This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Phoenix/Tools"
From OWASP
| Line 3: | Line 3: | ||
Please send comments or questions to the Phoenix-OWASP mailing-list.<br/ > | Please send comments or questions to the Phoenix-OWASP mailing-list.<br/ > | ||
<br/ > | <br/ > | ||
| − | <b> | + | <b>LiveCDs</b><br/ > |
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/<br/ > | Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/<br/ > | ||
| + | DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/<br/ > | ||
<br/ > | <br/ > | ||
<b>HTTP proxying / editing</b><br/ > | <b>HTTP proxying / editing</b><br/ > | ||
<br/ > | <br/ > | ||
| + | WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br/ > | ||
Burp - http://www.portswigger.net/<br/ > | Burp - http://www.portswigger.net/<br/ > | ||
Paros - http://www.parosproxy.org/<br/ > | Paros - http://www.parosproxy.org/<br/ > | ||
| Line 22: | Line 24: | ||
<b>RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools</b><br/ > | <b>RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools</b><br/ > | ||
<br/ > | <br/ > | ||
| + | ProxMon - http://www.isecpartners.com/proxmon.html<br/ > | ||
Wapiti - http://wapiti.sourceforge.net/<br/ > | Wapiti - http://wapiti.sourceforge.net/<br/ > | ||
Grabber - http://rgaucher.info/beta/grabber/<br/ > | Grabber - http://rgaucher.info/beta/grabber/<br/ > | ||
| Line 35: | Line 38: | ||
RFuzz - http://rfuzz.rubyforge.org/<br/ > | RFuzz - http://rfuzz.rubyforge.org/<br/ > | ||
[ZIP] WebFuzz - http://www.codebreakers-journal.com/index.php/CodeBreakersJournal/article/download/43/69<br/ > | [ZIP] WebFuzz - http://www.codebreakers-journal.com/index.php/CodeBreakersJournal/article/download/43/69<br/ > | ||
| + | TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br/ > | ||
| + | ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br/ > | ||
WSTool - http://wstool.sourceforge.net/<br/ > | WSTool - http://wstool.sourceforge.net/<br/ > | ||
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br/ > | Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br/ > | ||
| Line 42: | Line 47: | ||
<br/ > | <br/ > | ||
<b>HTTP general testing / fingerprinting</b><br/ > | <b>HTTP general testing / fingerprinting</b><br/ > | ||
| + | ht://Check - http://htcheck.sourceforge.net/<br/ > | ||
| + | Mumsie - http://www.lurhq.com/tools/mumsie.html<br/ > | ||
WebInject - http://www.webinject.org/<br/ > | WebInject - http://www.webinject.org/<br/ > | ||
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br/ > | Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br/ > | ||
| Line 71: | Line 78: | ||
<b>Ajax and XHR scanning</b><br/ > | <b>Ajax and XHR scanning</b><br/ > | ||
Sahi - http://sahi.co.in/<br/ > | Sahi - http://sahi.co.in/<br/ > | ||
| + | scRUBYt - http://scrubyt.org/<br/ > | ||
| + | jQuery - http://jquery.com/<br/ > | ||
Sprajax - http://www.denimgroup.com/sprajax.html<br/ > | Sprajax - http://www.denimgroup.com/sprajax.html<br/ > | ||
Watir - http://wtr.rubyforge.org/<br/ > | Watir - http://wtr.rubyforge.org/<br/ > | ||
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br/ > | RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br/ > | ||
| + | SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br/ > | ||
Firebug Lite - http://www.getfirebug.com/lite.html<br/ > | Firebug Lite - http://www.getfirebug.com/lite.html<br/ > | ||
firewaitr - http://code.google.com/p/firewatir/<br/ > | firewaitr - http://code.google.com/p/firewatir/<br/ > | ||
| Line 87: | Line 97: | ||
<br/ > | <br/ > | ||
<b>Web application security malware, backdoors, and evil code</b><br/ > | <b>Web application security malware, backdoors, and evil code</b><br/ > | ||
| + | Jikto - http://busin3ss.name/jikto-in-the-wild<br/ > | ||
XSS Shell - http://ferruh.mavituna.com/article/?1338<br/ > | XSS Shell - http://ferruh.mavituna.com/article/?1338<br/ > | ||
XSS-Proxy - http://xss-proxy.sourceforge.net<br/ > | XSS-Proxy - http://xss-proxy.sourceforge.net<br/ > | ||
| Line 122: | Line 133: | ||
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br/ > | Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br/ > | ||
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br/ > | Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br/ > | ||
| + | Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br/ > | ||
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br/ > | About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br/ > | ||
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br/ > | Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br/ > | ||
| Line 135: | Line 147: | ||
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br/ > | The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br/ > | ||
mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br/ > | mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br/ > | ||
| + | Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br/ > | ||
| + | [TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br/ > | ||
Akismet: blog spam defense - http://akismet.com/<br/ > | Akismet: blog spam defense - http://akismet.com/<br/ > | ||
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br/ > | Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br/ > | ||
| Line 146: | Line 160: | ||
<br/ > | <br/ > | ||
<b>Web application static source-code analysis and threat-modeling</b><br/ > | <b>Web application static source-code analysis and threat-modeling</b><br/ > | ||
| + | Orizon - http://sourceforge.net/projects/orizon/<br/ > | ||
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br/ > | Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br/ > | ||
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br/ > | Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br/ > | ||
| Line 159: | Line 174: | ||
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx<br/ > | Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx<br/ > | ||
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br/ > | FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br/ > | ||
| + | BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/<br/ > | ||
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br/ > | Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br/ > | ||
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br/ > | Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br/ > | ||
<br/ > | <br/ > | ||
| + | Octotrike - http://www.octotrike.org/<br/ > | ||
<b>Add-ons for Firefox that help with general web application security</b><br/ > | <b>Add-ons for Firefox that help with general web application security</b><br/ > | ||
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br/ > | Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br/ > | ||
| Line 181: | Line 198: | ||
<br/ > | <br/ > | ||
<b>Add-ons for Firefox that help with Javascript and Ajax web application security</b><br/ > | <b>Add-ons for Firefox that help with Javascript and Ajax web application security</b><br/ > | ||
| + | Selenium IDE - http://www.openqa.org/selenium-ide/<br/ > | ||
Firebug - http://www.joehewitt.com/software/firebug/<br/ > | Firebug - http://www.joehewitt.com/software/firebug/<br/ > | ||
Venkman - http://www.mozilla.org/projects/venkman/<br/ > | Venkman - http://www.mozilla.org/projects/venkman/<br/ > | ||
| Line 190: | Line 208: | ||
<br/ > | <br/ > | ||
<b>Java web application security</b><br/ > | <b>Java web application security</b><br/ > | ||
| + | Checkstyle - http://checkstyle.sourceforge.net/<br/ > | ||
| + | Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br/ > | ||
| + | tinapoc - http://sourceforge.net/projects/tinapoc<br/ > | ||
| + | jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br/ > | ||
| + | Solex - http://solex.sourceforge.net/<br/ > | ||
Java Explorer - http://metal.hurlant.com/jexplore/<br/ > | Java Explorer - http://metal.hurlant.com/jexplore/<br/ > | ||
HTTPClient - http://www.innovation.ch/java/HTTPClient/<br/ > | HTTPClient - http://www.innovation.ch/java/HTTPClient/<br/ > | ||
| Line 203: | Line 226: | ||
Google Hack Honeypot - http://ghh.sourceforge.net/<br/ > | Google Hack Honeypot - http://ghh.sourceforge.net/<br/ > | ||
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br/ > | PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br/ > | ||
| + | SpyBye - http://www.monkey.org/~provos/spybye/<br/ > | ||
| + | Honeytokens - http://www.securityfocus.com/infocus/1713<br/ > | ||
<br/ > | <br/ > | ||
<b>Blackhat SEO and maybe some whitehat SEO</b><br/ > | <b>Blackhat SEO and maybe some whitehat SEO</b><br/ > | ||
| Line 220: | Line 245: | ||
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br/ > | Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br/ > | ||
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br/ > | FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br/ > | ||
| + | CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497<br/ > | ||
NoScript (Firefox Add-on) - http://www.noscript.net/<br/ > | NoScript (Firefox Add-on) - http://www.noscript.net/<br/ > | ||
Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br/ > | Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br/ > | ||
| Line 227: | Line 253: | ||
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br/ > | PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br/ > | ||
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br/ > | QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br/ > | ||
| + | FireKeeper - http://firekeeper.mozdev.org/<br/ > | ||
<br/ > | <br/ > | ||
<b>Browser Privacy</b><br/ > | <b>Browser Privacy</b><br/ > | ||
Revision as of 02:51, 11 April 2007
Please send comments or questions to the Phoenix-OWASP mailing-list.
