This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Appendix A: Testing Tools"
From OWASP
(→OWASP Pantera) |
(→OWASP Pantera) |
||
| Line 14: | Line 14: | ||
=== OWASP Pantera === | === OWASP Pantera === | ||
| − | + | ||
* OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project | * OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project | ||
* OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project | * OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project | ||
| Line 20: | Line 20: | ||
* Paros - http://www.proofsecure.com | * Paros - http://www.proofsecure.com | ||
* Burp Proxy - http://www.portswigger.net | * Burp Proxy - http://www.portswigger.net | ||
| − | |||
* Achilles Proxy - http://www.mavensecurity.com/achilles | * Achilles Proxy - http://www.mavensecurity.com/achilles | ||
* Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/ | * Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/ | ||
* Webstretch Proxy - http://sourceforge.net/projects/webstretch<br> | * Webstretch Proxy - http://sourceforge.net/projects/webstretch<br> | ||
| − | * | + | * Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org |
| − | |||
| − | |||
* Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html | * Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html | ||
| − | |||
'''Googling'''<br> | '''Googling'''<br> | ||
* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm | * Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm | ||
| + | '''Testing AJAX '''<br> | ||
| + | * OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project | ||
| + | '''Testing SQL Injection '''<br> | ||
| + | * SQLmap - http://www.linux.it/~belch/creations/sqlmap-0.0.1.tgz | ||
| + | * Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/<br> | ||
| + | '''Testing SSL '''<br> | ||
| + | * Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm | ||
===Commercial=== | ===Commercial=== | ||
Revision as of 22:51, 18 November 2006
[Up]
OWASP Testing Guide v2 Table of Contents
Black Box Testing tools
Open Source
OWASP WebScarab
OWASP CAL9000
OWASP Pantera
- OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
- OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
- SPIKE - http://www.immunitysec.com
- Paros - http://www.proofsecure.com
- Burp Proxy - http://www.portswigger.net
- Achilles Proxy - http://www.mavensecurity.com/achilles
- Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
- Webstretch Proxy - http://sourceforge.net/projects/webstretch
- Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org
- Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html
Googling
- Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm
Testing AJAX
- OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project
Testing SQL Injection
- SQLmap - http://www.linux.it/~belch/creations/sqlmap-0.0.1.tgz
- Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
Testing SSL
- Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
Commercial
- ScanDo - http://www.kavado.com
- WebSleuth - http://www.sandsprite.com
- SPI Dynamics WebInspect - http://www.spidynamics.com
- Watchfire AppScan - http://www.watchfire.com
- AppSecInc AppDetective for Web Apps
- Cenzic Hailstorm
- NT Objectives NTOSpider
- Acunetix Web Vulnerability Scanner 2
- Compuware DevPartner Fault Simulator
- Fortify Pen Testing Team Tool
- @stake Web Proxy 2.0
- Burp Intruder
- Sandsprite Web Sleuth
- MaxPatrol 7
- Syhunt Sandcat Scanner & Miner
- TrustSecurityConsulting HTTPExplorer
- Ecyware BlueGreen Inspector
- NGS Typhon
- Parasoft WebKing (more QA-type tool)
Source Code Analyzers
Open Source / Freeware
- http://www.securesoftware.com
- FlawFinder - http://www.dwheeler.com/flawfinder
- Microsoft’s FXCop - http://www.gotdotnet.com/team/fxcop
- Split - http://splint.org
- Boon - http://www.cs.berkeley.edu/~daw/boon
- Pscan - http://www.striker.ottawa.on.ca/~aland/pscan
Commercial
- Fortify - http://www.fortifysoftware.com
- Ounce labs Prexis - http://www.ouncelabs.com
- GrammaTech - http://www.grammatech.com
- ParaSoft - http://www.parasoft.com
- ITS4 - http://www.cigital.com/its4
- CodeWizard - http://www.parasoft.com/products/wizard
Other Tools
Runtime Analysis
- Rational PurifyPlus - http://www-306.ibm.com/software/awdtools
Binary Analysis
- BugScam - http://sourceforge.net/projects/bugscam
- BugScan - http://www.hbgary.com
Requirements Management
- Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro
OWASP Testing Guide v2
Here is the OWASP Testing Guide v2 Table of Contents
