WSTG - Latest
Testing Tools Resource
This appendix is intended to provide a list of common tools that are used for web application testing. It does not aim to be a complete tool reference, and the inclusion of a tool here should not be seen as a specific endorsement of that tool by OWASP.
The list contains only tools that are freely available to download and use (although they may have licenses restricting their use for commercial activity).
General Web Testing
- The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
- ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- Burp Suite Community Edition
- Burp Suite is an intercepting proxy for security testing. It allows intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom TLS certificates and non-proxy-aware clients.
- Telerik Fiddler
- Fiddler an intercepting web proxy that is primarily aimed at developers rather than penetration testers, but still provides useful functionality. It also hooks directly into the Windows HTTP APIs, allowing it to intercept traffic from some software that doesn’t allow custom proxies to be set.
- Firefox HTTP Header Live
- View HTTP headers of a page and while browsing.
- Firefox Multi-Account Containers
- Create multiple containers, each of which have their own isolated cookies and sessions. Useful for testing access control between different users.
- Firefox Tamper Data
- Use Tamper Data to view and modify HTTP/HTTPS headers and post parameters
- Firefox Web Developer
- The Web Developer extension adds various web developer tools to the browser.
- Chrome Web Developer
- The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Chrome.
- HTTP Request Maker
- Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
- Cookie Editor
- Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
Testing for Specific Vulnerabilities
Testing for SQL Injection
Testing for Brute Force Attacks
Remote Brute Force
Port and Service Discovery
Source Code Analyzers
- Find Security Bugs
- Microsoft’s .NET Analyzers
- SonarQube Community Edition
Browser Automation Tools
Browser Automation tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.