Difference between revisions of "Phoenix/Tools"

Revision as of 17:08, 6 February 2007

[WIP]

LiveCD
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/

HTTP proxying / editing

Burp - http://www.portswigger.net/
Paros - http://www.parosproxy.org/
Fiddler - http://www.fiddlertool.com/
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru - http://www.sensepost.com/research/suru/
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/
Charles - http://www.xk72.com/charles/
Odysseus - http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/

RSnake's XSS cheat sheet based-tools, fuzzing, and encoding tools

Wapiti - http://wapiti.sourceforge.net/
Grabber - http://rgaucher.info/beta/grabber/
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz - http://sourceforge.net/projects/jbrofuzz
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
MielieTool - http://www.sensepostresearch.com
RFuzz - http://rfuzz.rubyforge.org/
[ZIP] WebFuzz - http://www.codebreakers-journal.com/index.php/CodeBreakersJournal/article/download/43/69
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/
HackBar - https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/

HTTP general testing / fingerprinting
WebInject - http://www.webinject.org/
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/
Load-balancing detector - http://ge.mine.nu/lbd.html
HMAP - http://ujeni.murkyroc.com/hmap/
Net-Square: httprint - http://net-square.com/httprint/
Wpoison: http stress testing - http://wpoison.sourceforge.net/
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/

Browser-based HTTP tampering / editing
TamperIE - http://www.bayden.com/Other/
isr-form - http://www.infobyte.com.ar/development.html
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/

Cookie editing / poisoning
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx

Ajax and XHR scanning
Sahi - http://sahi.co.in/
Sprajax - http://www.denimgroup.com/sprajax.html
Watir - http://wtr.rubyforge.org/
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/
Firebug Lite - http://www.getfirebug.com/lite.html

SQL injection scanning
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap - http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/

Web application security malware, backdoors, and evil code
XSS Shell - http://ferruh.mavituna.com/article/?1338
XSS-Proxy - http://xss-proxy.sourceforge.net
AttackAPI - http://www.gnucitizen.org/projects/attackapi/
FFsniFF - http://azurit.gigahosting.cz/ffsniff/
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/
BeEF - http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/
What is my IP address? - http://reglos.de/myaddress/
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/

Web application services that aid in web application security assessment
Netcraft - http://www.netcraft.net
AboutURL - http://www.abouturl.com/
net.toolkit - http://clez.net/
ServerSniff - http://www.serversniff.net/
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit - http://www.webmaster-toolkit.com/

Browser-based security fuzzing / checking
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html
COMRaider - http://labs.idefense.com
bcheck - http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1

PHP file inclusion scanning
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit

Web Application Firewall (WAF) rules and resources
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/
mod_security rules generator - http://noeljackson.com/tools/modsecurity/
Akismet: blog spam defense - http://akismet.com/
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/

Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c
Net-square: wsChess - http://net-square.com/wschess/index.shtml
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html
WSTool - http://wstool.sourceforge.net/

Web application static source-code analysis and threat-modeling
Pixy: a static analysis tool for detecting XSS vulnerabilities

- http://www.seclab.tuwien.ac.at/projects/pixy/

@@ Line 3: / Line 3: @@
 <b>LiveCD</b><br/ >
 Monday, January 29, 2007  4:02 PM    828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/<br/ >
-<br/ >
-<b>Web application scanning</b><br/ >
-<br/ >
-Wapiti - http://wapiti.sourceforge.net/<br/ >
-Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br/ >
 <br/ >
 <b>HTTP proxying / editing</b><br/ >
@@ Line 21: / Line 16: @@
 Odysseus - http://www.bindshell.net/tools/odysseus<br/ >
 Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br/ >
+Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br/ >
 <br/ >
 <b>RSnake's XSS cheat sheet based-tools, fuzzing, and encoding tools</b><br/ >
 <br/ >
+Wapiti - http://wapiti.sourceforge.net/<br/ >
+Grabber - http://rgaucher.info/beta/grabber/<br/ >
 HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br/ >
 JBroFuzz - http://sourceforge.net/projects/jbrofuzz<br/ >
@@ Line 29: / Line 27: @@
 XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br/ >
 WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br/ >
-Grabber - http://rgaucher.info/beta/grabber/<br/ >
 Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br/ >
 MielieTool - http://www.sensepostresearch.com<br/ >
 RFuzz - http://rfuzz.rubyforge.org/<br/ >
 [ZIP] WebFuzz - http://www.codebreakers-journal.com/index.php/CodeBreakersJournal/article/download/43/69<br/ >
+Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br/ >
+HackBar - https://addons.mozilla.org/firefox/3899/<br/ >
 Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br/ >
 <br/ >
 <b>HTTP general testing / fingerprinting</b><br/ >
+WebInject - http://www.webinject.org/<br/ >
 Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br/ >
 JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br/ >
@@ Line 54: / Line 54: @@
 <br/ >
 <b>Cookie editing / poisoning</b><br/ >
+[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz<br/ >
 Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br/ >
 CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br/ >
@@ Line 60: / Line 61: @@
 <br/ >
 <b>Ajax and XHR scanning</b><br/ >
+Sahi - http://sahi.co.in/<br/ >
 Sprajax - http://www.denimgroup.com/sprajax.html<br/ >
 Watir - http://wtr.rubyforge.org/<br/ >
 RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br/ >
+Firebug Lite - http://www.getfirebug.com/lite.html<br/ >
 <br/ >
 <b>SQL injection scanning</b><br/ >
@@ Line 132: / Line 135: @@
 <br/ >
 <b>Web application static source-code analysis and threat-modeling</b><br/ >
+Pixy: a static analysis tool for detecting XSS vulnerabilities
+ - http://www.seclab.tuwien.ac.at/projects/pixy/<br/ >
 Security compass web application auditing tools (SWAAT) - http://www.securitycompass.com/index.html<br/ >
 ITS4 - http://www.cigital.com/its4/<br/ >
@@ Line 148: / Line 153: @@
 Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br/ >
 XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br/ >
-HackBar - https://addons.mozilla.org/firefox/3899/<br/ >
+Public Fox - https://addons.mozilla.org/firefox/3911/<br/ >
 XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br/ >
 MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br/ >
@@ Line 213: / Line 218: @@
 TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/<br/ >
 Privacy Bird - http://www.privacybird.com/<br/ >
+<br/ >
+<b>Application and protocol fuzzing (for standard server remote execution)</b><br/ >
+SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br/ >
+taof: The Art of Fuzzing - http://taof.sourceforge.net/<br/ >
+zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br/ >
+GPF: general purpose fuzzer - http://appliedsec.com/developers.html<br/ >
+autodafé: an act of software torture - http://autodafe.sourceforge.net/<br/ >
+Security bug catcher - http://lasecwww.epfl.ch/~oechslin/projects/bugcatcher/<br/ >
+PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br/ >

Difference between revisions of "Phoenix/Tools"

Revision as of 17:08, 6 February 2007

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools