Difference between revisions of "Appendix A: Testing Tools"

Revision as of 19:53, 14 December 2006 (view source) Inquis (talk | contribs) m ← Older edit		Revision as of 15:59, 3 January 2007 (view source) Mmeucci (talk | contribs) Newer edit →
Line 128:		Line 128:
−	{{Category:OWASP Testing Project AoC}}	+	{{Category:OWASP Testing Project}}

---

Revision as of 15:59, 3 January 2007

[Up]
OWASP Testing Guide v2 Table of Contents

Open Source Black Box Testing tools

• OWASP WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
  

• OWASP CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
  
  • CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts. Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

• OWASP Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
  

• SPIKE - http://www.immunitysec.com
• Paros - http://www.proofsecure.com
• Burp Proxy - http://www.portswigger.net
• Achilles Proxy - http://www.mavensecurity.com/achilles
• Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
• Webstretch Proxy - http://sourceforge.net/projects/webstretch
  
• Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org
• Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html

Testing for specific vulnerabilities

Testing AJAX

• OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project

Testing for SQL Injection

• OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
• Multiple DBMS Sql Injection tool - [SQL Power Injector]
• MySql Blind Injection Bruteforcing, Reversing.org - [sqlbftools]
• Antonio Parata: Dump Files by sql inference on Mysql - [SqlDumper]
• Sqlninja: a SQL Server Injection&Takeover Tool - http://sqlninja.sourceforge.net
• Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net/
• Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
  
• SQLInjector - http://www.databasesecurity.com/sql-injector.htm

Testing Oracle

• TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
• Toad for Oracle - http://www.quest.com/toad

Testing SSL

• Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm

Testing for Brute Force Password

• THC Hydra - http://www.thc.org/thc-hydra/
• John the Ripper - http://www.openwall.com/john/
• Brutus - http://www.hoobie.net/brutus/

Testing for HTTP Methods

• NetCat - http://www.vulnwatch.org/netcat

Testing Buffer Overflow

• OllyDbg: "A windows based debugger used for analyzing buffer overflow vulnerabilities" - http://www.ollydbg.de
• Spike, A fuzzer framework that can be used to explore vulnerabilities and perform length testing - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
• Brute Force Binary Tester (BFB), A proactive binary checker - http://bfbtester.sourceforge.net/
• Metasploit, A rapid exploit development and Testing frame work - http://www.metasploit.com/projects/Framework/

Fuzzer

• OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project

Googling

• Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

Commercial Black Box Testing tools

• Typhon - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
• NGSSQuirreL - http://www.ngssoftware.com/products/database-security/
• Watchfire AppScan - http://www.watchfire.com
• Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
  
• SPI Dynamics WebInspect - http://www.spidynamics.com
• Burp Intruder - http://portswigger.net/intruder
  
• Acunetix Web Vulnerability Scanner - http://www.acunetix.com/
  
• ScanDo - http://www.kavado.com
• WebSleuth - http://www.sandsprite.com
• NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
  
• Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester
  
• Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/
  
• MaxPatrol Security Scanner - http://www.maxpatrol.com/
  
• Ecyware GreenBlue Inspector - http://www.ecyware.com/
  
• Parasoft WebKing (more QA-type tool)
  

Source Code Analyzers

Open Source / Freeware

• http://www.securesoftware.com
• FlawFinder - http://www.dwheeler.com/flawfinder
• Microsoft’s FXCop - http://www.gotdotnet.com/team/fxcop
• Split - http://splint.org
• Boon - http://www.cs.berkeley.edu/~daw/boon
• Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

Commercial

• Fortify - http://www.fortifysoftware.com
• Ounce labs Prexis - http://www.ouncelabs.com
• GrammaTech - http://www.grammatech.com
• ParaSoft - http://www.parasoft.com
• ITS4 - http://www.cigital.com/its4
• CodeWizard - http://www.parasoft.com/products/wizard

Acceptance Testing Tools

Acceptance testing tools are used validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

Open Source Tools

• WATIR - http://wtr.rubyforge.org/ - A Ruby based web testing framework that provides an interface into Internet Explorer. Windows only.
• HtmlUnit - http://htmlunit.sourceforge.net/ - A Java and JUnit based framework that uses the Apache HttpClient as the transport. Very robust and configurable and is used as the engine for a number of other testing tools.
• jWebUnit - http://jwebunit.sourceforge.net/ - A Java based meta-framework that uses htmlunit or selenium as the testing engine.
• Canoo Webtest - http://webtest.canoo.com/ - An XML based testing tool that provides a facade on top of htmlunit. No coding is necessary as the tests are completely specified in XML. There is the option of scripting some elements in Groovy if XML does not suffice. Very actively maintained.
• HttpUnit - http://httpunit.sourceforge.net/ - One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
• Watij - http://watij.com - A Java implementation of WATIR. Windows only because it uses IE for it's tests (Mozilla integration is in the works).
• Solex - http://solex.sourceforge.net/ - An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
• Selenium - http://www.openqa.org/selenium/ - JavaScript based testing framework, cross-platform and provides a GUI for creating tests. Mature and popular tool, but the use of JavaScript could hamper certain security tests.

Other Tools

Runtime Analysis

• Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

Binary Analysis

• BugScam - http://sourceforge.net/projects/bugscam
• BugScan - http://www.hbgary.com

Requirements Management

• Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

Site Mirroring

• wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
• curl - http://curl.haxx.se
• Sam Spade - http://www.samspade.org
• Xenu - http://home.snafu.de/tilman/xenulink.html

This project is part of the OWASP Breakers community. Feel free to browse other projects within the Defenders, Builders, and Breakers communities.

This project has produced a book that can be downloaded or purchased. Feel free to browse the full catalog of available OWASP books.

Share this: