Sunday, March 25, 2012

OWASP Testing Tools


Testing grounds


Test sites

SPI Dynamics (live) -
Cenzic (live) -
Watchfire (live) -
Acunetix (live) -
WebMaven / Buggy Bank -
Foundstone SASS tools -
Updated HackmeBank -
OWASP WebGoat -
OWASP SiteGenerator -
Stanford SecuriBench -
SecuriBench Micro -
Google’s web application training - 
OWASP TOP 10 LAB (Online) -

External Assessment


Add-ons for Firefox that help with general web application security

Web Developer Toolbar -
Plain Old Webserver (POW) -
XML Developer Toolbar -
Public Fox -
XForms Buddy -
MR Tech Local Install -
Nightly Tester Tools -
IE Tab -
User-Agent Switcher -
ServerSwitcher -
HeaderMonitor -
RefControl -
refspoof -
No-Referrer -
LocationBar^2 -
SpiderZilla -
Slogger -
Fire Encrypter -

Browser-based HTTP tampering / editing / replaying

Add-ons for Firefox that help with Javascript and Ajax web application security

Bookmarklets that aid in web application security

RSnake's security bookmarklets -
BMlets -
Huge list of bookmarklets -
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality -
Bookmarklets every blogger should have -
Flat Bookmark Editing (Firefox Add-on) -
OpenBook and Update Bookmark (Firefox Add-ons) -

Footprinting for web application security

Evolution -
GooSweep -
Aura: Google API Utility Tools -
Edge-Security tools -
Fierce Domain Scanner -
Googlegath -
Advanced Dork (Firefox Add-on) -
Passive Cache (Firefox Add-on) -
CacheOut! (Firefox Add-on) -
BugMeNot Extension (Firefox Add-on) -
DiggiDig (Firefox Add-on) -
Digger (Firefox Add-on) -


SSL certificate checking / scanning

HTTP proxying / editing

WebScarab -
Burp Suite -
Paros -
Paros fork #1: Zed Attack Proxy (ZAP) -
Paros fork #2: Andiparos -
Fiddler -
Web Proxy Editor -
Pantera -
Suru -
httpedit (curses-based) -
Charles -
Odysseus -
Burp, Paros, and WebScarab for Mac OS X -
Web-application scanning tool from `Network Security Tools'/O'Reilly -
JS Commander -
Ratproxy -
Arachni -

RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools

Wfuzz -
ProxMon -
Wapiti -
Grabber -
XSSScan -
CAL9000 -
EnDe -
HTMangLe -
JBroFuzz -
J-Baah -
XSSFuzz -
WhiteAcid's XSS Assistant -
Overlong UTF -
[TGZ] MielieTool (SensePost Research) -
RegFuzzer: test your regular expression filter -
screamingCobra -
SPIKE and SPIKE Proxy -
RFuzz -
WebFuzz -
TestMaker -
ASP Auditor -
WSTool -
Web Hack Control Center (WHCC) -
Web Text Converter -
HackBar (Firefox Add-on) -
Net-Force Tools (NF-Tools, Firefox Add-on) -
PostIntercepter (Greasemonkey script) -
fuzzdb -
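Several entries above (EnDe, Web Text Converter, Overlong UTF) exist because filters that inspect raw bytes and decoders that tolerate non-canonical UTF-8 disagree about what a request says. The following is an added example, not code from any of the listed tools: it builds overlong UTF-8 encodings of `<` and `>`, shows that a byte-level blacklist lets them through, that a tolerant decoder (written here to mimic historic behaviour) turns them back into `<script>`, and that Python's strict decoder rejects them. All inputs are constructed.

```python
"""Overlong UTF-8: why byte-level blacklists fail and strict decoding matters.
Added example for this page; the payloads are constructed, not taken from any tool."""


def overlong_utf8(cp: int, length: int) -> bytes:
    """Encode code point `cp` in `length` bytes (2..4) even when a shorter form exists.
    RFC 3629 forbids these forms; tolerant decoders historically accepted them."""
    if not 2 <= length <= 4:
        raise ValueError("length must be 2, 3 or 4")
    lead_marker = {2: 0xC0, 3: 0xE0, 4: 0xF0}[length]
    cont = []
    for _ in range(length - 1):          # low six bits go into each continuation byte
        cont.append(0x80 | (cp & 0x3F))
        cp >>= 6
    lead = lead_marker | cp              # whatever is left goes into the lead byte
    if lead >= 0x100:
        raise ValueError("code point does not fit in that many bytes")
    return bytes([lead] + cont[::-1])


def lenient_decode(data: bytes) -> str:
    """A deliberately tolerant decoder: trusts the lead byte's length bits and never
    checks that the shortest form was used. Used here only to show what a vulnerable
    consumer would see; do not use it for real input."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if b & 0xE0 == 0xC0:
            n, cp = 2, b & 0x1F
        elif b & 0xF0 == 0xE0:
            n, cp = 3, b & 0x0F
        elif b & 0xF8 == 0xF0:
            n, cp = 4, b & 0x07
        else:
            raise ValueError("bad lead byte")
        if i + n > len(data):
            raise ValueError("truncated sequence")
        for c in data[i + 1:i + n]:
            if c & 0xC0 != 0x80:
                raise ValueError("bad continuation byte")
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def naive_byte_filter(data: bytes) -> bool:
    """A byte-level blacklist of the kind weak input filters use: True means 'clean'."""
    return b"<" not in data and b">" not in data


def strict_decode(data: bytes):
    """Python's UTF-8 decoder rejects overlong forms; None signals rejection."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def demo() -> dict:
    """For each overlong length, report what the filter, the lenient decoder and the
    strict decoder make of the same bytes."""
    results = {}
    for n in (2, 3, 4):
        payload = overlong_utf8(ord("<"), n) + b"script" + overlong_utf8(ord(">"), n)
        results[n] = {
            "bytes": payload.hex(),
            "passes_filter": naive_byte_filter(payload),
            "lenient": lenient_decode(payload),
            "strict": strict_decode(payload),
        }
    return results


if __name__ == "__main__":
    for n, r in demo().items():
        print(n, r)
```

The practical rule this illustrates: decode to code points first, with a decoder that rejects overlong and invalid sequences, and only then apply any character-based policy; a filter that runs on the undecoded bytes is checking a different string from the one the application will act on.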

HTTP general testing / fingerprinting

Wbox: HTTP testing tool -
ht://Check -
WebInject - Home Page -
JoeDog's Siege -
OPEN-LABS: metoscan (http method testing) -
Load-balancing detector -
Net-Square: httprint -
Wpoison: http stress testing -
Net-square: MSNPawn -
hcraft: HTTP Vuln Request Crafter -
rfp.labs: LibWhisker -
Nikto -
Websecurify -
w3af: Web Application Attack and Audit Framework -
twill -
DirBuster -
[ZIP] DFF Scanner -
[ZIP] The Elza project - (dead link)
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled -
dead, vanished links (March/2012)
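Two items in this list, metoscan (HTTP method testing) and httprint (fingerprinting), probe a server by sending requests it may not expect and reading how it answers. The following is an added example, not the code of either tool: a small method scanner in the style of metoscan, run against a constructed local test server that deliberately implements TRACE so the cross-site tracing exposure (the request, cookies included, echoed back in the body) is visible in the findings. The method list, the "risky" set and the canary cookie are assumptions for the demo.

```python
"""HTTP method testing (metoscan-style) against a constructed local target.
Added example; the target server answers TRACE on purpose so the finding is observable."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "PROPFIND"]
# Methods that a normal web application should not expose (assumption for the demo).
RISKY = {"PUT", "DELETE", "TRACE", "PROPFIND"}
CANARY = "session=canary"


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed target: serves GET/HEAD/OPTIONS and, unsafely, echoes TRACE.
    Anything else falls through to BaseHTTPRequestHandler's 501 response."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        # Cross-site tracing exposure: the whole request, headers included, comes back.
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)


def scan_methods(host: str, port: int, path: str = "/") -> dict:
    """Send each method once, with a canary cookie, and record status, the Allow header
    (if any), whether a risky method was accepted, and whether the cookie was echoed."""
    findings = {}
    for method in METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path, headers={"Cookie": CANARY})
        resp = conn.getresponse()
        body = resp.read()
        findings[method] = {
            "status": resp.status,
            "allow": resp.getheader("Allow"),
            "risky": method in RISKY and resp.status < 400,
            "echoes_cookie": CANARY.encode() in body,
        }
        conn.close()
    return findings


def run_demo() -> dict:
    """Start the constructed target on a free loopback port, scan it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return scan_methods("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for method, f in run_demo().items():
        flag = " <-- risky" if f["risky"] else ""
        print(f"{method:9} {f['status']}{flag}", "(echoes cookie)" if f["echoes_cookie"] else "")
```

Against a real target, point `scan_methods` at the host and also try the methods per directory, not just `/`: WebDAV methods and PUT are often enabled only on specific paths, and an `Allow` header from OPTIONS is a hint, not a guarantee, of what the server will actually honour.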

Cookie editing / poisoning


Browser-based security fuzzing / checking

Zalewski's MangleMe - (mangle.cgi dead link)
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan -
Peach Fuzzer Framework - (old link)
TagBruteForcer -
PROTOS Test-Suite: c05-http-reply -
COMRaider - (dead link)
BrowserCheck -
Stealing information using DNS pinning demo -
Javascript Website Login Checker -
Mozilla Activex - (old link)
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) -
Test your installation of Java software -
WebPageFingerprint - Light-weight Greasemonkey Fuzzer -
dead, vanished links (March/2012)
bcheck -
Cross-browser Exploit Tests -
Jungsonn's Black Dragon Project -
Vulnerable Adobe Plugin Detection For UXSS PoC -
About Flash: is your flash up-to-date? -
Stop-Phishing: Projects page -
LinkScanner - (seems to be a vendor link now)

Application and protocol fuzzing (random instead of targeted)

Sulley -
taof: The Art of Fuzzing -
zzuf: multipurpose fuzzer -
autodafé: an act of software torture -
dead, vanished links (March/2012)
EFS and GPF: Evolutionary Fuzzing System -

Ajax and XHR scanning

SQL injection scanning

Web services enumeration / scanning / fuzzing

3rd party services that aid in web application security assessment

Server side stuff

PHP static analysis and file inclusion scanning

Pixy: Open source flow based discovery of XSS and SQLi - Static analysis for PHP -
Unl0ck Research Team: tool for searching in google for include bugs -
FIS: File Inclusion Scanner -
PHPSecAudit -

PHP Defensive Tools

PHPInfoSec - Check phpinfo configuration for security -
Greasemonkey Replacement can be found at
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools -
PHP-Login-Info-Checker (strictly enforces that admins and users choose stronger passwords; test it via loginfo_checker.php?testlic) -
php-DDOS-Shield (deters naive distributed bots that stop flooding once they receive an HTTP 503 status code) -
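The Php-Brute-Force-Attack Detector entry above describes spotting scanners and brute-force tools from the traffic they leave in web server logs. The following is an added example, not that tool's code: a detector that parses Apache combined-format lines and raises three per-IP signals inside a sliding window, a burst of 404s (directory or file guessing), repeated POSTs to a login endpoint, and a known scanner User-Agent. The thresholds, the scanner UA list and the log lines are constructed for the demo; in a real deployment the login path and thresholds come from the site being protected.

```python
"""Brute-force / scanner detection over web server access logs.
Added example inspired by the Php-Brute-Force-Attack Detector entry; not that tool's code.
Thresholds, UA list and log lines below are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = ("nikto", "dirbuster", "w3af", "sqlmap", "wfuzz")   # assumed list
LOGIN_PATH = "/login.php"                                       # assumed for the demo


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(seconds=60), max_404=10, max_login_posts=5) -> dict:
    """Return {ip: [reasons]} for every source that trips at least one signal.
    Each record opens a window; counts are taken over records within `window` after it."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        for i, start in enumerate(recs):
            if any(s in start["ua"].lower() for s in SCANNER_UA):
                reasons.add("scanner user-agent")
            win = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            if sum(1 for r in win if r["status"] == 404) >= max_404:
                reasons.add("404 burst")
            if sum(1 for r in win if r["method"] == "POST" and r["path"] == LOGIN_PATH) >= max_login_posts:
                reasons.add("login brute force")
        if reasons:
            alerts[ip] = sorted(reasons)
    return alerts


def sample_log() -> list:
    """Constructed traffic: one path-guesser, one login brute-forcer, one sqlmap run,
    and one ordinary visitor who logs in once."""
    base = datetime(2012, 3, 25, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {st} 512 "-" "{ua}"'

    def line(ip, secs, m, p, st, ua="Mozilla/5.0"):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, m=m, p=p, st=st, ua=ua)

    lines = [line("10.0.0.5", i, "GET", f"/admin{i}", 404) for i in range(12)]
    lines += [line("10.0.0.7", 5 * i, "POST", LOGIN_PATH, 200) for i in range(6)]
    lines += [line("10.0.0.9", i, "GET", f"/article.php?id={i}", 200,
                   ua="sqlmap/1.0-dev (http://sqlmap.org)") for i in range(3)]
    lines += [line("192.168.1.20", 0, "GET", "/", 200),
              line("192.168.1.20", 8, "GET", LOGIN_PATH, 200),
              line("192.168.1.20", 15, "POST", LOGIN_PATH, 302),
              line("192.168.1.20", 20, "GET", "/account.php", 200)]
    return lines


if __name__ == "__main__":
    for ip, reasons in detect(sample_log()).items():
        print(ip, ", ".join(reasons))
```

A User-Agent match is the weakest of the three signals (every listed tool lets the operator change it), so it is worth keeping as a low-confidence hint rather than a blocking rule; the rate-based signals hold up regardless of what the client claims to be.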

Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources

APIDS on Wikipedia -
PHP Intrusion Detection System (PHP-IDS) -
dotnetids -
Secure Science InterScout -
Remo: whitelist rule editor for mod_security -
GotRoot: ModSecurity rules -
The Web Security Gateway (WSGW) -
mod_security rules generator -
Mod_Anti_Tamper -
[TGZ] Automatic Rules Generation for Mod_Security -
AQTRONIX WebKnight -
Akismet: blog spam defense -
Samoa: Formal tools for securing web services -
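Remo and the two ModSecurity rule generators above share one idea: instead of blacklisting attack strings, learn from trusted traffic which paths, methods and parameters the application actually uses, then reject anything outside that positive model. The following is an added example that is not any of those tools' code and does not emit ModSecurity syntax; it implements the learning and checking logic in plain Python so the model is easy to inspect. The value classes, the training requests and the test requests are all constructed.

```python
"""Positive-security (whitelist) model learned from trusted traffic.
Added example; the value classes and all requests below are constructed for the demo."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Value classes a parameter may be learned into (assumed set for the demo).
PATTERNS = {
    "digits": re.compile(r"^\d{1,10}$"),
    "alnum": re.compile(r"^[A-Za-z0-9_-]{1,64}$"),
    "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$"),
    "text": re.compile(r"^[\w .,'-]{1,256}$"),
}


def classify(value: str):
    """Return the first class whose pattern accepts the value, or None."""
    for name, rx in PATTERNS.items():
        if rx.match(value):
            return name
    return None


def learn(requests) -> dict:
    """requests: iterable of (method, url) taken from traffic believed to be legitimate.
    Produces {path: {"methods": set, "params": {name: set(classes)}}}. A value that fits
    no class is a curation problem in the training set, so it raises instead of widening
    the model silently."""
    model = defaultdict(lambda: {"methods": set(), "params": defaultdict(set)})
    for method, url in requests:
        parts = urlsplit(url)
        rule = model[parts.path]
        rule["methods"].add(method)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            cls = classify(value)
            if cls is None:
                raise ValueError(f"unclassifiable training value for {name!r}: {value!r}")
            rule["params"][name].add(cls)
    return dict(model)


def check(model: dict, method: str, url: str) -> list:
    """Return the list of violations; an empty list means the request fits the model."""
    parts = urlsplit(url)
    rule = model.get(parts.path)
    if rule is None:
        return [f"unknown path {parts.path}"]
    violations = []
    if method not in rule["methods"]:
        violations.append(f"method {method} not allowed on {parts.path}")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        allowed = rule["params"].get(name)
        if allowed is None:
            violations.append(f"unexpected parameter {name}")
            continue
        if classify(value) not in allowed:
            violations.append(f"parameter {name} value {value!r} outside {sorted(allowed)}")
    return violations


# Constructed trusted traffic used to build the model.
TRAINING = [
    ("GET", "/article.php?id=17"),
    ("GET", "/article.php?id=42"),
    ("POST", "/login.php?user=alice&remember=1"),
    ("GET", "/search.php?q=web+application+security"),
]


def build_model() -> dict:
    return learn(TRAINING)


if __name__ == "__main__":
    m = build_model()
    for req in [("GET", "/article.php?id=18"),
                ("GET", "/article.php?id=17'+OR+1=1--"),
                ("GET", "/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E"),
                ("DELETE", "/article.php?id=1"),
                ("GET", "/article.php?id=1&debug=1")]:
        print(req, check(m, *req) or "ok")
```

The weakness of a learned whitelist is the training set: anything the application legitimately does but that was not observed becomes a false positive, which is why the rule editors listed above exist, to review and widen the generated model by hand before it is enforced.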


Web application non-specific static source-code analysis

Pixy: a static analysis tool for detecting XSS vulnerabilities -
Brixoft.Net: Source Edit -
Security compass web application auditing tools (SWAAT) -
An even more complete list here -
A nice list that claims some demos available -
A smaller, but also good list -
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package.

Static analysis for C/C++ (CGI, ISAPI, etc) in web applications

Java static analysis, security frameworks, and web application security tools

CodePro Analytix -
HDIV Struts -
Orizon -
FindBugs: Find bugs in Java programs -
CUTE: A Concolic Unit Testing Engine for C and Java -
JLint -
Java PathFinder -
Fujaba: Move between UML and Java source code -
Checkstyle -
Cookie Revolver Security Framework -
tinapoc -
jarsigner -
Solex -
Java Explorer -
HTTPClient -
another HttpClient -
a list of code coverage and analysis tools for Java -

Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET

Database security assessment

Scuba by Imperva Database Vulnerability Scanner -

Threat modeling

Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) -
Amenaza: Attack Tree Modeling (SecurITree) -
Octotrike -
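SecurITree and Trike both reason about attack trees: a goal at the root, OR nodes for alternative ways to reach it, AND nodes for steps that must all succeed, and attacker cost or effort on the leaves. The following is an added example, not code from either tool: it evaluates such a tree for the cheapest attack, enumerates every distinct attack scenario, and shows how modelling a control as a cost increase on one leaf changes which path is cheapest. The tree, its leaves and the cost values are constructed.

```python
"""Attack tree evaluation (cheapest path, scenario enumeration, effect of a control).
Added example in the spirit of SecurITree / Trike; the tree and costs are constructed."""
import copy
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "AND", "OR" or "LEAF"
    cost: float = 0.0           # attacker cost for a LEAF, in assumed units
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node) -> float:
    """OR takes the cheapest child, AND needs all children, LEAF is its own cost."""
    if node.kind == "LEAF":
        return node.cost
    costs = [min_cost(c) for c in node.children]
    return sum(costs) if node.kind == "AND" else min(costs)


def cheapest_path(node: Node) -> List[str]:
    """Leaf names making up the cheapest attack."""
    if node.kind == "LEAF":
        return [node.name]
    if node.kind == "AND":
        return [leaf for c in node.children for leaf in cheapest_path(c)]
    return cheapest_path(min(node.children, key=min_cost))


def scenarios(node: Node) -> List[Tuple[List[str], float]]:
    """Every distinct attack as (leaves, total cost); AND takes the cartesian product."""
    if node.kind == "LEAF":
        return [([node.name], node.cost)]
    if node.kind == "OR":
        return [s for c in node.children for s in scenarios(c)]
    combos: List[Tuple[List[str], float]] = [([], 0.0)]
    for c in node.children:
        combos = [(leaves + more, cost + extra)
                  for leaves, cost in combos for more, extra in scenarios(c)]
    return combos


def with_control(root: Node, leaf_name: str, new_cost: float) -> Node:
    """Model a mitigation as raising one leaf's cost; the original tree is left intact."""
    tree = copy.deepcopy(root)
    stack = [tree]
    while stack:
        n = stack.pop()
        if n.kind == "LEAF" and n.name == leaf_name:
            n.cost = new_cost
        stack.extend(n.children)
    return tree


def build_tree() -> Node:
    """Constructed tree for a web application's admin session."""
    return Node("Obtain admin session", "OR", children=[
        Node("Steal admin cookie", "AND", children=[
            Node("Find reflected XSS", cost=20),
            Node("Get admin to open link", cost=30),
        ]),
        Node("Guess admin password", cost=10),        # no lockout, weak policy
        Node("Dump and crack hashes", "AND", children=[
            Node("Find SQL injection", cost=40),
            Node("Crack password hash", cost=60),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("cheapest:", min_cost(tree), cheapest_path(tree))
    hardened = with_control(tree, "Guess admin password", 500)   # lockout + strong policy
    print("after control:", min_cost(hardened), cheapest_path(hardened))
    for leaves, cost in scenarios(hardened):
        print(f"  {cost:>6}  {' + '.join(leaves)}")
```

Comparing `min_cost` before and after each candidate control is the quantitative part of the exercise; the qualitative part, deciding which leaves exist and what they cost a given attacker, is what the modelling tools above are for.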


RSS extensions and caching

Blackhat SEO and maybe some whitehat SEO

SearchStatus (Firefox Add-on) -
SEO for Firefox (Firefox Add-on) -
SEOQuake (Firefox Add-on) -
Analytics seo -

Web application security malware, backdoors, and evil code

Jikto -
XSS Shell -
XSS-Proxy -
AttackAPI -
FFsniFF -
HoneyBlog's web-based junkyard -
BeEF -
Firefox Extension Scanner (FEX) -
What is my IP address? -
xRumer: blogspam automation tool -
SpyJax -
Greasecarnaval -
Technika -
Load-AttackAPI bookmarklet -
MD's Projects: JS port scanner, pinger, backdoors, etc -

Honeyclients, Web Application, and Web Proxy honeypots

Honeyclient Project: an open-source honeyclient -
HoneyC: the low-interaction honeyclient -
Capture: a high-interaction honeyclient -
Google Hack Honeypot -
PHP.Hop - PHP Honeynet Project -
SpyBye -
Honeytokens -

Browser Privacy/ Defenses

Browser Defenses

DieHard -
LocalRodeo (Firefox Add-on) -
Request Rodeo -
FlashBlock (Firefox Add-on) -
CookieSafe (Firefox Add-on) -
NoScript (Firefox Add-on) -
FormFox (Firefox Add-on) -
Adblock (Firefox Add-on) -
httpOnly in Firefox (Firefox Add-on) -
SafeCache (Firefox Add-on) -
SafeHistory (Firefox Add-on) -
PrefBar (Firefox Add-on) -
All-in-One Sidebar (Firefox Add-on) -
web file checker (Firefox Add-on) -
Update Notifier (Firefox Add-on) -
FireKeeper -
Greasemonkey: XSS Malware Script Detector -

Browser Privacy

TrackMeNot (Firefox Add-on) -
Privacy Bird -
HTTPS Everywhere -
