Testing Tools Resource

Introduction

This appendix is intended to provide a list of common tools that are used for web application testing. It does not aim to be a complete tool reference, and the inclusion of a tool here should not be seen as a specific endorsement of that tool by OWASP.

The list contains only tools that are freely available to download and use (although they may have licenses restricting their use for commercial activity).

General Web Testing

Web Proxies

• ZAP
  • The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
  • ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
• Burp Suite Community Edition
  • Burp Suite is an intercepting proxy for security testing. It allows intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom TLS certificates and non-proxy-aware clients.
• Telerik Fiddler
  • Fiddler an intercepting web proxy that is primarily aimed at developers rather than penetration testers, but still provides useful functionality. It also hooks directly into the Windows HTTP APIs, allowing it to intercept traffic from some software that doesn’t allow custom proxies to be set.

Firefox Extensions

• Firefox HTTP Header Live
  • View HTTP headers of a page and while browsing.
• Firefox Multi-Account Containers
  • Create multiple containers, each of which have their own isolated cookies and sessions. Useful for testing access control between different users.
• Firefox Tamper Data
  • Use Tamper Data to view and modify HTTP/HTTPS headers and post parameters
• Firefox Web Developer
  • The Web Developer extension adds various web developer tools to the browser.

Chrome Extensions

• Chrome Web Developer
  • The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Chrome.
• HTTP Request Maker
  • Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
• Cookie Editor
  • Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies

Testing for Specific Vulnerabilities

Testing for SQL Injection

• sqlmap

Testing TLS

• OWASP O-Saft
• sslyze
• testssl.sh
• SSLScan
• SSLLabs

Testing for Brute Force Attacks

Hash Crackers

• John the Ripper
• hashcat

Remote Brute Force

• ZAP
• Patator
• THC Hydra
• Burp Suite Community Edition (Intruder)

Fuzzers

• Ffuf
• Wfuzz
• Jdam

Google Hacking

• Google Hacking database

Slow HTTP

• Slowloris
• slowhttptest

Site Mirroring

• wget
• wget for windows
• curl

Content Discovery

• Gobuster

Port and Service Discovery

• Nmap

Vulnerability Scanners

• ZAP
• Nikto
• Nuclei
• SecOps Solution

Exploitation Frameworks

• Metasploit
• BeEF

Linux Distributions

• Kali
• Parrot
• Samurai
• Santoku
• BlackArch

Source Code Analyzers

• Spotbugs
• Find Security Bugs
• phpcs-security-audit
• PMD
• Microsoft’s .NET Analyzers
• SonarQube Community Edition

Browser Automation Tools

Browser Automation tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

Open Source Tools

• HtmlUnit
  • A Java and JUnit based framework that uses the Apache HttpClient as the transport.
  • Very robust and configurable and is used as the engine for a number of other testing tools.
• Selenium
  • JavaScript based testing framework, cross-platform and provides a GUI for creating tests.