Appendix A: Testing Tools

General Testing

 * OWASP WebScarab
 * OWASP CAL9000
   * CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
   * Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
 * OWASP Pantera Web Assessment Studio Project
 * SPIKE - http://www.immunitysec.com/resources-freesoftware.shtml
 * Paros - http://www.parosproxy.org
 * ZAP - http://code.google.com/p/zaproxy/downloads/list
 * Burp Proxy - http://www.portswigger.net/Burp/
 * Achilles Proxy - http://www.mavensecurity.com/achilles
 * Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
 * Webstretch Proxy - http://sourceforge.net/projects/webstretch
 * Firefox LiveHTTPHeaders - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
 * Firefox Tamper Data - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
 * Firefox Web Developer Tools - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
 * Firefox Firebug - http://getfirebug.com/
 * Grendel-Scan - http://securitytube-tools.net/index.php?title=Grendel_Scan
 * OWASP SWFIntruder - http://www.mindedsecurity.com/swfintruder.html
 * Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/labs/tools/pentest/wikto
 * w3af - http://w3af.org
 * skipfish - http://code.google.com/p/skipfish/

Testing for DOM XSS

 * DOMinator Pro - https://dominator.mindedsecurity.com

Testing AJAX

 * OWASP Sprajax Project

Testing for SQL Injection

 * OWASP SQLiX
 * Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
 * Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
 * Absinthe 1.1 (formerly SQLSqueal) - http://sourceforge.net/projects/absinthe/
 * SQLInjector - http://www.databasesecurity.com/sql-injector.htm
 * Bsqlbf-v2 - http://code.google.com/p/bsqlbf-v2/
 * Pangolin - http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
 * Antonio Parata: SqlDumper, dumps files by SQL inference on MySQL - http://www.ruizata.com/
 * SQL Power Injector, a multiple-DBMS SQL injection tool - http://www.sqlpowerinjector.com/
 * sqlbftools, MySQL blind injection bruteforcing (Reversing.org) - http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html

Testing Oracle

 * TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
 * Toad for Oracle - http://www.quest.com/toad

Testing SSL

 * Foundstone SSL Digger - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx

Testing for Brute Force Password

 * THC Hydra - http://www.thc.org/thc-hydra/
 * John the Ripper - http://www.openwall.com/john/
 * Brutus - http://www.hoobie.net/brutus/
 * Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
 * Ncat - http://nmap.org/ncat/

Testing Buffer Overflow

 * OllyDbg - http://www.ollydbg.de
   * "A Windows-based debugger used for analyzing buffer overflow vulnerabilities"
 * Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
   * A fuzzer framework that can be used to explore vulnerabilities and perform length testing
 * Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
   * A proactive binary checker
 * Metasploit - http://www.metasploit.com/projects/Framework/ (link not working)
   * A rapid exploit development and testing framework

Fuzzer

 * OWASP WSFuzzer
 * Wfuzz - http://www.darknet.org.uk/2007/07/wfuzz-a-tool-for-bruteforcingfuzzing-web-applications/

Googling

 * Stach & Liu's Google Hacking Diggity Project - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
 * Foundstone Sitedigger (Google cached fault-finding) - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

Commercial Black Box Testing tools

 * NGS Typhon III - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-typhon-iii/
 * NGSSQuirreL - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-squirrel-vulnerability-scanners/
 * IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
 * Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
 * Burp Intruder - http://www.portswigger.net/burp/intruder.html
 * Acunetix Web Vulnerability Scanner - http://www.acunetix.com
 * Sleuth - http://www.sandsprite.com
 * NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
 * MaxPatrol Security Scanner - http://www.maxpatrol.com
 * Ecyware GreenBlue Inspector - http://www.ecyware.com
 * Parasoft SOAtest (more of a QA-type tool) - http://www.parasoft.com/jsp/products/soatest.jsp?itemId=101
 * MatriXay - http://www.dbappsecurity.com/webscan.html
 * N-Stalker Web Application Security Scanner - http://www.nstalker.com
 * HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
 * SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
 * Netsparker - http://www.mavitunasecurity.com/netsparker/
 * SAINT - http://www.saintcorporation.com/
 * ScanDo - http://www.kavado.com (link broken)

Open Source / Freeware

 * OWASP Orizon
 * OWASP LAPSE
 * OWASP O2 Platform
 * Google CodeSearchDiggity - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/
 * PMD - http://pmd.sourceforge.net/
 * FlawFinder - http://www.dwheeler.com/flawfinder
 * Microsoft’s FxCop
 * Splint - http://splint.org
 * Boon - http://www.cs.berkeley.edu/~daw/boon
 * FindBugs - http://findbugs.sourceforge.net
 * Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
 * W3af - http://w3af.sourceforge.net/
 * Pscan - http://www.striker.ottawa.on.ca/~aland/pscan (link broken)

Commercial

 * Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure (alternate link http://www.armorize.com/product/ not working)
 * Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
 * Checkmarx CxSuite - http://www.checkmarx.com
 * HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
 * GrammaTech - http://www.grammatech.com
 * ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
 * Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
 * ParaSoft - http://www.parasoft.com
 * Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
 * Veracode - http://www.veracode.com

Acceptance Testing Tools
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a unit testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security-specific tests in addition to functional tests.

Open Source Tools

 * WATIR - http://wtr.rubyforge.org
   * A Ruby-based web testing framework that provides an interface into Internet Explorer.
   * Windows only.
 * HtmlUnit - http://htmlunit.sourceforge.net
   * A Java and JUnit based framework that uses the Apache HttpClient as the transport.
   * Very robust and configurable; it is used as the engine for a number of other testing tools.
 * jWebUnit - http://jwebunit.sourceforge.net
   * A Java-based meta-framework that uses HtmlUnit or Selenium as the testing engine.
 * Canoo Webtest - http://webtest.canoo.com
   * An XML-based testing tool that provides a facade on top of HtmlUnit.
   * No coding is necessary, as the tests are completely specified in XML.
   * There is the option of scripting some elements in Groovy if XML does not suffice.
   * Very actively maintained.
 * HttpUnit - http://httpunit.sourceforge.net
   * One of the first web testing frameworks; it suffers from using the native JDK-provided HTTP transport, which can be a bit limiting for security testing.
 * Watij - http://watij.com
   * A Java implementation of WATIR.
   * Windows only, because it uses IE for its tests (Mozilla integration is in the works).
 * Solex - http://solex.sourceforge.net
   * An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
 * Selenium - http://seleniumhq.org/
   * A JavaScript-based testing framework; cross-platform, and provides a GUI for creating tests.
   * A mature and popular tool, but the use of JavaScript could hamper certain security tests.

Runtime Analysis

 * Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/

Binary Analysis

 * BugScam IDC Package - http://sourceforge.net/projects/bugscam
 * Veracode - http://www.veracode.com

Requirements Management

 * Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

Site Mirroring

 * wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
 * curl - http://curl.haxx.se
 * Sam Spade - http://www.samspade.org
 * Xenu's Link Sleuth - http://home.snafu.de/tilman/xenulink.html