This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Phoenix/Tools"
(Java ORM Playground added) (Tag: Visual edit) |
|||
| (78 intermediate revisions by 24 users not shown) | |||
| Line 1: | Line 1: | ||
| − | Please send comments or questions to the Phoenix-OWASP mailing-list. | + | Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list]. |
| − | + | ||
| − | + | =Testing grounds= | |
| − | + | ==LiveCDs== | |
| − | + | OWASP Live CD - http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project <br /> | |
| − | + | Web Security Dojo - http://dojo.mavensecurity.com/<br /> | |
| − | + | Samurai WTF - http://samurai.inguardians.com<br /> | |
| − | + | DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/<br /> | |
| − | + | moth - http://www.bonsai-sec.com/en/research/moth.php<br /> | |
| − | + | OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/<br /> | |
| − | + | Hacking-Lab Live CD - https://www.hacking-lab.com/Remote_Sec_Lab/livecd.html<br /> | |
| − | + | ||
| − | + | ==Test sites== | |
| − | + | SPI Dynamics (live) - http://zero.webappsecurity.com/<br /> | |
| − | + | Trustwave (live) - http://crackme.trustwave.com/<br /> | |
| − | + | Watchfire (live) - http://demo.testfire.net/<br /> | |
| − | + | Acunetix (live) - http://testphp.vulnweb.com/ http://testasp.vulnweb.com http://testaspnet.vulnweb.com<br /> | |
| − | + | WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven<br /> | |
| − | + | Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp<br /> | |
| − | + | Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html<br /> | |
| − | + | OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project<br /> | |
| − | + | OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator<br /> | |
| − | + | Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/<br /> | |
| − | + | SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/<br /> | |
| − | + | Google’s web application training - http://jarlsberg.appspot.com/part1/ <br /> | |
| − | + | OWASP TOP 10 LAB (Online) - https://www.hacking-lab.com/Remote_Sec_Lab/free-owasp-top10-lab.html | |
| − | + | ||
| − | + | Java ORM Testing Playground - https://github.com/0ang3el/HQLi-playground | |
| − | + | ||
| − | + | <br /> | |
| − | + | ||
| − | + | =External Assessment= | |
| − | + | ==Browser== | |
| − | + | ===Add-ons for Firefox that help with general web application security=== | |
| − | + | Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br /> | |
| − | + | Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/<br /> | |
| − | + | XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br /> | |
| − | + | Public Fox - https://addons.mozilla.org/firefox/3911/<br /> | |
| − | + | XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br /> | |
| − | + | MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br /> | |
| − | + | Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html<br /> | |
| − | + | IE Tab - https://addons.mozilla.org/firefox/1419/<br /> | |
| − | + | User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br /> | |
| − | + | ServerSwitcher - https://addons.mozilla.org/firefox/2409/<br /> | |
| − | + | HeaderMonitor - https://addons.mozilla.org/firefox/575/<br /> | |
| − | + | RefControl - https://addons.mozilla.org/firefox/953/<br /> | |
| − | + | refspoof - https://addons.mozilla.org/firefox/667/<br /> | |
| − | + | No-Referrer - https://addons.mozilla.org/firefox/1999/<br /> | |
| − | + | LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br /> | |
| − | + | SpiderZilla - http://spiderzilla.mozdev.org/<br /> | |
| − | + | Slogger - https://addons.mozilla.org/en-US/firefox/addon/143<br /> | |
| − | + | Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br /> | |
| − | + | ||
| − | + | ===Browser-based HTTP tampering / editing / replaying=== | |
| − | + | TamperIE - http://www.bayden.com/Other/<br /> | |
| − | + | isr-form - http://www.infobyte.com.ar/developments.html<br /> | |
| − | + | Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/<br /> | |
| − | + | Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/<br /> | |
| − | + | UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/<br /> | |
| − | + | TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/<br /> | |
| − | + | DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/<br /> | |
| − | + | LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/<br /> | |
| − | + | ||
| − | + | ===Add-ons for Firefox that help with Javascript and Ajax web application security=== | |
| − | + | Selenium IDE - http://www.openqa.org/selenium-ide/<br /> | |
| − | + | Firebug - http://www.joehewitt.com/software/firebug/<br /> | |
| − | + | Venkman - http://www.mozilla.org/projects/venkman/<br /> | |
| − | + | Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br /> | |
| − | + | Greasemonkey - http://www.greasespot.net/<br /> | |
| − | + | Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br /> | |
| − | + | User script compiler - http://arantius.com/misc/greasemonkey/script-compiler<br /> | |
| − | + | Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/<br /> | |
| − | + | Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/<br /> | |
| − | + | ||
| − | + | ===Bookmarklets that aid in web application security=== | |
| − | + | RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br /> | |
| − | + | BMlets - http://optools.awardspace.com/bmlet.html<br /> | |
| − | + | Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br /> | |
| − | + | Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide | |
| − | <br/ > | + | rich functionality - http://www.blummy.com/<br /> |
| − | + | Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html<br /> | |
| − | + | Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/<br /> | |
| − | + | OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/<br /> | |
| − | + | ||
| − | + | ===Footprinting for web application security=== | |
| − | + | Evolution - http://www.paterva.com/evolution-e.html<br /> | |
| − | + | GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/<br /> | |
| − | + | Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/<br /> | |
| − | + | Edge-Security tools - http://www.edge-security.com/soft.php<br /> | |
| − | <br/ > | + | Fierce Domain Scanner - http://ha.ckers.org/fierce/<br /> |
| − | + | Googlegath - http://www.nothink.org/perl/googlegath/<br /> | |
| − | + | Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/<br /> | |
| − | + | Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/<br /> | |
| − | + | CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/<br /> | |
| − | + | BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/<br /> | |
| − | + | TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/<br /> | |
| − | + | DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/<br /> | |
| − | + | Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/<br /> | |
| − | + | ||
| − | + | ==Tools== | |
| − | + | ===SSL certificate checking / scanning=== | |
| − | + | SSL Labs - https://www.ssllabs.com/ssldb/<br /> | |
| − | + | [ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip<br /> | |
| − | + | [ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip<br /> | |
| − | + | Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br /> | |
| − | + | testssl.sh - http://drwetter.eu/software/ssl/<br /> | |
| − | + | [[O-Saft]] - OWASP SSL audit for testers: list information about and test remote SSL certificate and connection [https://github.com/OWASP/O-Saft/archive/master.zip Download] <br /> | |
| − | + | ||
| − | + | ===HTTP proxying / editing=== | |
| − | + | WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br /> | |
| − | + | Burp Suite - http://www.portswigger.net/<br /> | |
| − | + | Paros - http://www.parosproxy.org/<br /> | |
| − | + | Paros fork #1: Zed Attack Proxy (ZAP) - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project<br /> | |
| − | <br/ > | + | Paros fork #2: Andiparos - http://code.google.com/p/andiparos/<br /> |
| − | < | + | Fiddler - http://www.fiddlertool.com/<br /> |
| − | + | Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /> | |
| − | + | Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br /> | |
| − | + | Suru - http://www.sensepost.com/research/suru/<br /> | |
| − | + | httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/<br /> | |
| − | + | Charles - http://www.xk72.com/charles/<br /> | |
| − | + | Odysseus - http://www.bindshell.net/tools/odysseus<br /> | |
| − | + | Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br /> | |
| − | + | Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br /> | |
| − | + | JS Commander - http://jscmd.rubyforge.org/<br /> | |
| − | + | Ratproxy - http://code.google.com/p/ratproxy/<br /> | |
| − | + | Arachni - https://github.com/Zapotek/arachni/<br /> | |
| − | + | WATOBO - http://watobo.sourceforge.net/<br /> | |
| − | + | ||
| − | + | ==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools== | |
| − | + | Wfuzz - http://www.edge-security.com/wfuzz.php<br /> | |
| − | + | ProxMon - http://www.isecpartners.com/proxmon.html<br /> | |
| − | + | Wapiti - http://wapiti.sourceforge.net/<br /> | |
| − | + | Grabber - http://rgaucher.info/beta/grabber/<br /> | |
| − | + | XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py<br /> | |
| − | + | CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br /> | |
| − | + | EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe<br /> | |
| − | + | HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br /> | |
| − | + | JBroFuzz - http://www.owasp.org/index.php/JBroFuzz<br /> | |
| − | + | J-Baah - http://www.sensepost.com/labs/tools/pentest/j-baah<br /> | |
| − | + | XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br /> | |
| − | + | WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br /> | |
| − | + | Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /> | |
| − | <br/ > | + | [TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz<br /> |
| − | + | RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter<br /> | |
| − | + | screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html<br /> | |
| − | + | SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br /> | |
| − | + | RFuzz - http://rfuzz.rubyforge.org/<br /> | |
| − | + | WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999<br /> | |
| − | + | TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br /> | |
| − | + | ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br /> | |
| − | + | WSTool - http://wstool.sourceforge.net/<br /> | |
| − | + | Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br /> | |
| − | + | Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /> | |
| − | <br/ > | + | HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/<br /> |
| − | + | Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br /> | |
| − | + | PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743<br /> | |
| − | + | fuzzdb - https://code.google.com/p/fuzzdb/<br /> | |
| − | + | ||
| − | + | ===HTTP general testing / fingerprinting=== | |
| − | + | Wbox: HTTP testing tool - http://hping.org/wbox/<br /> | |
| − | + | ht://Check - http://htcheck.sourceforge.net/<br /> | |
| − | + | WebInject - http://www.webinject.org/<br /> | |
| − | + | Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br /> | |
| − | + | JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br /> | |
| − | + | OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/<br /> | |
| − | + | Load-balancing detector - http://ge.mine.nu/lbd.html<br /> | |
| − | + | HMAP - http://ujeni.murkyroc.com/hmap/<br /> | |
| − | + | Net-Square: httprint - http://net-square.com/httprint/<br /> | |
| − | + | Wpoison: http stress testing - http://wpoison.sourceforge.net/<br /> | |
| − | + | Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml<br /> | |
| − | + | hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/<br /> | |
| − | + | rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp<br /> | |
| − | + | Nikto - http://www.cirt.net/code/nikto.shtml<br /> | |
| − | + | Websecurify - http://www.websecurify.com<br /> | |
| − | + | W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/<br /> | |
| − | + | twill - http://twill.idyll.org/<br /> | |
| − | + | DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<br /> | |
| − | + | [ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip<br /> | |
| − | + | [ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip ([http://www.stoev.org/elza.html dead link])<br /> | |
| − | + | HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox <br /> | |
| − | + | ||
| − | + | ===== dead, vanished links (March/2012) ===== | |
| − | + | Mumsie - http://www.secureworks.com/research/tools/mumsie/ ([http://www.lurhq.com/tools/mumsie.html dead link])<br /> | |
| − | + | Torture.pl Home Page - source probably here http://www.foo.be/docs/tpj/issues/vol2_4/tpj0204-0002.html ([http://stein.cshl.org/~lstein/torture/ dead link])<br /> | |
| − | + | ||
| − | + | ===Cookie editing / poisoning=== | |
| − | + | [TGZ] stompy: session id tool - http://freecode.com/projects/stompy ([http://lcamtuf.coredump.cx/stompy.tgz old link])<br /> | |
| − | + | Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br /> | |
| − | + | CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br /> | |
| − | + | CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/<br /> | |
| − | + | CookieSpy - http://www.codeproject.com/shell/cookiespy.asp<br /> | |
| − | + | Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx<br /> | |
| − | + | Cookie Safe - https://addons.mozilla.org/de/firefox/addon/2497/ <br /> | |
| − | + | ||
| − | + | ==Fuzzer== | |
| − | + | ===Browser-based security fuzzing / checking=== | |
| − | + | Zalewski's MangleMe - http://freecode.com/projects/mangleme tool see here http://lcamtuf.coredump.cx/soft/mangleme.tgz ([http://lcamtuf.coredump.cx/mangleme/mangle.cgi mangle.cgi dead link]) <br /> | |
| − | + | hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/<br /> | |
| − | + | Peach Fuzzer Framework - http://peachfuzzer.com/ ([http://peachfuzz.sourceforge.net old link])/<br /> | |
| − | + | TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html<br /> | |
| − | + | PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br /> | |
| − | + | COMRaider - https://github.com/dzzie/COMRaider ([http://labs.idefense.com dead link])<br /> | |
| − | + | BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/<br /> | |
| − | <br/ > | + | Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br /> |
| − | < | + | Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br /> |
| − | + | Mozilla Activex - http://www.adamlock.com/mozilla/ ([http://www.iol.ie/~locka/mozilla/mozilla.htm old link])<br /> | |
| − | + | Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/<br /> | |
| − | + | Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br /> | |
| − | + | WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285<br /> | |
| − | + | ||
| − | + | ===== dead, vanished links (March/2012) ===== | |
| − | + | bcheck - http://bcheck.scanit.be/bcheck/<br /> | |
| − | + | Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br /> | |
| − | + | Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br /> | |
| − | + | Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324<br /> | |
| − | + | About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br /> | |
| − | + | Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects<br /> | |
| − | + | LinkScanner - <nowiki>http://linkscanner.explabs.com/linkscanner/default.asp</nowiki> (seems to be a vendor link now)<br /> | |
| − | + | ||
| − | + | ===Application and protocol fuzzing (random instead of targeted)=== | |
| − | + | Sulley - http://fuzzing.org/<br /> | |
| − | + | taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/<br /> | |
| − | + | zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br /> | |
| − | + | autodafé: an act of software torture - http://autodafe.sourceforge.net/<br /> | |
| − | + | ||
| − | + | ===== dead, vanished links (March/2012) ===== | |
| − | + | EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html<br /> | |
| − | + | ||
| − | + | ==Ajax and XHR scanning== | |
| − | + | Sahi - http://sahi.co.in/<br /> | |
| − | + | scRUBYt - http://scrubyt.org/<br /> | |
| − | + | jQuery - http://jquery.com/<br /> | |
| − | + | jquery-include - http://www.gnucitizen.org/projects/jquery-include<br /> | |
| − | + | Sprajax - http://www.denimgroup.com/sprajax.html<br /> | |
| − | + | Watir - http://wtr.rubyforge.org/<br /> | |
| − | + | Watij - http://watij.com/<br /> | |
| − | + | Watin - http://watin.sourceforge.net/<br /> | |
| − | + | RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br /> | |
| − | + | SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br /> | |
| − | + | Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/<br /> | |
| − | <br/ > | + | Firebug Lite - http://www.getfirebug.com/lite.html<br /> |
| − | + | firewaitr - http://code.google.com/p/firewatir/<br /> | |
| − | + | ||
| − | + | ==SQL injection scanning== | |
| − | + | 0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br /> | |
| − | Microsoft | + | SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br /> |
| − | + | sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br /> | |
| − | <br/ > | + | JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br /> |
| − | + | BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html<br /> | |
| − | + | sqlmap - http://sqlmap.sourceforge.net/<br /> | |
| − | + | Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/<br /> | |
| − | + | FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas<br /> | |
| − | <br/ > | + | PRIAMOS - http://www.priamos-project.com/<br /> |
| − | + | ||
| − | + | ==Web services enumeration / scanning / fuzzing== | |
| − | + | WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio<br /> | |
| − | + | Net-square: wsChess - http://net-square.com/wschess/index.shtml<br /> | |
| − | + | WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br /> | |
| − | + | SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm<br /> | |
| − | + | iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html<br /> | |
| − | + | ||
| − | + | ==3rd party services that aid in web application security assessment== | |
| − | + | Netcraft - http://www.netcraft.net<br /> | |
| − | + | AboutURL - http://www.abouturl.com/<br /> | |
| − | + | The Scrutinizer - http://www.scrutinizethis.com/<br /> | |
| − | + | net.toolkit - http://clez.net/<br /> | |
| − | + | ServerSniff - http://www.serversniff.net/<br /> | |
| − | + | Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/<br /> | |
| − | + | Webmaster-Toolkit - http://www.webmaster-toolkit.com/<br /> | |
| − | + | myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address<br /> | |
| − | + | PHP charset encoding - http://h4k.in/encoding<br /> | |
| − | + | data: URL testcases - http://h4k.in/dataurl<br /> | |
| − | + | ||
| − | + | ||
| − | + | =Server side stuff= | |
| − | + | ==PHP static analysis and file inclusion scanning== | |
| − | + | Pixy: Open source flow based discovery of XSS and SQLi - http://pixybox.seclab.tuwien.ac.at/pixy/<br /> | |
| − | + | PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/<br /> | |
| − | + | Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php<br /> | |
| − | + | FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25<br /> | |
| − | + | PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit<br /> | |
| − | + | ||
| − | + | ==PHP Defensive Tools== | |
| − | + | PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/ <br /> | |
| − | + | Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey <br /> | |
| − | + | Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools - http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip <br /> | |
| − | + | PHP-Login-Info-Checker (Strictly enforce admins/users to select stronger passwords via url loginfo_checker.php?testlic) - http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip, http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip <br /> | |
| − | + | php-DDOS-Shield (prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code) - http://code.google.com/p/ddos-shield/ <br /> | |
| − | + | PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip, http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar <br /> | |
| − | <br/ > | + | |
| − | + | ==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources== | |
| − | + | APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS<br /> | |
| − | + | PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/<br /> | |
| − | + | dotnetids - http://code.google.com/p/dotnetids/<br /> | |
| − | + | Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html<br /> | |
| − | + | Remo: whitelist rule editor for mod_security - http://remo.netnea.com/<br /> | |
| − | + | GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules<br /> | |
| − | <br/ > | + | The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br /> |
| − | + | mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br /> | |
| − | + | Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br /> | |
| − | + | [TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br /> | |
| − | + | AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99<br /> | |
| − | + | Akismet: blog spam defense - http://akismet.com/<br /> | |
| − | + | Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br /> | |
| − | + | ||
| − | + | ||
| − | + | =Code= | |
| − | + | ==Web application non-specific static source-code analysis== | |
| − | + | Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br /> | |
| − | + | Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br /> | |
| − | + | Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project<br /> | |
| − | + | An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/<br /> | |
| − | + | A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html<br /> | |
| − | + | A smaller, but also good list - http://spinroot.com/static/<br /> | |
| − | + | Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/<br /> | |
| − | + | ||
| − | + | ==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications== | |
| − | + | RATS - http://www.securesoftware.com/resources/download_rats.html<br /> | |
| − | + | ITS4 - http://www.cigital.com/its4/<br /> | |
| − | + | FlawFinder - http://www.dwheeler.com/flawfinder/<br /> | |
| − | + | Splint - http://www.splint.org/<br /> | |
| − | + | Uno - http://spinroot.com/uno/<br /> | |
| − | + | BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net<br /> | |
| − | + | Valgrind - http://www.valgrind.org/<br /> | |
| − | + | ||
| − | + | ==Java static analysis, security frameworks, and web application security tools== | |
| − | + | LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ <br /> | |
| − | + | CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html<br /> | |
| − | + | HDIV Struts - http://hdiv.org/<br /> | |
| − | + | Orizon - http://sourceforge.net/projects/orizon/<br /> | |
| − | + | FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br /> | |
| − | + | PMD - http://pmd.sourceforge.net/<br /> | |
| − | + | CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/<br /> | |
| − | + | EMMA - http://emma.sourceforge.net/<br /> | |
| − | + | JLint - http://jlint.sourceforge.net/<br /> | |
| − | + | Java PathFinder - http://javapathfinder.sourceforge.net/<br /> | |
| − | + | Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/<br /> | |
| − | + | Checkstyle - http://checkstyle.sourceforge.net/<br /> | |
| − | + | Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br /> | |
| − | + | tinapoc - http://sourceforge.net/projects/tinapoc<br /> | |
| − | + | jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br /> | |
| − | + | Solex - http://solex.sourceforge.net/<br /> | |
| − | + | Java Explorer - http://metal.hurlant.com/jexplore/<br /> | |
| − | + | HTTPClient - http://www.innovation.ch/java/HTTPClient/<br /> | |
| − | + | another HttpClient - http://jakarta.apache.org/commons/httpclient/<br /> | |
| − | + | a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html<br /> | |
| − | + | ||
| + | ==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET== | ||
| + | * Visual Studio 2008 Code Analysis, available in: | ||
| + | ** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and | ||
| + | ** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx) | ||
| + | * Visual Studio 2005 Code Analyzer, available in: | ||
| + | ** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx) | ||
| + | ** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx) | ||
| + | * Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx | ||
| + | * FxCop: | ||
| + | ** (blog) http://blogs.msdn.com/fxcop/ | ||
| + | ** (download) http://code.msdn.microsoft.com/codeanalysis | ||
| + | * Microsoft internal tools you can't have yet: | ||
| + | ** http://www.microsoft.com/windows/cse/pa_projects.mspx | ||
| + | ** http://research.microsoft.com/Pex/ | ||
| + | ** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf<br /> | ||
| + | |||
| + | |||
| + | =Database security assessment= | ||
| + | Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/<br /> | ||
| + | |||
| + | |||
| + | =Threat modeling= | ||
| + | Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br /> | ||
| + | Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br /> | ||
| + | Octotrike - http://www.octotrike.org/<br /> | ||
| + | |||
| + | |||
| + | =Misc= | ||
| + | |||
| + | ==RSS extensions and caching== | ||
| + | rss-cache - http://www.dubfire.net/chris/projects/rss-cache/<br /> | ||
| + | |||
| + | ==Blackhat SEO and maybe some whitehat SEO== | ||
| + | SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/<br /> | ||
| + | SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br /> | ||
| + | SEOQuake (Firefox Add-on) - http://www.seoquake.com/<br /> | ||
| + | Analytics seo - http://www.analyticsseo.com/<br /> | ||
| + | |||
| + | ==Web application security malware, backdoors, and evil code== | ||
| + | Jikto - http://busin3ss.name/jikto-in-the-wild/<br /> | ||
| + | XSS Shell - http://ferruh.mavituna.com/article/?1338<br /> | ||
| + | XSS-Proxy - http://xss-proxy.sourceforge.net<br /> | ||
| + | AttackAPI - http://www.gnucitizen.org/projects/attackapi/<br /> | ||
| + | FFsniFF - http://azurit.elbiahosting.sk/ffsniff/<br /> | ||
| + | HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/<br /> | ||
| + | BeEF - http://www.beefproject.com<br /> | ||
| + | Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/<br /> | ||
| + | What is my IP address? - http://reglos.de/myaddress/<br /> | ||
| + | xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br /> | ||
| + | SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/<br /> | ||
| + | Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br /> | ||
| + | Technika - http://www.gnucitizen.org/projects/technika/<br /> | ||
| + | Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet<br /> | ||
| + | MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br /> | ||
| + | |||
| + | ==Honeyclients, Web Application, and Web Proxy honeypots== | ||
| + | Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ <br /> | ||
| + | HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br /> | ||
| + | Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br /> | ||
| + | Google Hack Honeypot - http://ghh.sourceforge.net/<br /> | ||
| + | PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br /> | ||
| + | SpyBye - http://www.monkey.org/~provos/spybye/<br /> | ||
| + | Honeytokens - http://www.securityfocus.com/infocus/1713<br /> | ||
| + | |||
| + | =Browser Privacy/ Defenses= | ||
| + | |||
| + | ==Browser Defenses== | ||
| + | Adblock Plus (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/<br /> | ||
| + | NoScript (Firefox Add-on) - http://www.noscript.net/<br /> | ||
| + | DieHard - http://www.diehard-software.org/<br /> | ||
| + | LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/<br /> | ||
| + | NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/<br /> | ||
| + | FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br /> | ||
| + | FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/<br /> | ||
| + | SafeCache (Firefox Add-on) - http://www.safecache.com/<br /> | ||
| + | SafeHistory (Firefox Add-on) - http://www.safehistory.com/<br /> | ||
| + | PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br /> | ||
| + | All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/<br /> | ||
| + | Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/<br /> | ||
| + | FireKeeper - http://firekeeper.mozdev.org/<br /> | ||
| + | Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey<br /> | ||
| + | |||
| + | ==Browser Privacy== | ||
| + | BetterPrivacy (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/<br /> | ||
| + | TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/trackmenot/<br /> | ||
| + | Privacy Bird - http://www.privacybird.com/<br /> | ||
| + | HTTPS Everywhere - https://www.eff.org/https-everywhere<br /> | ||
Latest revision as of 15:27, 18 October 2017
Please send comments or questions to the Phoenix-OWASP mailing-list.
- 1 Testing grounds
- 2 External Assessment
- 2.1 Browser
- 2.1.1 Add-ons for Firefox that help with general web application security
- 2.1.2 Browser-based HTTP tampering / editing / replaying
- 2.1.3 Add-ons for Firefox that help with Javascript and Ajax web application security
- 2.1.4 Bookmarklets that aid in web application security
- 2.1.5 Footprinting for web application security
- 2.2 Tools
- 2.3 RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools
- 2.4 Fuzzer
- 2.5 Ajax and XHR scanning
- 2.6 SQL injection scanning
- 2.7 Web services enumeration / scanning / fuzzing
- 2.8 3rd party services that aid in web application security assessment
- 2.1 Browser
- 3 Server side stuff
- 4 Code
- 4.1 Web application non-specific static source-code analysis
- 4.2 Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
- 4.3 Java static analysis, security frameworks, and web application security tools
- 4.4 Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
- 5 Database security assessment
- 6 Threat modeling
- 7 Misc
- 8 Browser Privacy/ Defenses
Testing grounds
LiveCDs
OWASP Live CD - http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
Web Security Dojo - http://dojo.mavensecurity.com/
Samurai WTF - http://samurai.inguardians.com
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/
moth - http://www.bonsai-sec.com/en/research/moth.php
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/
Hacking-Lab Live CD - https://www.hacking-lab.com/Remote_Sec_Lab/livecd.html
Test sites
SPI Dynamics (live) - http://zero.webappsecurity.com/
Trustwave (live) - http://crackme.trustwave.com/
Watchfire (live) - http://demo.testfire.net/
Acunetix (live) - http://testphp.vulnweb.com/ http://testasp.vulnweb.com http://testaspnet.vulnweb.com
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/
Google’s web application training - http://jarlsberg.appspot.com/part1/
OWASP TOP 10 LAB (Online) - https://www.hacking-lab.com/Remote_Sec_Lab/free-owasp-top10-lab.html
Java ORM Testing Playground - https://github.com/0ang3el/HQLi-playground
External Assessment
Browser
Add-ons for Firefox that help with general web application security
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/
Public Fox - https://addons.mozilla.org/firefox/3911/
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html
IE Tab - https://addons.mozilla.org/firefox/1419/
User-Agent Switcher - https://addons.mozilla.org/firefox/59/
ServerSwitcher - https://addons.mozilla.org/firefox/2409/
HeaderMonitor - https://addons.mozilla.org/firefox/575/
RefControl - https://addons.mozilla.org/firefox/953/
refspoof - https://addons.mozilla.org/firefox/667/
No-Referrer - https://addons.mozilla.org/firefox/1999/
LocationBar^2 - https://addons.mozilla.org/firefox/4014/
SpiderZilla - http://spiderzilla.mozdev.org/
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143
Fire Encrypter - https://addons.mozilla.org/firefox/3208/
Browser-based HTTP tampering / editing / replaying
TamperIE - http://www.bayden.com/Other/
isr-form - http://www.infobyte.com.ar/developments.html
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/
Add-ons for Firefox that help with Javascript and Ajax web application security
Selenium IDE - http://www.openqa.org/selenium-ide/
Firebug - http://www.joehewitt.com/software/firebug/
Venkman - http://www.mozilla.org/projects/venkman/
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey - http://www.greasespot.net/
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/
Bookmarklets that aid in web application security
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html
BMlets - http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/
Footprinting for web application security
Evolution - http://www.paterva.com/evolution-e.html
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/
Edge-Security tools - http://www.edge-security.com/soft.php
Fierce Domain Scanner - http://ha.ckers.org/fierce/
Googlegath - http://www.nothink.org/perl/googlegath/
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/
Tools
SSL certificate checking / scanning
SSL Labs - https://www.ssllabs.com/ssldb/
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/
testssl.sh - http://drwetter.eu/software/ssl/
O-Saft - OWASP SSL audit for testers: list information about and test remote SSL certificate and connection Download
HTTP proxying / editing
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp Suite - http://www.portswigger.net/
Paros - http://www.parosproxy.org/
Paros fork #1: Zed Attack Proxy (ZAP) - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Paros fork #2: Andiparos - http://code.google.com/p/andiparos/
Fiddler - http://www.fiddlertool.com/
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru - http://www.sensepost.com/research/suru/
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/
Charles - http://www.xk72.com/charles/
Odysseus - http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/
JS Commander - http://jscmd.rubyforge.org/
Ratproxy - http://code.google.com/p/ratproxy/
Arachni - https://github.com/Zapotek/arachni/
WATOBO - http://watobo.sourceforge.net/
RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools
Wfuzz - http://www.edge-security.com/wfuzz.php
ProxMon - http://www.isecpartners.com/proxmon.html
Wapiti - http://wapiti.sourceforge.net/
Grabber - http://rgaucher.info/beta/grabber/
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz - http://www.owasp.org/index.php/JBroFuzz
J-Baah - http://www.sensepost.com/labs/tools/pentest/j-baah
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml
RFuzz - http://rfuzz.rubyforge.org/
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/
WSTool - http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743
fuzzdb - https://code.google.com/p/fuzzdb/
HTTP general testing / fingerprinting
Wbox: HTTP testing tool - http://hping.org/wbox/
ht://Check - http://htcheck.sourceforge.net/
WebInject - http://www.webinject.org/
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/
Load-balancing detector - http://ge.mine.nu/lbd.html
HMAP - http://ujeni.murkyroc.com/hmap/
Net-Square: httprint - http://net-square.com/httprint/
Wpoison: http stress testing - http://wpoison.sourceforge.net/
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp
Nikto - http://www.cirt.net/code/nikto.shtml
Websecurify - http://www.websecurify.com
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/
twill - http://twill.idyll.org/
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip (dead link)
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox
dead, vanished links (March/2012)
Mumsie - http://www.secureworks.com/research/tools/mumsie/ (dead link)
Torture.pl Home Page - source probably here http://www.foo.be/docs/tpj/issues/vol2_4/tpj0204-0002.html (dead link)
Cookie editing / poisoning
[TGZ] stompy: session id tool - http://freecode.com/projects/stompy (old link)
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx
Cookie Safe - https://addons.mozilla.org/de/firefox/addon/2497/
Fuzzer
Browser-based security fuzzing / checking
Zalewski's MangleMe - http://freecode.com/projects/mangleme tool see here http://lcamtuf.coredump.cx/soft/mangleme.tgz (mangle.cgi dead link)
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/
Peach Fuzzer Framework - http://peachfuzzer.com/ (old link)/
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider - https://github.com/dzzie/COMRaider (dead link)
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html
Mozilla Activex - http://www.adamlock.com/mozilla/ (old link)
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285
dead, vanished links (March/2012)
bcheck - http://bcheck.scanit.be/bcheck/
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp (seems to be a vendor link now)
Application and protocol fuzzing (random instead of targeted)
Sulley - http://fuzzing.org/
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/
autodafé: an act of software torture - http://autodafe.sourceforge.net/
dead, vanished links (March/2012)
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html
Ajax and XHR scanning
Sahi - http://sahi.co.in/
scRUBYt - http://scrubyt.org/
jQuery - http://jquery.com/
jquery-include - http://www.gnucitizen.org/projects/jquery-include
Sprajax - http://www.denimgroup.com/sprajax.html
Watir - http://wtr.rubyforge.org/
Watij - http://watij.com/
Watin - http://watin.sourceforge.net/
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/
Firebug Lite - http://www.getfirebug.com/lite.html
firewaitr - http://code.google.com/p/firewatir/
SQL injection scanning
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap - http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas
PRIAMOS - http://www.priamos-project.com/
Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio
Net-square: wsChess - http://net-square.com/wschess/index.shtml
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html
3rd party services that aid in web application security assessment
Netcraft - http://www.netcraft.net
AboutURL - http://www.abouturl.com/
The Scrutinizer - http://www.scrutinizethis.com/
net.toolkit - http://clez.net/
ServerSniff - http://www.serversniff.net/
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit - http://www.webmaster-toolkit.com/
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
PHP charset encoding - http://h4k.in/encoding
data: URL testcases - http://h4k.in/dataurl
Server side stuff
PHP static analysis and file inclusion scanning
