This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Appendix A: Testing Tools"

From OWASP
Jump to: navigation, search
(Final edit)
(Added Andrew's changes.)
Line 4: Line 4:
  
 
=== General Testing ===
 
=== General Testing ===
 
+
* '''[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP]'''
 +
**The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
 +
**ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
 
* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
 
* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
 
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins.
 
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins.
Line 12: Line 14:
 
*  '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
 
*  '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
 
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
 
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
* '''[[:OWASP Zed Attack Proxy Project]]'''
 
** The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
 
** ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
 
 
* '''[[:OWASP Mantra - Security Framework]]'''
 
* '''[[:OWASP Mantra - Security Framework]]'''
 
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
 
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.

Revision as of 22:22, 1 August 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project

Open Source Black Box Testing tools

General Testing


Testing for specific vulnerabilities

Testing for DOM XSS


Testing AJAX


Testing for SQL Injection


Testing Oracle


Testing SSL


Testing for Brute Force Password


Testing Buffer Overflow


Fuzzer


Googling


Commercial Black Box Testing tools


Source Code Analyzers

Open Source / Freeware


Commercial


Acceptance Testing Tools

Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.


Open Source Tools

  • WATIR - http://wtr.rubyforge.org
    • A Ruby based web testing framework that provides an interface into Internet Explorer.
    • Windows only.
  • HtmlUnit - http://htmlunit.sourceforge.net
    • A Java and JUnit based framework that uses the Apache HttpClient as the transport.
    • Very robust and configurable and is used as the engine for a number of other testing tools.
  • jWebUnit - http://jwebunit.sourceforge.net
    • A Java based meta-framework that uses htmlunit or selenium as the testing engine.
  • Canoo Webtest - http://webtest.canoo.com
    • An XML based testing tool that provides a facade on top of htmlunit.
    • No coding is necessary as the tests are completely specified in XML.
    • There is the option of scripting some elements in Groovy if XML does not suffice.
    • Very actively maintained.
  • HttpUnit - http://httpunit.sourceforge.net
    • One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
  • Watij - http://watij.com
    • A Java implementation of WATIR.
    • Windows only because it uses IE for its tests (Mozilla integration is in the works).
  • Solex - http://solex.sourceforge.net
    • An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
  • Selenium - http://seleniumhq.org/
    • JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
    • Mature and popular tool, but the use of JavaScript could hamper certain security tests.


Other Tools

Runtime Analysis


Binary Analysis


Requirements Management


Site Mirroring