This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Phoenix/Tools"
| Line 20: | Line 20: | ||
Charles - http://www.xk72.com/charles/<br/ > | Charles - http://www.xk72.com/charles/<br/ > | ||
Odysseus - http://www.bindshell.net/tools/odysseus<br/ > | Odysseus - http://www.bindshell.net/tools/odysseus<br/ > | ||
| + | Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br/ > | ||
<br/ > | <br/ > | ||
<b>RSnake's XSS cheat sheet based-tools, fuzzing, and encoding tools</b><br/ > | <b>RSnake's XSS cheat sheet based-tools, fuzzing, and encoding tools</b><br/ > | ||
| Line 62: | Line 63: | ||
<b>SQL injection scanning</b><br/ > | <b>SQL injection scanning</b><br/ > | ||
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br/ > | 0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br/ > | ||
| + | SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br/ > | ||
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br/ > | sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br/ > | ||
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br/ > | JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br/ > | ||
| Line 79: | Line 81: | ||
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br/ > | xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br/ > | ||
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br/ > | Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br/ > | ||
| + | MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br/ > | ||
<br/ > | <br/ > | ||
<b>Web application services that aid in web application security assessment</b><br/ > | <b>Web application services that aid in web application security assessment</b><br/ > | ||
| Line 97: | Line 100: | ||
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br/ > | Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br/ > | ||
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br/ > | Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br/ > | ||
| + | Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br/ > | ||
| + | Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br/ > | ||
| + | About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br/ > | ||
| + | Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br/ > | ||
<br/ > | <br/ > | ||
<b>PHP file inclusion scanning</b><br/ > | <b>PHP file inclusion scanning</b><br/ > | ||
| Line 127: | Line 134: | ||
User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br/ > | User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br/ > | ||
FlashBlock - http://flashblock.mozdev.org/<br/ > | FlashBlock - http://flashblock.mozdev.org/<br/ > | ||
| + | NoScript - http://www.noscript.net/<br/ > | ||
SeverSwitcher - https://addons.mozilla.org/firefox/2409/<br/ > | SeverSwitcher - https://addons.mozilla.org/firefox/2409/<br/ > | ||
httpOnly in Firefox - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br/ > | httpOnly in Firefox - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br/ > | ||
SafeCache<br/ > | SafeCache<br/ > | ||
SafeHistory<br/ > | SafeHistory<br/ > | ||
| − | PrefBar<br/ > | + | PrefBar - http://prefbar.mozdev.org/<br/ > |
QArchive.org web file checker - https://addons.mozilla.org/firefox/4115/<br/ > | QArchive.org web file checker - https://addons.mozilla.org/firefox/4115/<br/ > | ||
HeaderMonitor - https://addons.mozilla.org/firefox/575/<br/ > | HeaderMonitor - https://addons.mozilla.org/firefox/575/<br/ > | ||
| Line 137: | Line 145: | ||
refspoof - https://addons.mozilla.org/firefox/667/<br/ > | refspoof - https://addons.mozilla.org/firefox/667/<br/ > | ||
no-referrer<br/ > | no-referrer<br/ > | ||
| + | LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br/ > | ||
Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br/ > | Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br/ > | ||
<br/ > | <br/ > | ||
| Line 144: | Line 153: | ||
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br/ > | Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br/ > | ||
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br/ > | Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br/ > | ||
| + | RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br/ > | ||
| + | Javascript shell - http://www.squarefree.com/shell/<br/ > | ||
| + | Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br/ > | ||
<br/ > | <br/ > | ||
<b>Java web application security</b><br/ > | <b>Java web application security</b><br/ > | ||
Java Explorer - http://metal.hurlant.com/jexplore/<br/ > | Java Explorer - http://metal.hurlant.com/jexplore/<br/ > | ||
| + | HTTPClient - http://www.innovation.ch/java/HTTPClient/<br/ > | ||
<br/ > | <br/ > | ||
<b>SSL certificate checking / scanning</b><br/ > | <b>SSL certificate checking / scanning</b><br/ > | ||
| Line 153: | Line 166: | ||
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br/ > | Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br/ > | ||
<br/ > | <br/ > | ||
| + | <b>Honeyclients, Web Application, and Web Proxy honeypots</b><br/ > | ||
| + | HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br/ > | ||
| + | Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br/ > | ||
| + | Google Hack Honeypot - http://ghh.sourceforge.net/<br/ > | ||
| + | PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br/ > | ||
| + | <br/ > | ||
| + | <b>Blackhat SEO and maybe some whitehat SEO</b><br/ > | ||
| + | SearchStatus - http://www.quirk.biz/searchstatus/<br/ > | ||
| + | SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br/ > | ||
| + | <br/ > | ||
| + | <b>Footprinting for web application security</b><br/ > | ||
| + | Fierce Domain Scanner - http://ha.ckers.org/fierce/<br/ > | ||
| + | Googlegath - http://www.nothink.org/perl/googlegath/<br/ > | ||