Pixy: Open source flow based discovery of XSS and SQLi - http://pixybox.seclab.tuwien.ac.at/pixy/
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit
PHP Defensive Tools
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/
Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools - http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip
PHP-Login-Info-Checker (Strictly enforce admins/users to select stronger passwords via url loginfo_checker.php?testlic) - http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip, http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip
php-DDOS-Shield (prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code) - http://code.google.com/p/ddos-shield/
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip, http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar
Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/
dotnetids - http://code.google.com/p/dotnetids/
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/
mod_security rules generator - http://noeljackson.com/tools/modsecurity/
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99
Akismet: blog spam defense - http://akismet.com/
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/
Code
Web application non-specific static source-code analysis
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list - http://spinroot.com/static/
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/
Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
RATS - http://www.securesoftware.com/resources/download_rats.html
ITS4 - http://www.cigital.com/its4/
FlawFinder - http://www.dwheeler.com/flawfinder/
Splint - http://www.splint.org/
Uno - http://spinroot.com/uno/
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net
Valgrind - http://www.valgrind.org/
Java static analysis, security frameworks, and web application security tools
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html
HDIV Struts - http://hdiv.org/
Orizon - http://sourceforge.net/projects/orizon/
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/
PMD - http://pmd.sourceforge.net/
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/
EMMA - http://emma.sourceforge.net/
JLint - http://jlint.sourceforge.net/
Java PathFinder - http://javapathfinder.sourceforge.net/
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/
Checkstyle - http://checkstyle.sourceforge.net/
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver
tinapoc - http://sourceforge.net/projects/tinapoc
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
Solex - http://solex.sourceforge.net/
Java Explorer - http://metal.hurlant.com/jexplore/
HTTPClient - http://www.innovation.ch/java/HTTPClient/
another HttpClient - http://jakarta.apache.org/commons/httpclient/
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html
Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
- Visual Studio 2008 Code Analysis, available in:
- VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and
- VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
- Visual Studio 2005 Code Analyzer, available in:
- Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
- Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
- Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx
- FxCop:
- (blog) http://blogs.msdn.com/fxcop/
- (download) http://code.msdn.microsoft.com/codeanalysis
- Microsoft internal tools you can't have yet:
Database security assessment
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/
Threat modeling
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php
Octotrike - http://www.octotrike.org/
Misc
RSS extensions and caching
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/
Blackhat SEO and maybe some whitehat SEO
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html
SEOQuake (Firefox Add-on) - http://www.seoquake.com/
Analytics seo - http://www.analyticsseo.com/
Web application security malware, backdoors, and evil code
Jikto - http://busin3ss.name/jikto-in-the-wild/
XSS Shell - http://ferruh.mavituna.com/article/?1338
XSS-Proxy - http://xss-proxy.sourceforge.net
AttackAPI - http://www.gnucitizen.org/projects/attackapi/
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/
BeEF - http://www.beefproject.com
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/
What is my IP address? - http://reglos.de/myaddress/
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval
Technika - http://www.gnucitizen.org/projects/technika/
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/
Honeyclients, Web Application, and Web Proxy honeypots
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/
Google Hack Honeypot - http://ghh.sourceforge.net/
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/
SpyBye - http://www.monkey.org/~provos/spybye/
Honeytokens - http://www.securityfocus.com/infocus/1713
Browser Privacy/ Defenses
Browser Defenses
Adblock Plus (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
NoScript (Firefox Add-on) - http://www.noscript.net/
DieHard - http://www.diehard-software.org/
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/
SafeCache (Firefox Add-on) - http://www.safecache.com/
SafeHistory (Firefox Add-on) - http://www.safehistory.com/
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/
FireKeeper - http://firekeeper.mozdev.org/
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey
Browser Privacy
BetterPrivacy (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/trackmenot/
Privacy Bird - http://www.privacybird.com/
HTTPS Everywhere - https://www.eff.org/https-everywhere
