WSTG - Latest

Testing Tools Resource


This appendix is intended to provide a list of common tools that are used for web application testing. It does not aim to be a complete tool reference, and the inclusion of a tool here should not be seen as a specific endorsement of that tool by OWASP.

The list contains only tools that are freely available to download and use (although they may have licenses restricting their use for commercial activity).

General Web Testing

Web Proxies

  • ZAP
    • The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
    • ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
  • Burp Suite Community Edition
    • Burp Suite is an intercepting proxy for security testing. It allows intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom TLS certificates and non-proxy-aware clients.
  • Telerik Fiddler
    • Fiddler an intercepting web proxy that is primarily aimed at developers rather than penetration testers, but still provides useful functionality. It also hooks directly into the Windows HTTP APIs, allowing it to intercept traffic from some software that doesn’t allow custom proxies to be set.

Firefox Extensions

Chrome Extensions

  • Chrome Web Developer
    • The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Chrome.
  • HTTP Request Maker
    • Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
  • Cookie Editor
    • Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies

Testing for Specific Vulnerabilities

Testing for SQL Injection

Testing TLS

Testing for Brute Force Attacks

Hash Crackers
Remote Brute Force


Google Hacking


Site Mirroring

Content Discovery

Port and Service Discovery

Vulnerability Scanners

Exploitation Frameworks

Linux Distributions

Source Code Analyzers

Browser Automation Tools

Browser Automation tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

Open Source Tools

  • HtmlUnit
    • A Java and JUnit based framework that uses the Apache HttpClient as the transport.
    • Very robust and configurable and is used as the engine for a number of other testing tools.
  • Selenium
    • JavaScript based testing framework, cross-platform and provides a GUI for creating tests.