Testing Tools Resource

Introduction

This appendix is intended to provide a list of common tools that are used for web application testing. It does not aim to be a complete tool reference, and the inclusion of a tool here should not be seen as a specific endorsement of that tool by OWASP.

The list contains only tools that are freely available to download and use (although they may have licenses restricting their use for commercial activity).

General Web Testing

Web Proxies

• ZAP
  • The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
    • ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
• Burp Suite Community Edition
  • Burp Suite is an intercepting proxy for security testing. It allows intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom TLS certificates and non-proxy-aware clients.
• Telerik Fiddler
  • Fiddler is an intercepting web proxy that is primarily aimed at developers rather than penetration testers, but still provides useful functionality. It also hooks directly into the Windows HTTP APIs, allowing it to intercept traffic from some software that doesn’t allow custom proxies to be set.

Firefox Extensions

• Firefox HTTP Header Live
  • View HTTP headers of a page and while browsing.
• Firefox Multi-Account Containers
  • Create multiple containers, each of which have their own isolated cookies and sessions. Useful for testing access control between different users.
• Firefox Tamper Data
  • Use Tamper Data to view and modify HTTP/HTTPS headers and post parameters
• Firefox Web Developer
  • The Web Developer extension adds various web developer tools to the browser.

Chrome Extensions

• Chrome Web Developer
  • The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Chrome.
• Cookie Editor
  • A powerful and easy to use browser extension that allows you to quickly create, edit and delete cookies for the current tab. Useful for developing, testing, or manually managing cookies.

Testing for Specific Vulnerabilities

Testing for SQL Injection

• sqlmap

Testing TLS

• OWASP O-Saft
• sslyze
• testssl.sh
• SSLScan
• SSLLabs

Testing for Brute Force Attacks

Hash Crackers

• John the Ripper
• hashcat

Remote Brute Force

• ZAP
• Patator
• THC Hydra
• Burp Suite Community Edition (Intruder)

Fuzzers

• Ffuf
• Wfuzz
• Jdam

Google Hacking

• Google Hacking database

Slow HTTP

• Slowloris
• slowhttptest

Site Mirroring

• wget
• wget for windows
• cURL

Content Discovery

• Gobuster
• Waybackurls
  • Waybackurls fetches all URLs known to the Wayback Machine for a given domain, useful for reconnaissance.
  • Usage:

waybackurls example.com

• GAU (Get All URLs)
  • GAU collects URLs from multiple public archives, including the Wayback Machine and Common Crawl.
  • Usage:

gau example.com

• Unfurl
  • Unfurl extracts subdomains, paths, and parameters from URLs for deeper analysis.
  • Usage:

unfurl "https://example.com/page?query=123"

Port and Service Discovery

• Nmap

Vulnerability Scanners

• ZAP
• Nikto
• Nuclei
• SecOps Solution

Exploitation Frameworks

• Metasploit
• BeEF

Linux Distributions

• Kali
• Parrot
• Samurai
• Santoku
• BlackArch

Source Code Analyzers

• Spotbugs
• Find Security Bugs
• phpcs-security-audit
• PMD
• Microsoft’s .NET Analyzers
• SonarQube Community Edition

Browser Automation Tools

Browser Automation tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

Open Source Tools

• HtmlUnit - HtmlUnit is a GUI-less browser for Java programs. It models HTML documents and provides an API to invoke pages, fill out forms, click links, and interact with JavaScript and complex AJAX libraries. It can simulate Chrome, Firefox, or Edge depending on configuration, and is typically used for automated testing or web scraping. HtmlUnit can also be used as a Selenium-compatible browser via the htmlunit-driver. The latest stable release is 4.21.0 (org.htmlunit:htmlunit:4.21.0).
  • GitHub Repository: HtmlUnit/htmlunit
• Selenium
  • JavaScript based testing framework, cross-platform and provides a GUI for creating tests.

Online Resources for Security Testing Tool Comparison

In addition to individual tools listed in this appendix, practitioners often need resources that help compare and evaluate security testing tools across categories such as SAST, DAST, SCA, and API security.

The following freely available resources provide curated comparisons and evaluation guidance.

AppSec Santa Tool Comparison

• AppSec Santa
  • A curated comparison of more than 160 application security tools across categories such as SAST, DAST, SCA, API Security, container security, and more.

Security Headers Analyzer

• SecurityHeaders
  • A free online tool that analyzes HTTP response headers and highlights missing or misconfigured security protections such as Content Security Policy, HSTS, and X-Frame-Options.

ZAP (Zed Attack Proxy) Documentation

Official documentation and learning resources for the ZAP (Zed Attack Proxy) dynamic application security testing tool.

• ZAP Documentation

Nuclei Templates Project

A large open-source repository of vulnerability detection templates used for automated security scanning.

• Nuclei Templates