This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Appendix A: Testing Tools"

From OWASP
Jump to: navigation, search
Line 51: Line 51:
 
* '''Web Developer toolbar''' - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
 
* '''Web Developer toolbar''' - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
 
** The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
 
** The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
** '''HTTP Request Maker''' - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
+
* '''HTTP Request Maker''' - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
* Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
+
** Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
** '''Cookie Editor''' - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
+
* '''Cookie Editor''' - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
* Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
+
** Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
** '''Cookie swap''' - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
+
* '''Cookie swap''' - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
* Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.  
+
** Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.  
** '''Firebug lite for Chrome"" -  https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
+
* '''Firebug lite for Chrome"" -  https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
*Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elemements with your mouse, and live editing CSS properties
+
**Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elemements with your mouse, and live editing CSS properties
** '''Session Manager"" -  https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
+
* '''Session Manager"" -  https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
*With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
+
**With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
** '''Subgraph Vega''' - http://www.subgraph.com/products.html  
+
* '''Subgraph Vega''' - http://www.subgraph.com/products.html  
*Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
+
**Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
  
  

Revision as of 20:34, 2 April 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project

Open Source Black Box Testing tools

General Testing


Testing for specific vulnerabilities

Testing for DOM XSS

Testing AJAX

Testing for SQL Injection



Testing Oracle

Testing SSL

Testing for Brute Force Password


Testing Buffer Overflow

Fuzzer

Googling

Commercial Black Box Testing tools

Source Code Analyzers

Open Source / Freeware

Commercial

Acceptance Testing Tools

Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

Open Source Tools

  • WATIR - http://wtr.rubyforge.org
    • A Ruby based web testing framework that provides an interface into Internet Explorer.
    • Windows only.
  • HtmlUnit - http://htmlunit.sourceforge.net
    • A Java and JUnit based framework that uses the Apache HttpClient as the transport.
    • Very robust and configurable and is used as the engine for a number of other testing tools.
  • jWebUnit - http://jwebunit.sourceforge.net
    • A Java based meta-framework that uses htmlunit or selenium as the testing engine.
  • Canoo Webtest - http://webtest.canoo.com
    • An XML based testing tool that provides a facade on top of htmlunit.
    • No coding is necessary as the tests are completely specified in XML.
    • There is the option of scripting some elements in Groovy if XML does not suffice.
    • Very actively maintained.
  • HttpUnit - http://httpunit.sourceforge.net
    • One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
  • Watij - http://watij.com
    • A Java implementation of WATIR.
    • Windows only because it uses IE for its tests (Mozilla integration is in the works).
  • Solex - http://solex.sourceforge.net
    • An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
  • Selenium - http://seleniumhq.org/
    • JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
    • Mature and popular tool, but the use of JavaScript could hamper certain security tests.

Other Tools

Runtime Analysis

Binary Analysis

Requirements Management

Site Mirroring