Appendix A: Testing Tools

[Up]

Open Source

 * OWASP WebScarab


 * OWASP CAL9000


 * OWASP Pantera

Googling Testing AJAX  Testing SQL Injection  Testing SSL  Fuzzer Testing Oracle
 * SPIKE - http://www.immunitysec.com
 * Paros - http://www.proofsecure.com
 * Burp Proxy - http://www.portswigger.net
 * Achilles Proxy - http://www.mavensecurity.com/achilles
 * Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
 * Webstretch Proxy - http://sourceforge.net/projects/webstretch
 * Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org
 * Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html
 * Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm
 * OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project
 * OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
 * SQLmap - http://www.linux.it/~belch/creations/sqlmap-0.0.1.tgz
 * Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
 * Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
 * OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
 * TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
 * Toad for Oracle - http://www.quest.com/toad

Commercial

 * ScanDo - http://www.kavado.com
 * WebSleuth - http://www.sandsprite.com
 * SPI Dynamics WebInspect - http://www.spidynamics.com
 * Watchfire AppScan - http://www.watchfire.com
 * AppSecInc AppDetective for Web Apps
 * Cenzic Hailstorm
 * NT Objectives NTOSpider
 * Acunetix Web Vulnerability Scanner 2
 * Compuware DevPartner Fault Simulator
 * Fortify Pen Testing Team Tool
 * @stake Web Proxy 2.0
 * Burp Intruder
 * Sandsprite Web Sleuth
 * MaxPatrol 7
 * Syhunt Sandcat Scanner & Miner
 * TrustSecurityConsulting HTTPExplorer
 * Ecyware BlueGreen Inspector
 * NGS Typhon
 * Parasoft WebKing (more QA-type tool)

Open Source / Freeware

 * http://www.securesoftware.com
 * FlawFinder - http://www.dwheeler.com/flawfinder
 * Microsoft’s FXCop - http://www.gotdotnet.com/team/fxcop
 * Split - http://splint.org
 * Boon - http://www.cs.berkeley.edu/~daw/boon
 * Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

Commercial

 * Fortify - http://www.fortifysoftware.com
 * Ounce labs Prexis - http://www.ouncelabs.com
 * GrammaTech - http://www.grammatech.com
 * ParaSoft - http://www.parasoft.com
 * ITS4 - http://www.cigital.com/its4
 * CodeWizard - http://www.parasoft.com/products/wizard

Runtime Analysis

 * Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

Binary Analysis

 * BugScam - http://sourceforge.net/projects/bugscam
 * BugScan - http://www.hbgary.com

Requirements Management

 * Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

Site Mirroring
 * wget - http://www.gnu.org/software/wget
 * curl - http://curl.haxx.se