Revision as of 03:19, 22 January 2007
[WIP]
LiveCD
Sunday, January 14, 2007 6:54 AM 817811456 AOC_Labrat-ALPHA-0008.iso - http://www.packetfocus.com/hackos/
Web application scanning
Wapiti - http://wapiti.sourceforge.net/
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/
HTTP proxying / editing
Burp - http://www.portswigger.net/
Paros - http://www.parosproxy.org/
Fiddler - http://www.fiddlertool.com/
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru - http://www.sensepost.com/research/suru/
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/
Charles - http://www.xk72.com/charles/
Odysseus - http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/
RSnake's XSS cheat sheet based-tools, fuzzing, and encoding tools
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz - http://sourceforge.net/projects/jbrofuzz
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/
Grabber - http://rgaucher.info/beta/grabber/
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
MielieTool - http://www.sensepostresearch.com
RFuzz - http://rfuzz.rubyforge.org/
[ZIP] WebFuzz - http://www.codebreakers-journal.com/index.php/CodeBreakersJournal/article/download/43/69
HTTP general testing / fingerprinting
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/
Load-balancing detector - http://ge.mine.nu/lbd.html
HMAP - http://ujeni.murkyroc.com/hmap/
Net-Square: httprint - http://net-square.com/httprint/
Wpoison: http stress testing - http://wpoison.sourceforge.net/
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/
Browser-based HTTP tampering / editing
TamperIE - http://www.bayden.com/Other/
isr-form - http://www.infobyte.com.ar/development.html
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/
Cookie editing / poisoning
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx
Ajax and XHR scanning
Sprajax - http://www.denimgroup.com/sprajax.html
SQL injection scanning
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap - http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/
Web application security malware, backdoors, and evil code
XSS Shell - http://ferruh.mavituna.com/article/?1338
XSS-Proxy - http://xss-proxy.sourceforge.net
AttackAPI - http://www.gnucitizen.org/projects/attackapi/
FFsniFF - http://azurit.gigahosting.cz/ffsniff/
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/
BeEF - http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/
What is my IP address? - http://reglos.de/myaddress/
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/
Web application services that aid in web application security assessment
net.toolkit - http://clez.net/
ServerSniff - http://www.serversniff.net/
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit - http://www.webmaster-toolkit.com/
Browser-based security fuzzing / checking
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html
COMRaider - http://labs.idefense.com
bcheck - http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1
PHP file inclusion scanning
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit
Web Application Firewall (WAF) rules and resources
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/
mod_security rules generator - http://noeljackson.com/tools/modsecurity/
Akismet: blog spam defense - http://akismet.com/
Web services enumeration / scanning / fuzzing
Net-square: wsChess - http://net-square.com/wschess/index.shtml
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
Web application static source-code analysis
Security compass web application auditing tools (SWAAT) - http://www.securitycompass.com/index.html
Add-ons for Firefox that help with general web application security
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/
HackBar - https://addons.mozilla.org/firefox/3899/
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html
IE Tab - https://addons.mozilla.org/firefox/1419/
User-Agent Switcher - https://addons.mozilla.org/firefox/59/
FlashBlock - http://flashblock.mozdev.org/
NoScript - http://www.noscript.net/
SeverSwitcher - https://addons.mozilla.org/firefox/2409/
httpOnly in Firefox - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
SafeCache
SafeHistory
PrefBar - http://prefbar.mozdev.org/
QArchive.org web file checker - https://addons.mozilla.org/firefox/4115/
HeaderMonitor - https://addons.mozilla.org/firefox/575/
RefControl - https://addons.mozilla.org/firefox/953/
refspoof - https://addons.mozilla.org/firefox/667/
no-referrer
LocationBar^2 - https://addons.mozilla.org/firefox/4014/
Fire Encrypter - https://addons.mozilla.org/firefox/3208/
Add-ons for Firefox that help with Javascript and Ajax web application security
Firebug - http://www.joehewitt.com/software/firebug/
Venkman - http://www.mozilla.org/projects/venkman/
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html
Javascript shell - http://www.squarefree.com/shell/
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/
Java web application security
Java Explorer - http://metal.hurlant.com/jexplore/
HTTPClient - http://www.innovation.ch/java/HTTPClient/
SSL certificate checking / scanning
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger - http://foundstone.com/resources/freetooldownload.htm?file=ssldigger.zip
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/
Honeyclients, Web Application, and Web Proxy honeypots
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/
Google Hack Honeypot - http://ghh.sourceforge.net/
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/
Blackhat SEO and maybe some whitehat SEO
SearchStatus - http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html
Footprinting for web application security
Fierce Domain Scanner - http://ha.ckers.org/fierce/
Googlegath - http://www.nothink.org/perl/googlegath/
