WSTG - v4.2
Testing Tools Resource
General Web Testing
- OWASP ZAP
- The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
- ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- Burp Proxy
- Burp Proxy is an intercepting proxy server for security testing of web applications. It allows intercepting and modifying all HTTP(S) traffic passing in both directions, and it can work with custom SSL certificates and non-proxy-aware clients.
- Firefox HTTP Header Live
- View the HTTP headers of a page while browsing.
- Firefox Tamper Data
- Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters.
- Firefox Web Developer
- The Web Developer extension adds various web developer tools to the browser.
- w3af
- w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
- Chrome Web Developer
- The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Chrome.
- HTTP Request Maker
- Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests.
- Cookie Editor
- Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies.
- Session Manager
- With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, and rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e., the opened tabs and windows.
Testing for Specific Vulnerabilities
Testing for JavaScript Security, DOM XSS
Testing for SQL Injection
Testing Oracle
Testing SSL
Testing for Brute Force Attacks
Password Crackers
Remote Brute Force
Testing Buffer Overflow
- OllyDbg
- “A Windows-based debugger used for analyzing buffer overflow vulnerabilities”
- Spike
- A fuzzer framework that can be used to explore vulnerabilities and perform length testing
- Brute Force Binary Tester (BFB)
- A proactive binary checker
- Metasploit
- A rapid exploit development and testing framework
Fuzzer
Googling
Slow HTTP
Commercial Black-Box Testing Tools
- NGS Typhon
- HCL AppScan
- Burp Intruder
- Acunetix Web Vulnerability Scanner
- MaxPatrol Security Scanner
- Parasoft SOAtest (more QA-type tool)
- N-Stalker Web Application Security Scanner
- SoapUI (Web Service security testing)
- Netsparker
- SAINT
- QualysGuard WAS
- IndusFace WAS
- Fortify WebInspect
Linux Distributions
Source Code Analyzers
Open Source / Freeware
Commercial
- Checkmarx CxSuite
- GrammaTech
- ITS4
- ParaSoft
- Virtual Forge CodeProfiler for ABAP
- Veracode
- Peach Fuzzer
- Burp Suite
- Fortify SCA
Acceptance Testing Tools
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a unit testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security-specific tests in addition to functional tests.
Open Source Tools
- HtmlUnit
- A Java- and JUnit-based framework that uses the Apache HttpClient as the transport.
- Very robust and configurable; it is used as the engine for a number of other testing tools.
- Selenium
- A JavaScript-based, cross-platform testing framework that provides a GUI for creating tests.