OWASP - User contributions [en]

Phoenix/Tools

2008-05-07T20:18:28Z

Rave: /* RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools */

__NOTOC__
Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
Search - http://ebooknetworking.net/ 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 
HackerFox(http://yehg.co.nr) : Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
Java - http://www.ebooknetworking.com/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
DFP - http://www.downloadfreepdf.com/ 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
FPE - http://freepdfebooks.wordpress.com/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java -
http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector (http://yehg.co.nr) - http://userscripts.org/scripts/show/22955

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Phoenix/Tools

2008-05-07T20:16:22Z

Rave: /* RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools */

__NOTOC__
Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
Search - http://ebooknetworking.net/search pdf book tool 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 
HackerFox(http://yehg.co.nr) : Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
Java - http://www.ebooknetworking.com/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
DFP - http://www.downloadfreepdf.com/ 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
FPE - http://freepdfebooks.wordpress.com/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java -
http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector (http://yehg.co.nr) - http://userscripts.org/scripts/show/22955

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Phoenix/Tools

2008-05-05T08:43:16Z

Rave: /* Java static analysis, security frameworks, and web application security tools */

__NOTOC__
Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 
HackerFox(http://yehg.co.nr) : Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
Java - http://www.ebooknetworking.com/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
DFP - http://www.downloadfreepdf.com/ 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
FPE - http://freepdfebooks.wordpress.com/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java -
http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector (http://yehg.co.nr) - http://userscripts.org/scripts/show/22955

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Phoenix/Tools

2008-05-05T08:42:08Z

Rave: /* Java static analysis, security frameworks, and web application security tools */

__NOTOC__
Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 
HackerFox(http://yehg.co.nr) : Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
Java - http://www.ebooknetworking.com/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
DFP - http://www.downloadfreepdf.com/ 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
FPE - http://freepdfebooks.wordpress.comt/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java -
http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector (http://yehg.co.nr) - http://userscripts.org/scripts/show/22955

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Phoenix/Tools

2008-05-05T08:39:58Z

Rave: /* Java static analysis, security frameworks, and web application security tools */

__NOTOC__
Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 
HackerFox(http://yehg.co.nr) : Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
Java - http://www.ebooknetworking.com/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
DFP - http://www.downloadfreepdf.com/ 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector (http://yehg.co.nr) - http://userscripts.org/scripts/show/22955

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Phoenix/Tools

2008-05-05T08:38:05Z

Rave: /* Java static analysis, security frameworks, and web application security tools */

__NOTOC__
Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 
HackerFox(http://yehg.co.nr) : Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
DFP - http://www.downloadfreepdf.com/ 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector (http://yehg.co.nr) - http://userscripts.org/scripts/show/22955

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html