Difference between revisions of "Appendix A: Testing Tools"

OllyDbg: "A windows based debugger used for analyzing buffer overflow vulnerabilities" - http://www.ollydbg.de
Spike, A fuzzer framework that can be used to explore vulnerabilities and perform length testing - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
Brute Force Binary Tester (BFB), A proactive binary checker - http://bfbtester.sourceforge.net/
Metasploit, A rapid exploit development and Testing frame work - http://www.metasploit.com/projects/Framework/

Fuzzer

OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project

Googling

Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

Commercial Black Box Testing tools

Watchfire AppScan - http://www.watchfire.com
Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
SPI Dynamics WebInspect - http://www.spidynamics.com
Burp Intruder - http://portswigger.net/intruder
Acunetix Web Vulnerability Scanner - http://www.acunetix.com/
ScanDo - http://www.kavado.com
WebSleuth - http://www.sandsprite.com
NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester
Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/
MaxPatrol Security Scanner - http://www.maxpatrol.com/
Ecyware GreenBlue Inspector - http://www.ecyware.com/
Parasoft WebKing (more QA-type tool)

Source Code Analyzers

Open Source / Freeware

http://www.securesoftware.com
FlawFinder - http://www.dwheeler.com/flawfinder
Microsoft’s FXCop - http://www.gotdotnet.com/team/fxcop
Split - http://splint.org
Boon - http://www.cs.berkeley.edu/~daw/boon
Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

Commercial

Fortify - http://www.fortifysoftware.com
Ounce labs Prexis - http://www.ouncelabs.com
GrammaTech - http://www.grammatech.com
ParaSoft - http://www.parasoft.com
ITS4 - http://www.cigital.com/its4
CodeWizard - http://www.parasoft.com/products/wizard

Other Tools

Site Mirroring

wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
curl - http://curl.haxx.se
Sam Spade - http://www.samspade.org
Xenu - http://home.snafu.de/tilman/xenulink.html

OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents

@@ Line 4: / Line 4: @@
-==Black Box Testing tools==
+==Open Source Black Box Testing tools==
-===Open Source===
 * '''OWASP WebScarab''' - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br>
@@ Line 22: / Line 20: @@
 * Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org
 * Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html
-'''Googling'''<br>
-* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm
+=== Testing for specif vulnerabilities ===
 '''Testing AJAX '''<br>
 * OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project
-'''Testing SQL Injection '''<br>
+'''Testing for SQL Injection '''<br>
 * OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
 * Multiple DBMS Sql Injection tool - [SQL Power Injector]
@@ Line 34: / Line 33: @@
 * SQLmap - http://www.linux.it/~belch/creations/sqlmap-0.0.1.tgz
 * Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/<br>
-'''Testing SSL '''<br>
-* Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
-'''Fuzzer'''<br>
-* OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
 '''Testing Oracle'''
 * TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
 * Toad for Oracle - http://www.quest.com/toad
-'''Testing Brute Force'''
+'''Testing SSL '''<br>
+* Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
+'''Testing for Brute Force Password'''
 * THC Hydra - http://www.thc.org/thc-hydra/
 * John the Ripper - http://www.openwall.com/john/
@@ Line 47: / Line 44: @@
 '''Testing for HTTP Methods'''
 * NetCat - http://www.vulnwatch.org/netcat
+'''Testing Buffer Overflow'''
+*  OllyDbg: "A windows based debugger used for analyzing buffer overflow vulnerabilities" - http://www.ollydbg.de
+* Spike, A fuzzer framework that can be used to explore vulnerabilities and perform length testing - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
+* Brute Force Binary Tester (BFB), A proactive binary checker - http://bfbtester.sourceforge.net/
+* Metasploit, A rapid exploit development and Testing frame work - http://www.metasploit.com/projects/Framework/
+'''Fuzzer'''<br>
+* OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
+'''Googling'''<br>
+* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm
-===Commercial===
+==Commercial Black Box Testing tools==
 * Watchfire AppScan - http://www.watchfire.com
@@ Line 95: / Line 101: @@
 * BugScam - http://sourceforge.net/projects/bugscam
 * BugScan - http://www.hbgary.com
 ===Requirements Management===

Difference between revisions of "Appendix A: Testing Tools"

Revision as of 00:04, 19 November 2006

Open Source Black Box Testing tools

Testing for specif vulnerabilities

Commercial Black Box Testing tools

Source Code Analyzers

Open Source / Freeware

Commercial

Other Tools

Runtime Analysis

Binary Analysis

Requirements Management

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools