Difference between revisions of "Appendix A: Testing Tools"

Revision as of 23:46, 18 November 2006

[Up]
OWASP Testing Guide v2 Table of Contents

Black Box Testing tools

Open Source

• OWASP WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
  

• OWASP CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
  

• OWASP Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
  

• SPIKE - http://www.immunitysec.com
• Paros - http://www.proofsecure.com
• Burp Proxy - http://www.portswigger.net
• Achilles Proxy - http://www.mavensecurity.com/achilles
• Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
• Webstretch Proxy - http://sourceforge.net/projects/webstretch
  
• Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org
• Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html

Googling

• Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

Testing AJAX

• OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project

Testing SQL Injection

• OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
• SQLmap - http://www.linux.it/~belch/creations/sqlmap-0.0.1.tgz
• Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
  

Testing SSL

• Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm

Fuzzer

• OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project

Testing Oracle

• TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
• Toad for Oracle - http://www.quest.com/toad

Testing Brute Force

• THC Hydra - http://www.thc.org/thc-hydra/
• John the Ripper - http://www.openwall.com/john/
• Brutus - http://www.hoobie.net/brutus/

Testing for HTTP Methods

• NetCat - http://www.vulnwatch.org/netcat

Commercial

• Watchfire AppScan - http://www.watchfire.com
• Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
  
• SPI Dynamics WebInspect - http://www.spidynamics.com
• Burp Intruder - http://portswigger.net/intruder
  
• Acunetix Web Vulnerability Scanner - http://www.acunetix.com/
  
• ScanDo - http://www.kavado.com
• WebSleuth - http://www.sandsprite.com
• NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
  
• Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester
  
• Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/
  
• MaxPatrol Security Scanner - http://www.maxpatrol.com/
  
• Ecyware GreenBlue Inspector - http://www.ecyware.com/
  
• Parasoft WebKing (more QA-type tool)
  

Source Code Analyzers

Open Source / Freeware

• http://www.securesoftware.com
• FlawFinder - http://www.dwheeler.com/flawfinder
• Microsoft’s FXCop - http://www.gotdotnet.com/team/fxcop
• Split - http://splint.org
• Boon - http://www.cs.berkeley.edu/~daw/boon
• Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

Commercial

• Fortify - http://www.fortifysoftware.com
• Ounce labs Prexis - http://www.ouncelabs.com
• GrammaTech - http://www.grammatech.com
• ParaSoft - http://www.parasoft.com
• ITS4 - http://www.cigital.com/its4
• CodeWizard - http://www.parasoft.com/products/wizard

Other Tools

Runtime Analysis

• Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

Binary Analysis

• BugScam - http://sourceforge.net/projects/bugscam
• BugScan - http://www.hbgary.com

Requirements Management

• Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

Site Mirroring

• wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
• curl - http://curl.haxx.se
• Sam Spade - http://www.samspade.org
• Xenu - http://home.snafu.de/tilman/xenulink.html

OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents