WSTG - Stable

Testing Tools Resource

General Web Testing

  • OWASP ZAP
    • The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
    • ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
  • Burp Proxy
    • Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
  • Firefox HTTP Header Live
    • View HTTP headers of a page and while browsing.
  • Firefox Tamper Data
    • Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
  • Firefox Web Developer
    • The Web Developer extension adds various web developer tools to the browser.
  • w3af
    • w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
  • Chrome Web Developer
    • The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Chrome.
  • HTTP Request Maker
    • Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
  • Cookie Editor
    • Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
  • Session Manager
    • With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.

Testing for Specific Vulnerabilities

Testing for JavaScript Security, DOM XSS

Testing for SQL Injection

Testing Oracle

Testing SSL

Testing for Brute Force Attacks

Password Crackers
Remote Brute Force

Testing Buffer Overflow

  • OllyDbg
    • “A windows based debugger used for analyzing buffer overflow vulnerabilities”
  • Spike
    • A fuzzer framework that can be used to explore vulnerabilities and perform length testing
  • Brute Force Binary Tester (BFB)
    • A proactive binary checker
  • Metasploit
    • A rapid exploit development and Testing frame work

Fuzzer

Googling

Slow HTTP

Commercial Black-Box Testing Tools

Linux Distrubtions

Source Code Analyzers

Open Source / Freeware

Commercial

Acceptance Testing Tools

Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

Open Source Tools

  • HtmlUnit
    • A Java and JUnit based framework that uses the Apache HttpClient as the transport.
    • Very robust and configurable and is used as the engine for a number of other testing tools.
  • Selenium
    • JavaScript based testing framework, cross-platform and provides a GUI for creating tests.

Other Tools

Binary Analysis

Site Mirroring