WSTG - v4.1
Testing Tools Resource
- OWASP ZAP
- The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
- ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- Burp Proxy
- Burp Proxy is an intercepting proxy server for security testing of web applications. It allows intercepting and modifying all HTTP(S) traffic passing in both directions, and it can work with custom SSL certificates and non-proxy-aware clients.
- Webstretch Proxy
- Webstretch Proxy enables users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
- Firefox HTTP Header Live
- View the HTTP headers of a page while browsing.
- Firefox Tamper Data
- Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters.
- Firefox Web Developer Tools
- The Web Developer extension adds various web developer tools to the browser.
- DOM Inspector
- DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM).
- Grendel-Scan is an automated security scanning tool for web applications that also supports manual penetration testing.
- SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing the security of Flash applications at runtime.
- w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
- Skipfish is an active web application security reconnaissance tool.
- Web Developer toolbar
- The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
- HTTP Request Maker
- Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests.
- Cookie Editor
- Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies.
- Cookie swap
- Swap My Cookies is a session manager. It manages cookies, letting you log in on any website with several different accounts.
- Session Manager
- With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, and rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e. the open tabs and windows.
- Subgraph Vega
- Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Testing for Specific Vulnerabilities
Testing for SQL Injection
- Sqlninja: a SQL Server Injection & Takeover Tool
- Bernardo Damele A. G.: sqlmap, automatic SQL injection tool
- Absinthe 1.1 (formerly SQLSqueal)
- SQLInjector - Uses inference techniques to extract data and determine the backend database server
- Bsqlbf-v2: A Perl script that allows extraction of data from blind SQL injections
- Pangolin: An automatic SQL injection penetration testing tool
- Multiple DBMS SQL Injection tool - SQL Power Injector
Testing for Brute Force Password
Testing Buffer Overflow
- “A Windows-based debugger used for analyzing buffer overflow vulnerabilities”
- A fuzzer framework that can be used to explore vulnerabilities and perform length testing
- Brute Force Binary Tester (BFB)
- A proactive binary checker
- A rapid exploit development and testing framework
Commercial Black-Box Testing Tools
- NGS Typhon
- IBM AppScan
- Burp Intruder
- Acunetix Web Vulnerability Scanner
- MaxPatrol Security Scanner
- Parasoft SOAtest (more QA-type tool)
- N-Stalker Web Application Security Scanner
- SoapUI (Web Service security testing)
- QualysGuard WAS
- IndusGuard Web
Source Code Analyzers
Open Source / Freeware
- Find Security Bugs
- Microsoft’s FxCop
- Checkmarx CxSuite
- Virtual Forge CodeProfiler for ABAP
- Peach Fuzzer
- Burp Suite
Acceptance Testing Tools
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a unit testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security-specific tests in addition to functional tests.
Open Source Tools
- A Java- and JUnit-based framework that uses the Apache HttpClient as the transport.
- Very robust and configurable; it is used as the engine for a number of other testing tools.
- A Java-based meta-framework that uses htmlunit or selenium as the testing engine.
- One of the first web testing frameworks; it suffers from using the native JDK-provided HTTP transport, which can be a bit limiting for security testing.
- An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.