This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "Appendix A: Testing Tools"

Jump to: navigation, search
(Open Source / Freeware)
(Open Source / Freeware)
Line 78: Line 78:
===Open Source / Freeware===
===Open Source / Freeware===
* '''[[OWASP_LAPSE_Project|OWASP LAPSE]]''' -
* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]''' -
* PMD -
* PMD -
* FlawFinder -
* FlawFinder -

Revision as of 12:06, 31 August 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Open Source Black Box Testing tools

Testing for specific vulnerabilities

Testing AJAX

Testing for SQL Injection

Testing Oracle

Testing SSL

Testing for Brute Force Password

Testing for HTTP Methods

Testing Buffer Overflow



Commercial Black Box Testing tools

Source Code Analyzers

Open Source / Freeware


Acceptance Testing Tools

Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

Open Source Tools

  • WATIR - - A Ruby based web testing framework that provides an interface into Internet Explorer. Windows only.
  • HtmlUnit - - A Java and JUnit based framework that uses the Apache HttpClient as the transport. Very robust and configurable and is used as the engine for a number of other testing tools.
  • jWebUnit - - A Java based meta-framework that uses htmlunit or selenium as the testing engine.
  • Canoo Webtest - - An XML based testing tool that provides a facade on top of htmlunit. No coding is necessary as the tests are completely specified in XML. There is the option of scripting some elements in Groovy if XML does not suffice. Very actively maintained.
  • HttpUnit - - One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
  • Watij - - A Java implementation of WATIR. Windows only because it uses IE for it's tests (Mozilla integration is in the works).
  • Solex - - An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
  • Selenium - - JavaScript based testing framework, cross-platform and provides a GUI for creating tests. Mature and popular tool, but the use of JavaScript could hamper certain security tests.

Other Tools

Runtime Analysis

Binary Analysis

Requirements Management

Site Mirroring