[Owasp-cincinnati] OPEN SOURCE TESTING TOOLS

Marco M. Morana marco.m.morana at gmail.com
Sat Feb 28 11:45:59 EST 2009


List,
this (*) is a follow up on Gudla's request for open source tools resources, after the last meeting. 

The list comes from the OWASP testing guide. 

Regards

Marco

http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

(*)

OPEN SOURCE BLACK BOX TESTING TOOLS

General Testing

. OWASP WebScarab

. OWASP CAL9000: CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts. Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

. OWASP Pantera Web Assessment Studio Project

. SPIKE - http://www.immunitysec.com

. Paros - http://www.parosproxy.org

. Burp Proxy - http://www.portswigger.net

. Achilles Proxy - http://www.mavensecurity.com/achilles

. Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/

. Webstretch Proxy - http://sourceforge.net/projects/webstretch

. Firefox LiveHTTPHeaders, Tamper Data and Developer Tools - http://www.mozdev.org

. Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html

. Grendel-Scan - http://www.grendel-scan.com

TESTING FOR SPECIFIC VULNERABILITIES

Testing Flash

. OWASP SWFIntruder - http://www.owasp.org/index.php/Category:SWFIntruder, http://www.mindedsecurity.com/swfintruder.html

Testing AJAX

. OWASP Sprajax Project

Testing for SQL Injection

. OWASP SQLiX

. Multiple DBMS SQL Injection tool - SQL Power Injector

. MySQL Blind Injection Bruteforcing, Reversing.org - [sqlbftools]

. Antonio Parata: Dump Files by SQL inference on Mysql - [SqlDumper]

. Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net

. Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net

. Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/

. SQLInjector - http://www.databasesecurity.com/sql-injector.htm

. bsqlbf-1.2-th - http://www.514.es

Testing Oracle

. TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html

. Toad for Oracle - http://www.quest.com/toad

Testing SSL

. Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm

Testing for Brute Force Password

. THC Hydra - http://www.thc.org/thc-hydra/

. John the Ripper - http://www.openwall.com/john/

. Brutus - http://www.hoobie.net/brutus/

. Medusa - http://www.foofus.net/~jmk/medusa/medusa.html

Testing for HTTP Methods

. NetCat - http://www.vulnwatch.org/netcat

Testing Buffer Overflow

. OllyDbg - http://www.ollydbg.de

o "A Windows-based debugger used for analyzing buffer overflow vulnerabilities"

. Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz

o A fuzzer framework that can be used to explore vulnerabilities and perform length testing

. Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net

o A proactive binary checker

. Metasploit - http://www.metasploit.com/projects/Framework/

o A rapid exploit development and testing framework

Fuzzer

. WSFuzzer

Googling

. Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

SOURCE CODE ANALYZERS - OPEN SOURCE / FREEWARE

. OWASP LAPSE

. PMD - http://pmd.sourceforge.net/

. FlawFinder - http://www.dwheeler.com/flawfinder

. Microsoft's FxCop

. Splint - http://splint.org

OWASP Testing Guide v3.0

. Boon - http://www.cs.berkeley.edu/~daw/boon

. Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

. FindBugs - http://findbugs.sourceforge.net

ACCEPTANCE TESTING TOOLS - OPEN SOURCE

Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

. WATIR - http://wtr.rubyforge.org

o A Ruby-based web testing framework that provides an interface into Internet Explorer.

o Windows only.

. HtmlUnit - http://htmlunit.sourceforge.net

o A Java and JUnit based framework that uses the Apache HttpClient as the transport.

o Very robust and configurable and is used as the engine for a number of other testing tools.

. jWebUnit - http://jwebunit.sourceforge.net

o A Java based meta-framework that uses htmlunit or selenium as the testing engine.

. Canoo Webtest - http://webtest.canoo.com

o An XML based testing tool that provides a facade on top of htmlunit.

o No coding is necessary as the tests are completely specified in XML.

o There is the option of scripting some elements in Groovy if XML does not suffice.

o Very actively maintained.

. HttpUnit - http://httpunit.sourceforge.net

o One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.

. Watij - http://watij.com

o A Java implementation of WATIR.

o Windows only because it uses IE for its tests (Mozilla integration is in the works).

. Solex - http://solex.sourceforge.net

o An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.

. Selenium - http://www.openqa.org/selenium/

o JavaScript based testing framework, cross-platform and provides a GUI for creating tests.

o Mature and popular tool, but the use of JavaScript could hamper certain security tests.



----- Original Message ----- 

  From: Gudla, Veena 
  To: marco.m.morana at gmail.com 
  Sent: Tuesday, February 24, 2009 11:39 AM


  I will be attending tomorrow's OWASP meeting.

   

  Thanks,

   

   

  Veena Gudla
  Software Engineer - Direct Sales
  Cintas Corporation 
  gudlav at cintas.com
  513.701.2207

   

