This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Appendix A: Testing Tools

From OWASP

Revision as of 23:06, 18 November 2006 by Mmeucci (talk | contribs) (→‎Other Tools)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

[Up]
OWASP Testing Guide v2 Table of Contents

1 Black Box Testing tools
- 1.1 Open Source
- 1.2 Commercial
2 Source Code Analyzers
- 2.1 Open Source / Freeware
- 2.2 Commercial
3 Other Tools

Black Box Testing tools

Open Source

OWASP WebScarab

OWASP CAL9000

OWASP Pantera

SPIKE - http://www.immunitysec.com
Paros - http://www.proofsecure.com
Burp Proxy - http://www.portswigger.net
Achilles Proxy - http://www.mavensecurity.com/achilles
Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
Webstretch Proxy - http://sourceforge.net/projects/webstretch
Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org
Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html

Googling

Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

Testing AJAX

OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project

Testing SQL Injection

OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
SQLmap - http://www.linux.it/~belch/creations/sqlmap-0.0.1.tgz
Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/

Testing SSL

Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm

Fuzzer

OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project

Testing Oracle

TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
Toad for Oracle - http://www.quest.com/toad

Commercial

ScanDo - http://www.kavado.com
WebSleuth - http://www.sandsprite.com
SPI Dynamics WebInspect - http://www.spidynamics.com
Watchfire AppScan - http://www.watchfire.com
AppSecInc AppDetective for Web Apps
Cenzic Hailstorm
NT Objectives NTOSpider
Acunetix Web Vulnerability Scanner 2
Compuware DevPartner Fault Simulator
Fortify Pen Testing Team Tool
@stake Web Proxy 2.0
Burp Intruder
Sandsprite Web Sleuth
MaxPatrol 7
Syhunt Sandcat Scanner & Miner
TrustSecurityConsulting HTTPExplorer
Ecyware BlueGreen Inspector
NGS Typhon
Parasoft WebKing (more QA-type tool)

Source Code Analyzers

Open Source / Freeware

http://www.securesoftware.com
FlawFinder - http://www.dwheeler.com/flawfinder
Microsoft’s FXCop - http://www.gotdotnet.com/team/fxcop
Split - http://splint.org
Boon - http://www.cs.berkeley.edu/~daw/boon
Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

Commercial

Fortify - http://www.fortifysoftware.com
Ounce labs Prexis - http://www.ouncelabs.com
GrammaTech - http://www.grammatech.com
ParaSoft - http://www.parasoft.com
ITS4 - http://www.cigital.com/its4
CodeWizard - http://www.parasoft.com/products/wizard

Other Tools

Runtime Analysis

Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

Binary Analysis

BugScam - http://sourceforge.net/projects/bugscam
BugScan - http://www.hbgary.com

Requirements Management

Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

Site Mirroring

wget - http://www.gnu.org/software/wget
curl - http://curl.haxx.se

OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents

Retrieved from "https://wiki.owasp.org/index.php?title=Appendix_A:_Testing_Tools&oldid=13266"