Appendix A: Testing Tools
- 1 Open Source Black Box Testing tools
- 2 Commercial Black Box Testing tools
- 3 Source Code Analyzers
- 4 Acceptance Testing Tools
- 5 Other Tools
- 6 New OWASP Testing Guide
- 7 Old OWASP Testing Guides
- 8 Background and Motivation
- 9 Project History
- 10 Related
- 11 Feedback and Participation
- 12 Translations
- 13 Project About
Open Source Black Box Testing tools
- OWASP WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- OWASP CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
- CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts. Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
- SPIKE - http://www.immunitysec.com
- Paros - http://www.parosproxy.org
- Burp Proxy - http://www.portswigger.net
- Achilles Proxy - http://www.mavensecurity.com/achilles
- Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
- Webstretch Proxy - http://sourceforge.net/projects/webstretch
- Firefox LiveHTTPHeaders, Tamper Data and Developer Tools - http://www.mozdev.org
- Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html
Testing for specific vulnerabilities
- OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project
Testing for SQL Injection
- OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
- Multiple DBMS Sql Injection tool - [SQL Power Injector]
- MySql Blind Injection Bruteforcing, Reversing.org - [sqlbftools]
- Antonio Parata: Dump Files by sql inference on Mysql - [SqlDumper]
- Sqlninja: a SQL Server Injection&Takeover Tool - http://sqlninja.sourceforge.net
- Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net/
- Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
- SQLInjector - http://www.databasesecurity.com/sql-injector.htm
- bsqlbf-1.2-th - http://www.514.es
- TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
- Toad for Oracle - http://www.quest.com/toad
- Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
Testing for Brute Force Password
- THC Hydra - http://www.thc.org/thc-hydra/
- John the Ripper - http://www.openwall.com/john/
- Brutus - http://www.hoobie.net/brutus/
Testing for HTTP Methods
- NetCat - http://www.vulnwatch.org/netcat
Testing Buffer Overflow
- OllyDbg: "A windows based debugger used for analyzing buffer overflow vulnerabilities" - http://www.ollydbg.de
- Spike, A fuzzer framework that can be used to explore vulnerabilities and perform length testing - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
- Brute Force Binary Tester (BFB), A proactive binary checker - http://bfbtester.sourceforge.net/
- Metasploit, A rapid exploit development and testing framework - http://www.metasploit.com/projects/Framework/
- OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
- Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm
Commercial Black Box Testing tools
- Typhon - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
- NGSSQuirreL - http://www.ngssoftware.com/products/database-security/
- Watchfire AppScan - http://www.watchfire.com
- Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
- SPI Dynamics WebInspect - http://www.spidynamics.com
- Burp Intruder - http://portswigger.net/intruder
- Acunetix Web Vulnerability Scanner - http://www.acunetix.com/
- ScanDo - http://www.kavado.com
- WebSleuth - http://www.sandsprite.com
- NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
- Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester
- Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/
- MaxPatrol Security Scanner - http://www.maxpatrol.com/
- Ecyware GreenBlue Inspector - http://www.ecyware.com/
- Parasoft WebKing (more QA-type tool)
Source Code Analyzers
Open Source / Freeware
- FlawFinder - http://www.dwheeler.com/flawfinder
- Microsoft’s FXCop - http://www.gotdotnet.com/team/fxcop
- Splint - http://splint.org
- Boon - http://www.cs.berkeley.edu/~daw/boon
- Pscan - http://www.striker.ottawa.on.ca/~aland/pscan
- Fortify - http://www.fortifysoftware.com
- Ounce labs Prexis - http://www.ouncelabs.com
- GrammaTech - http://www.grammatech.com
- ParaSoft - http://www.parasoft.com
- ITS4 - http://www.cigital.com/its4
- CodeWizard - http://www.parasoft.com/products/wizard
Acceptance Testing Tools
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a unit testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security-specific tests in addition to functional tests.
Open Source Tools
- WATIR - http://wtr.rubyforge.org/ - A Ruby based web testing framework that provides an interface into Internet Explorer. Windows only.
