* BugScam - http://sourceforge.net/projects/bugscam
* BugScan - http://www.hbgary.com
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu - http://home.snafu.de/tilman/xenulink.html

[[Category:FIXME|check this link

* Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

]]

OWASP - User contributions [en]

Appendix A: Testing Tools