LiveCDs
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/
HTTP proxying / editing
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp - http://www.portswigger.net/
Paros - http://www.parosproxy.org/
Fiddler - http://www.fiddlertool.com/
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru - http://www.sensepost.com/research/suru/
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/
Charles - http://www.xk72.com/charles/
Odysseus - http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/
RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools
ProxMon - http://www.isecpartners.com/proxmon.html
Wapiti - http://wapiti.sourceforge.net/
Grabber - http://rgaucher.info/beta/grabber/
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz - http://sourceforge.net/projects/jbrofuzz
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml
RFuzz - http://rfuzz.rubyforge.org/
[ZIP] WebFuzz - http://www.codebreakers-journal.com/index.php/CodeBreakersJournal/article/download/43/69
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/
WSTool - http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/
HTTP general testing / fingerprinting
ht://Check - http://htcheck.sourceforge.net/
Mumsie - http://www.lurhq.com/tools/mumsie.html
WebInject - http://www.webinject.org/
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/
Load-balancing detector - http://ge.mine.nu/lbd.html
HMAP - http://ujeni.murkyroc.com/hmap/
Net-Square: httprint - http://net-square.com/httprint/
Wpoison: http stress testing - http://wpoison.sourceforge.net/
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp
Nikto - http://www.cirt.net/code/nikto.shtml
twill - http://twill.idyll.org/
Browser-based HTTP tampering / editing
TamperIE - http://www.bayden.com/Other/
isr-form - http://www.infobyte.com.ar/development.html
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/
Cookie editing / poisoning
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx
Ajax and XHR scanning
Sahi - http://sahi.co.in/
scRUBYt - http://scrubyt.org/
jQuery - http://jquery.com/
Sprajax - http://www.denimgroup.com/sprajax.html
Watir - http://wtr.rubyforge.org/
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
Firebug Lite - http://www.getfirebug.com/lite.html
firewaitr - http://code.google.com/p/firewatir/
SQL injection scanning
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap - http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/
Web application security malware, backdoors, and evil code
Jikto - http://busin3ss.name/jikto-in-the-wild
XSS Shell - http://ferruh.mavituna.com/article/?1338
XSS-Proxy - http://xss-proxy.sourceforge.net
AttackAPI - http://www.gnucitizen.org/projects/attackapi/
FFsniFF - http://azurit.gigahosting.cz/ffsniff/
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/
BeEF - http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/
What is my IP address? - http://reglos.de/myaddress/
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval
Technika - http://www.gnucitizen.org/projects/technika/
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/
Web application services that aid in web application security assessment
Netcraft - http://www.netcraft.net
AboutURL - http://www.abouturl.com/
net.toolkit - http://clez.net/
ServerSniff - http://www.serversniff.net/
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit - http://www.webmaster-toolkit.com/
Browser-based security fuzzing / checking
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider - http://labs.idefense.com
bcheck - http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1
PHP file inclusion scanning
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit
Web Application Firewall (WAF) rules and resources
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/
mod_security rules generator - http://noeljackson.com/tools/modsecurity/
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
Akismet: blog spam defense - http://akismet.com/
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/
Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c
Net-square: wsChess - http://net-square.com/wschess/index.shtml
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html
Web application static source-code analysis and threat-modeling
Orizon - http://sourceforge.net/projects/orizon/
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/
Security compass web application auditing tools (SWAAT) - http://www.securitycompass.com/index.html
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/
ITS4 - http://www.cigital.com/its4/
FlawFinder - http://www.dwheeler.com/flawfinder/
Splint - http://www.splint.org/
Valgrind - http://www.valgrind.org/
FxCop - http://www.gotdotnet.com/team/fxcop/
RATS - http://www.securesoftware.com/resources/download_rats.html
PMD - http://pmd.sourceforge.net/
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php
Octotrike - http://www.octotrike.org/
Add-ons for Firefox that help with general web application security
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/
Public Fox - https://addons.mozilla.org/firefox/3911/
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html
IE Tab - https://addons.mozilla.org/firefox/1419/
User-Agent Switcher - https://addons.mozilla.org/firefox/59/
SeverSwitcher - https://addons.mozilla.org/firefox/2409/
HeaderMonitor - https://addons.mozilla.org/firefox/575/
RefControl - https://addons.mozilla.org/firefox/953/
refspoof - https://addons.mozilla.org/firefox/667/
No-Referrer - https://addons.mozilla.org/firefox/1999/
LocationBar^2 - https://addons.mozilla.org/firefox/4014/
Fire Encrypter - https://addons.mozilla.org/firefox/3208/
Add-ons for Firefox that help with Javascript and Ajax web application security
Selenium IDE - http://www.openqa.org/selenium-ide/
Firebug - http://www.joehewitt.com/software/firebug/
Venkman - http://www.mozilla.org/projects/venkman/
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html
Javascript shell - http://www.squarefree.com/shell/
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/
Java web application security
Checkstyle - http://checkstyle.sourceforge.net/
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver
tinapoc - http://sourceforge.net/projects/tinapoc
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
Solex - http://solex.sourceforge.net/
Java Explorer - http://metal.hurlant.com/jexplore/
HTTPClient - http://www.innovation.ch/java/HTTPClient/
SSL certificate checking / scanning
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger - http://foundstone.com/resources/freetooldownload.htm?file=ssldigger.zip
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/
Honeyclients, Web Application, and Web Proxy honeypots
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/
Google Hack Honeypot - http://ghh.sourceforge.net/
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/
SpyBye - http://www.monkey.org/~provos/spybye/
Honeytokens - http://www.securityfocus.com/infocus/1713
Blackhat SEO and maybe some whitehat SEO
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html
Footprinting for web application security
Fierce Domain Scanner - http://ha.ckers.org/fierce/
Googlegath - http://www.nothink.org/perl/googlegath/
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/
Browser Defenses
DieHard - http://www.diehard-software.org/
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497
NoScript (Firefox Add-on) - http://www.noscript.net/
Adblock (Firefox Add-on) - http://adblock.mozdev.org/
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
SafeCache (Firefox Add-on) - http://www.safecache.com/
SafeHistory (Firefox Add-on) - http://www.safehistory.com/
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/
FireKeeper - http://firekeeper.mozdev.org/
Browser Privacy
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/
Privacy Bird - http://www.privacybird.com/
Application and protocol fuzzing (random instead of targeted)
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/
GPF: general purpose fuzzer - http://appliedsec.com/developers.html
autodafé: an act of software torture - http://autodafe.sourceforge.net/
