Phoenix/Tools

Please send comments or questions to the Phoenix-OWASP mailing-list.  LiveCDs Monday, January 29, 2007 4:02 PM    828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/  Test Sites SPI Dynamics (live) - http://zero.webappsecurity.com/ Cenzic (live) - http://crackme.cenzic.com/ Watchfire (live) - http://demo.testfire.net/ Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator  HTTP proxying / editing<br/ > WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br/ > Burp - http://www.portswigger.net/<br/ > Paros - http://www.parosproxy.org/<br/ > Fiddler - http://www.fiddlertool.com/<br/ > Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br/ > Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br/ > Suru - http://www.sensepost.com/research/suru/<br/ > httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/<br/ > Charles - http://www.xk72.com/charles/<br/ > Odysseus - http://www.bindshell.net/tools/odysseus<br/ > Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br/ > Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br/ > <br/ > RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools<br/ > Wfuzz - http://www.edge-security.com/wfuzz.php<br/ > ProxMon - http://www.isecpartners.com/proxmon.html<br/ > Wapiti - http://wapiti.sourceforge.net/<br/ > Grabber - http://rgaucher.info/beta/grabber/<br/ > CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br/ > HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br/ > JBroFuzz - http://sourceforge.net/projects/jbrofuzz<br/ > XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br/ > WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br/ > Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br/ > [TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz<br/ > screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html<br/ > SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br/ > RFuzz - http://rfuzz.rubyforge.org/<br/ > WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999<br/ > TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br/ > ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br/ > WSTool - http://wstool.sourceforge.net/<br/ > Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br/ > Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br/ > HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/<br/ > Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br/ > PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743<br/ > <br/ > HTTP general testing / fingerprinting<br/ > ht://Check - http://htcheck.sourceforge.net/<br/ > Mumsie - http://www.lurhq.com/tools/mumsie.html<br/ > WebInject - http://www.webinject.org/<br/ > Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br/ > JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br/ > OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/<br/ > Load-balancing detector - http://ge.mine.nu/lbd.html<br/ > HMAP - http://ujeni.murkyroc.com/hmap/<br/ > Net-Square: httprint - http://net-square.com/httprint/<br/ > Wpoison: http stress testing - http://wpoison.sourceforge.net/<br/ > Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml<br/ > hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/<br/ > rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp<br/ > Nikto - http://www.cirt.net/code/nikto.shtml<br/ > twill - http://twill.idyll.org/<br/ > [ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip<br/ > [ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html<br/ > <br/ > Browser-based HTTP tampering / editing<br/ > TamperIE - http://www.bayden.com/Other/<br/ > isr-form - http://www.infobyte.com.ar/developments.html<br/ > LiveHTTPHeaders (Firefox Add-on) - http://livehttpheaders.mozdev.org/<br/ > Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/<br/ > Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/<br/ > <br/ > Cookie editing / poisoning<br/ > [TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz<br/ > Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br/ > CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br/ > CookieSpy - http://www.codeproject.com/shell/cookiespy.asp<br/ > Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx<br/ > <br/ > Ajax and XHR scanning<br/ > Sahi - http://sahi.co.in/<br/ > scRUBYt - http://scrubyt.org/<br/ > jQuery - http://jquery.com/<br/ > jquery-include - http://www.gnucitizen.org/projects/jquery-include<br/ > Sprajax - http://www.denimgroup.com/sprajax.html<br/ > Watir - http://wtr.rubyforge.org/<br/ > RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br/ > SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br/ > Firebug Lite - http://www.getfirebug.com/lite.html<br/ > firewaitr - http://code.google.com/p/firewatir/<br/ > <br/ > SQL injection scanning<br/ > 0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br/ > SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br/ > sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br/ > JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br/ > BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html<br/ > sqlmap - http://sqlmap.sourceforge.net/<br/ > Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/<br/ > FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas<br/ > <br/ > Web application security malware, backdoors, and evil code<br/ > Jikto - http://busin3ss.name/jikto-in-the-wild/<br/ > XSS Shell - http://ferruh.mavituna.com/article/?1338<br/ > XSS-Proxy - http://xss-proxy.sourceforge.net<br/ > AttackAPI - http://www.gnucitizen.org/projects/attackapi/<br/ > FFsniFF - http://azurit.elbiahosting.sk/ffsniff/<br/ > HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/<br/ > BeEF - http://www.bindshell.net/tools/beef/<br/ > Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/<br/ > What is my IP address? - http://reglos.de/myaddress/<br/ > xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br/ > Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br/ > Technika - http://www.gnucitizen.org/projects/technika/<br/ > Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet<br/ > MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br/ > <br/ > Web application services that aid in web application security assessment<br/ > Netcraft - http://www.netcraft.net<br/ > AboutURL - http://www.abouturl.com/<br/ > net.toolkit - http://clez.net/<br/ > ServerSniff - http://www.serversniff.net/<br/ > Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/<br/ > Webmaster-Toolkit - http://www.webmaster-toolkit.com/<br/ > <br/ > Browser-based security fuzzing / checking<br/ > Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi<br/ > hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/<br/ > Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/<br/ > TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html<br/ > PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br/ > COMRaider - http://labs.idefense.com<br/ > bcheck - http://bcheck.scanit.be/bcheck/<br/ > Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects<br/ > LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp<br/ > BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/<br/ > Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br/ > Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br/ > Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br/ > Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br/ > Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br/ > Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/<br/ > About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br/ > Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br/ > <br/ > PHP file inclusion scanning<br/ > Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php <br/ > FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit<br/ > <br/ > Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources<br/ > APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS<br/ > PHP Intrusion Detection System (PHP-IDS) - http://code.google.com/p/phpids/<br/ > Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html<br/ > GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules<br/ > The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br/ > mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br/ > Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br/ > [TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br/ > Akismet: blog spam defense - http://akismet.com/<br/ > Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br/ > <br/ > Web services enumeration / scanning / fuzzing<br/ > WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c<br/ > Net-square: wsChess - http://net-square.com/wschess/index.shtml<br/ > WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br/ > SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm<br/ > iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html<br/ > <br/ > Web application static source-code analysis and threat-modeling<br/ > Orizon - http://sourceforge.net/projects/orizon/<br/ > Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br/ > Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br/ > Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project<br/ > CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/<br/ > ITS4 - http://www.cigital.com/its4/<br/ > FlawFinder - http://www.dwheeler.com/flawfinder/<br/ > Splint - http://www.splint.org/<br/ > Valgrind - http://www.valgrind.org/<br/ > FxCop - http://www.gotdotnet.com/team/fxcop/<br/ > RATS - http://www.securesoftware.com/resources/download_rats.html<br/ > PMD - http://pmd.sourceforge.net/<br/ > Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx<br/ > FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br/ > BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/<br/ > Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br/ > Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br/ > Octotrike - http://www.octotrike.org/<br/ > <br/ > Add-ons for Firefox that help with general web application security<br/ > Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br/ > Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/<br/ > XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br/ > Public Fox - https://addons.mozilla.org/firefox/3911/<br/ > XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br/ > MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br/ > Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html<br/ > IE Tab - https://addons.mozilla.org/firefox/1419/<br/ > User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br/ > SeverSwitcher - https://addons.mozilla.org/firefox/2409/<br/ > HeaderMonitor - https://addons.mozilla.org/firefox/575/<br/ > RefControl - https://addons.mozilla.org/firefox/953/<br/ > refspoof - https://addons.mozilla.org/firefox/667/<br/ > No-Referrer - https://addons.mozilla.org/firefox/1999/<br/ > LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br/ > SpiderZilla - http://spiderzilla.mozdev.org/<br/ > Slogger - https://addons.mozilla.org/en-US/firefox/addon/143<br/ > Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br/ > <br/ > Add-ons for Firefox that help with Javascript and Ajax web application security<br/ > Selenium IDE - http://www.openqa.org/selenium-ide/<br/ > Firebug - http://www.joehewitt.com/software/firebug/<br/ > Venkman - http://www.mozilla.org/projects/venkman/<br/ > Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br/ > Greasemonkey - http://www.greasespot.net/<br/ > Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br/ > User script compiler - http://arantius.com/misc/greasemonkey/script-compiler<br/ > RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br/ > BMlets - http://optools.awardspace.com/bmlet.html<br/ > Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br/ > <br/ > Java web application security<br/ > Checkstyle - http://checkstyle.sourceforge.net/<br/ > Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br/ > tinapoc - http://sourceforge.net/projects/tinapoc<br/ > jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br/ > Solex - http://solex.sourceforge.net/<br/ > Java Explorer - http://metal.hurlant.com/jexplore/<br/ > HTTPClient - http://www.innovation.ch/java/HTTPClient/<br/ > <br/ > SSL certificate checking / scanning<br/ > [ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip<br/ > [ZIP] Foundstone SSLDigger - http://foundstone.com/resources/freetooldownload.htm?file=ssldigger.zip<br/ > Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br/ > <br/ > Honeyclients, Web Application, and Web Proxy honeypots<br/ > HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br/ > Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br/ > Google Hack Honeypot - http://ghh.sourceforge.net/<br/ > PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br/ > SpyBye - http://www.monkey.org/~provos/spybye/<br/ > Honeytokens - http://www.securityfocus.com/infocus/1713<br/ > <br/ > Blackhat SEO and maybe some whitehat SEO<br/ > SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/<br/ > SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br/ > <br/ > Footprinting for web application security<br/ > Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/<br/ > Edge-Security tools - http://www.edge-security.com/soft.php<br/ > Fierce Domain Scanner - http://ha.ckers.org/fierce/<br/ > Googlegath - http://www.nothink.org/perl/googlegath/<br/ > Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/<br/ > Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/<br/ > BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/<br/ > <br/ > Database Security Assessment<br/ > Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/<br/ >

<br/ > Browser Defenses<br/ > DieHard - http://www.diehard-software.org/<br/ > LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/<br/ > NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/<br/ > Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br/ > FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br/ > CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497<br/ > NoScript (Firefox Add-on) - http://www.noscript.net/<br/ > Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br/ > httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br/ > SafeCache (Firefox Add-on) - http://www.safecache.com/<br/ > SafeHistory (Firefox Add-on) - http://www.safehistory.com/<br/ > PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br/ > QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br/ > FireKeeper - http://firekeeper.mozdev.org/<br/ > <br/ > Browser Privacy<br/ > TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/<br/ > Privacy Bird - http://www.privacybird.com/<br/ > <br/ > Application and protocol fuzzing (random instead of targeted)<br/ > taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/<br/ > zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br/ > autodafé: an act of software torture - http://autodafe.sourceforge.net/<br/ > EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html<br/ >