- HtmlUnit - http://htmlunit.sourceforge.net/ - A Java and JUnit based framework that uses the Apache HttpClient as the transport. Very robust and configurable and is used as the engine for a number of other testing tools.
- jWebUnit - http://jwebunit.sourceforge.net/ - A Java based meta-framework that uses htmlunit or selenium as the testing engine.
- Canoo Webtest - http://webtest.canoo.com/ - An XML based testing tool that provides a facade on top of htmlunit. No coding is necessary as the tests are completely specified in XML. There is the option of scripting some elements in Groovy if XML does not suffice. Very actively maintained.
- HttpUnit - http://httpunit.sourceforge.net/ - One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
- Watij - http://watij.com - A Java implementation of WATIR. Windows only because it uses IE for its tests (Mozilla integration is in the works).
- Solex - http://solex.sourceforge.net/ - An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
Other Tools
- Rational PurifyPlus - http://www-306.ibm.com/software/awdtools
- Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro
- wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
- curl - http://curl.haxx.se
- Sam Spade - http://www.samspade.org
- Xenu - http://home.snafu.de/tilman/xenulink.html
This project is part of the OWASP Breakers community.
Feel free to browse other projects within the Defenders, Builders, and Breakers communities.
This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.
OWASP Testing Guide v3
16th December 2008: OWASP Testing Guide v3 is finished!
- You can download the Guide in PDF here
- Download the presentation here
- Browse the Testing Guide v3 on the wiki here
NEW: OWASP projects and resources you can use TODAY
16th April 2010 in London, OWASP leaders deliver a course focused on the main OWASP Projects.
Matteo Meucci will deliver a training course on the OWASP Testing Guide v3.
More information here
Video @ FOSDEM 09: here
This project's goal is to create a "best practices" web application penetration testing framework which users can implement in their own organizations and a "low level" web application penetration testing guide that describes how to find certain issues.
Version 3 of the Testing Guide was released in December 2008 after going through a major upgrade through the OWASP Summer of Code 2008.
History Behind Project
The OWASP Testing Guide originated in 2003 with Dan Cuthbert as one of the original editors. It was handed over to Eoin Keary in 2005 and moved onto the new OWASP wiki when it came online. Being in a wiki makes it easier for people to contribute and has made updating much easier. Matteo Meucci took on the Testing Guide after Eoin and shepherded it through the version 2 and version 3 updates, which have been significant improvements.
OWASP Testing Guide v3
Testing Guide v3: plan (archive)
26th April 2008: Version 3 of the Testing Guide started under OWASP Summer of Code 2008.
6th November 2008: Completed draft created and previewed at OWASP EU Summit 2008 in Portugal.
Final stable release in December 2008
OWASP Testing Guide v2
- You can read it online on the Testing Guide v2 wiki
- or download the Guide in Adobe PDF format or in Ms Doc format
OWASP Testing Guide v2 in Spanish: Now you can get a complete translation in Ms Doc format
Here you can find:
OWASP Testing Guide (v2+v3) Report Generator is found at http://yehg.net/lab/#wasarg.
The OWASP Testing Project Live CD
The OWASP Testing Project is currently implementing an application security Live CD.
LabRat Version 0.8 Alpha is just weeks away from Beta testing.
The aim of this CD is to have a complete testing suite on one disk. The CD shall also contain the forthcoming OWASP Testing Guide.
The Live CD now has its own section; you can find it here:
We hope you find the information in the OWASP Testing project useful. Please contribute back to the project by sending your comments, questions, and suggestions to the OWASP Testing mailing list. Thanks!
To join the OWASP Testing mailing list or view the archives, please visit the subscription page.
Thanks to the translators all around the world you can download the guide in the following languages:
- Chinese in PDF format (v3.0; translation of v4.0 in process). Thanks to the China-mainland chapter.
- Japanese in PDF format here (this is a 1st draft of v3.0, final release coming soon).
- Hebrew in PDF format (Risk Rating Methodology only for now). Thanks to Tal Argoni from TriadSec.
We invite you to explore and help us translate OWASP Testing Guide 4.0 at Crowdin. Please visit the URL below to start translating this project: