Difference between revisions of "Appendix A: Testing Tools"

From OWASP
Jump to: navigation, search
(43 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Template:OWASP Testing Guide v3}}
+
{{Template:OWASP Testing Guide v4}}
  
 
==Open Source Black Box Testing tools==
 
==Open Source Black Box Testing tools==
Line 6: Line 6:
  
 
* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
 
* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
 +
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
 
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
 
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
 
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
 
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
 
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
 
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
 
*  '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
 
*  '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
* SPIKE - http://www.immunitysec.com
+
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
* Paros - http://www.parosproxy.org
+
* '''[[:OWASP Zed Attack Proxy Project]]'''
* Burp Proxy - http://www.portswigger.net
+
** The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
* Achilles Proxy - http://www.mavensecurity.com/achilles
+
** ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
+
* '''[[:OWASP Mantra - Security Framework]]'''
* Webstretch Proxy - http://sourceforge.net/projects/webstretch
+
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh, in addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
* Firefox LiveHTTPHeaders, Tamper Data and Developer Tools - http://www.mozdev.org
+
* '''SPIKE''' - http://www.immunitysec.com/resources-freesoftware.shtml
* Grendel-Scan - http://www.grendel-scan.com
+
** SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
* [[:Category:SWFIntruder|OWASP SWFIntruder]]
+
* '''Burp Proxy''' - http://www.portswigger.net/Burp/
* http://www.mindedsecurity.com/swfintruder.html
+
** Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP/S traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
 +
* '''Odysseus Proxy''' - http://www.wastelands.gen.nz/odysseus/
 +
** Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
 +
* '''Webstretch Proxy''' - http://sourceforge.net/projects/webstretch
 +
** Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
 +
*  '''WATOBO''' - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
 +
** WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
 +
* '''Firefox LiveHTTPHeaders''' - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
 +
** View HTTP headers of a page and while browsing.
 +
* '''Firefox Tamper Data''' - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
 +
** Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
 +
* '''Firefox Web Developer Tools''' - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
 +
** The Web Developer extension adds various web developer tools to the browser.
 +
* '''DOM Inspector''' - https://developer.mozilla.org/en/docs/DOM_Inspector
 +
**  DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
 +
* '''Firefox Firebug''' - http://getfirebug.com/
 +
** Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.
 +
* '''Grendel-Scan''' - http://securitytube-tools.net/index.php?title=Grendel_Scan
 +
** Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
 +
* '''OWASP SWFIntruder''' - http://www.mindedsecurity.com/swfintruder.html
 +
** SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
 +
* '''SWFScan''' - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
 +
** Flash decompiler
 +
*  '''Wikto''' - http://www.sensepost.com/labs/tools/pentest/wikto
 +
** Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
 +
* '''w3af''' - http://w3af.org
 +
** w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
 +
* '''skipfish''' - http://code.google.com/p/skipfish/
 +
** Skipfish is an active web application security reconnaissance tool.
  
  
[[Category:FIXME| link not working
+
=== Testing for specific vulnerabilities ===
  
* Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html
+
==== Testing for DOM XSS ====
 
+
* DOMinator Pro - https://dominator.mindedsecurity.com
 
+
]]
+
 
+
=== Testing for specific vulnerabilities ===
+
  
 
==== Testing AJAX ====
 
==== Testing AJAX ====
Line 36: Line 61:
 
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
 
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
 
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
 
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.sourceforge.net
+
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
* Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
+
* Absinthe 1.1 (formerly SQLSqueal) - http://sourceforge.net/projects/absinthe/
* SQLInjector - http://www.databasesecurity.com/sql-injector.htm
+
* SQLInjector - Uses inference techniques to extract data and determine the backend database server.  http://www.databasesecurity.com/sql-injector.htm
* bsqlbf-1.2-th - http://www.514.es
+
* Bsqlbf-v2: A perl script allows extraction of data from Blind SQL Injections - http://code.google.com/p/bsqlbf-v2/
 +
* Pangolin: An automatic SQL injection penetration testing tool - http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
 +
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper - http://www.ruizata.com/
 +
* Multiple DBMS Sql Injection tool - SQL Power Injector - http://www.sqlpowerinjector.com/
 +
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools - http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html
  
  
[[Category:FIXME|link not working
 
  
* Multiple DBMS Sql Injection tool - SQL Power Injector
 
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools
 
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper
 
 
 
]]
 
  
 
==== Testing Oracle ====
 
==== Testing Oracle ====
Line 55: Line 77:
 
* Toad for Oracle - http://www.quest.com/toad  
 
* Toad for Oracle - http://www.quest.com/toad  
 
==== Testing SSL ====
 
==== Testing SSL ====
* Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
+
* Foundstone SSL Digger - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx
 
==== Testing for Brute Force Password ====
 
==== Testing for Brute Force Password ====
 
* THC Hydra - http://www.thc.org/thc-hydra/
 
* THC Hydra - http://www.thc.org/thc-hydra/
Line 61: Line 83:
 
* Brutus - http://www.hoobie.net/brutus/  
 
* Brutus - http://www.hoobie.net/brutus/  
 
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
 
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
 +
*Ncat - http://nmap.org/ncat/
 +
  
[[Category:FIXME|link not working
 
==== Testing for HTTP Methods ====
 
* NetCat - http://www.vulnwatch.org/netcat
 
  
]]
 
 
==== Testing Buffer Overflow ====
 
==== Testing Buffer Overflow ====
 
*  OllyDbg - http://www.ollydbg.de
 
*  OllyDbg - http://www.ollydbg.de
Line 85: Line 105:
 
==== Fuzzer  ====
 
==== Fuzzer  ====
 
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''
 
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''
 +
* Wfuzz - http://www.darknet.org.uk/2007/07/wfuzz-a-tool-for-bruteforcingfuzzing-web-applications/
  
 
==== Googling ====
 
==== Googling ====
 
* Stach & Liu's Google Hacking Diggity Project - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
 
* Stach & Liu's Google Hacking Diggity Project - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm
+
* Foundstone Sitedigger (Google cached fault-finding) - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
  
 
==Commercial Black Box Testing tools==
 
==Commercial Black Box Testing tools==
  
* Typhon - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
+
* NGS Typhon III - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-typhon-iii/
* NGSSQuirreL - http://www.ngssoftware.com/products/database-security/
+
* NGSSQuirreL - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-squirrel-vulnerability-scanners/
* Watchfire AppScan - http://www.watchfire.com
+
* IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
 
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
 
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
* Burp Intruder - http://portswigger.net/intruder
+
* Burp Intruder - http://www.portswigger.net/burp/intruder.html
 
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
 
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* WebSleuth - http://www.sandsprite.com
+
* Sleuth - http://www.sandsprite.com
 
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
 
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester
 
* Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/
 
 
* MaxPatrol Security Scanner - http://www.maxpatrol.com
 
* MaxPatrol Security Scanner - http://www.maxpatrol.com
 
* Ecyware GreenBlue Inspector - http://www.ecyware.com
 
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft WebKing (more QA-type tool)
+
* Parasoft SOAtest (more QA-type tool)- http://www.parasoft.com/jsp/products/soatest.jsp?itemId=101
* MatriXay - http://www.dbappsecurity.com
+
* MatriXay - http://www.dbappsecurity.com/webscan.html
 
* N-Stalker Web Application Security Scanner - http://www.nstalker.com
 
* N-Stalker Web Application Security Scanner - http://www.nstalker.com
 +
* HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
 +
* SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
 +
* Netsparker - http://www.mavitunasecurity.com/netsparker/
 +
* SAINT - http://www.saintcorporation.com/
 +
* QualysGuard WAS - http://www.qualys.com/enterprises/qualysguard/web-application-scanning/
 +
* Retina Web - http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx
  
  
 
[[Category:FIXME|check these links
 
[[Category:FIXME|check these links
  
* Watchfire AppScan - http://www.watchfire.com
+
 
 
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
 
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
  
  
 
link broken:
 
link broken:
* SPI Dynamics WebInspect - http://www.spidynamics.com
+
 
 
* ScanDo - http://www.kavado.com
 
* ScanDo - http://www.kavado.com
  
Line 137: Line 162:
 
* Boon - http://www.cs.berkeley.edu/~daw/boon
 
* Boon - http://www.cs.berkeley.edu/~daw/boon
 
* FindBugs - http://findbugs.sourceforge.net
 
* FindBugs - http://findbugs.sourceforge.net
 +
* Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
 +
* W3af - http://w3af.sourceforge.net/
  
 
[[Category:FIXME|broken link
 
[[Category:FIXME|broken link
Line 148: Line 175:
  
 
* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
 
* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* CodeWizard - http://www.parasoft.com/products/wizard
+
* Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
 
* Checkmarx CxSuite  - http://www.checkmarx.com
 
* Checkmarx CxSuite  - http://www.checkmarx.com
* Fortify - http://www.fortifysoftware.com
+
* HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
 
* GrammaTech - http://www.grammatech.com
 
* GrammaTech - http://www.grammatech.com
* ITS4 - http://www.cigital.com/its4
+
* ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
* Ounce labs Prexis - http://www.ouncelabs.com
+
* Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
 
* ParaSoft - http://www.parasoft.com
 
* ParaSoft - http://www.parasoft.com
 
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
 
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
Line 196: Line 223:
 
* Solex - http://solex.sourceforge.net
 
* Solex - http://solex.sourceforge.net
 
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
 
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://www.openqa.org/selenium/
+
* Selenium - http://seleniumhq.org/
 
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
 
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
 
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.
 
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.
Line 204: Line 231:
 
===Runtime Analysis===
 
===Runtime Analysis===
  
*  Rational PurifyPlus - http://www-306.ibm.com/software/awdtools
+
*  Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/
  
 
===Binary Analysis===
 
===Binary Analysis===
  
* BugScam - http://sourceforge.net/projects/bugscam
+
* BugScam IDC Package - http://sourceforge.net/projects/bugscam
* BugScan - http://www.hbgary.com
+
 
* Veracode - http://www.veracode.com
 
* Veracode - http://www.veracode.com
  
Line 220: Line 246:
 
* curl - http://curl.haxx.se  
 
* curl - http://curl.haxx.se  
 
* Sam Spade - http://www.samspade.org
 
* Sam Spade - http://www.samspade.org
* Xenu - http://home.snafu.de/tilman/xenulink.html
+
* Xenu's Link Sleuth - http://home.snafu.de/tilman/xenulink.html
 
+
 
+
 
+
[[Category:FIXME|check this link
+
 
+
*  Rational PurifyPlus - http://www-306.ibm.com/software/awdtools
+
 
+
 
+
]]
+

Revision as of 14:46, 19 February 2013

This article is part of the new OWASP Testing Guide v4. 
At the moment the project is in the REVIEW phase.

Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project

Contents


Open Source Black Box Testing tools

General Testing

  • OWASP WebScarab
    • WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
  • OWASP CAL9000
    • CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
    • Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
  • OWASP Pantera Web Assessment Studio Project
    • Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
  • OWASP Zed Attack Proxy Project
    • The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
    • ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
  • OWASP Mantra - Security Framework
    • Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh, in addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
  • SPIKE - http://www.immunitysec.com/resources-freesoftware.shtml
    • SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
  • Burp Proxy - http://www.portswigger.net/Burp/
    • Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP/S traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
  • Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
    • Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
  • Webstretch Proxy - http://sourceforge.net/projects/webstretch
    • Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
  • WATOBO - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
    • WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
  • Firefox LiveHTTPHeaders - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
    • View HTTP headers of a page and while browsing.
  • Firefox Tamper Data - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
    • Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
  • Firefox Web Developer Tools - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
    • The Web Developer extension adds various web developer tools to the browser.
  • DOM Inspector - https://developer.mozilla.org/en/docs/DOM_Inspector
    • DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
  • Firefox Firebug - http://getfirebug.com/
    • Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.
  • Grendel-Scan - http://securitytube-tools.net/index.php?title=Grendel_Scan
    • Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
  • OWASP SWFIntruder - http://www.mindedsecurity.com/swfintruder.html
    • SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
  • SWFScan - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
    • Flash decompiler
  • Wikto - http://www.sensepost.com/labs/tools/pentest/wikto
    • Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
  • w3af - http://w3af.org
    • w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
  • skipfish - http://code.google.com/p/skipfish/
    • Skipfish is an active web application security reconnaissance tool.


Testing for specific vulnerabilities

Testing for DOM XSS

Testing AJAX

Testing for SQL Injection



Testing Oracle

Testing SSL

Testing for Brute Force Password


Testing Buffer Overflow

Fuzzer

Googling

Commercial Black Box Testing tools

Source Code Analyzers

Open Source / Freeware

Commercial

Acceptance Testing Tools

Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

Open Source Tools

  • WATIR - http://wtr.rubyforge.org
    • A Ruby based web testing framework that provides an interface into Internet Explorer.
    • Windows only.
  • HtmlUnit - http://htmlunit.sourceforge.net
    • A Java and JUnit based framework that uses the Apache HttpClient as the transport.
    • Very robust and configurable and is used as the engine for a number of other testing tools.
  • jWebUnit - http://jwebunit.sourceforge.net
    • A Java based meta-framework that uses htmlunit or selenium as the testing engine.
  • Canoo Webtest - http://webtest.canoo.com
    • An XML based testing tool that provides a facade on top of htmlunit.
    • No coding is necessary as the tests are completely specified in XML.
    • There is the option of scripting some elements in Groovy if XML does not suffice.
    • Very actively maintained.
  • HttpUnit - http://httpunit.sourceforge.net
    • One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
  • Watij - http://watij.com
    • A Java implementation of WATIR.
    • Windows only because it uses IE for its tests (Mozilla integration is in the works).
  • Solex - http://solex.sourceforge.net
    • An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
  • Selenium - http://seleniumhq.org/
    • JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
    • Mature and popular tool, but the use of JavaScript could hamper certain security tests.

Other Tools

Runtime Analysis

Binary Analysis

Requirements Management

Site Mirroring