Mads Rasmussen mads at
Thu Dec 5 14:44:29 EST 2002

Hi David,

Here is a text for a description of our toolbag for testing web
applications, it still needs improvement

I will send it again included in the openOffice document as appendix, I
have some figures for the methodology as well, maybe tomorrow :)


Appendix II - Toolbag 

1 - Test Tools
The following items are part of the toolbag for tests of web
applications. New tools can be added depending on needs according to the
toolbag updating methodology.
The items are divided into references, company, tool and if the license
is commercial.
1.1. Assessment tools
These tools are used to map the architecture of the application to be
tested as well as its environment, scanning the hierarchy of available
resources at the web server, examining the contents, returning and
reporting where problems might be.
Virtual users could be used to to simulate use of the site.
Some tools listed will suggest solutions to encountered vulnerabilities.
1.1.1.  AtStake        WAP Assessment Tool
1.1.2.  AtStake        WebProxy
1.1.3.  ISECOM        AssTool
1.1.4.  OSSTM         Metis
1.1.5.  eEye            Retina (comercial)
1.1.6.  ParaSoft       WebKing Box Testing (commercial)
1.2. Fuzzing
These tools are used to realize attacks based on variations in requests
(random data)
1.2.1.  AtStake        Fuzzer
1.2.2.  AtStake        Fuzzer Server
1.3. Authentication
Dictionary attacks + variations and brute force at logins and passwords
1.3.1.  OpenSource            Brutus
1.3.2.  Immunity Security    SPIKE
1.4. Cookie and HTTP Manipulation
Man in the middle attacks modifying the messages sent between the client
and the server
1.4.1.  Paessler                 IE Booster (comercial)
1.4.2.  AtStake                  Achilles
1.5. CGI Tests
1.5.1.  OpenSource            Nessus (CGI module)
1.5.2.  OpenSource            Whisker
 1.6. Stress Tests
Discover pages that loads slowly and where to encounter high traffic
 1.6.1.  Paessler                 WebStress (comercial)
1.6.2.  ParaSoft                 WebKing Load Testing
1.7.Code Analysis
These tools are used to identify bad progamming techniques in various
languages (s.a. Java, C/C++, Perl, PHP, Python etc).in case of white box
In case of Black/Gray box testing, the functionality of the application
is tested based on random inputs, pre and popst conditions, verification
of time limited values. The format of input, buffer overflow, TOCTOU
(Time of Check, Time of Use), race conditions etc.
1.7.1.  AtStake                  Feszer
1.7.2.  David Wheeler         FlawFinder
1.7.3.  Reliable Software     ITS4
1.7.4.  ISECOM                  Rats
1.7.5.  University Virginia     Splint
1.7.6.  Parasoft                 JTest/C++Test
1.7.7.  Gerald Combos         Ethereal
1.7.8.  DeCafe Software      DeCafe
1.8. Session Auditing
 1.8.1.  iDefense                 Session Auditor
1.8.2.                              SPIKE
 1.9. J2EE
 1.9.1.  AdventNet              QEngine
 1.10. Tools for Training
These tools are used for training the skills needed to attack web
application as well as to test new tools.

1.10.1.         OWASP         WebGoat
1.10.2.         OWASP         WebMaven Buggy Bank


Mads Rasmussen
Open Communications Security

> -----Mensagem original-----
> De: David Endler [mailto:DEndler at]
> Enviada em: terça-feira, 3 de dezembro de 2002 15:52
> Para: 'owasp-testing at'
> Assunto: [OWASP-TESTING] Peer Review!
> OK folks, here it is, the latest and greatest version of the OWASP
> Methodology: .
> Please take some time to rip into it and get me your document copy
> edits by Monday December 9th.  No section is out of bounds, please
> free
> to add, delete, or modify content, structure, graphics, and
> To edit this document, download OpenOffice from
> Make sure you enter your name in the installation for editing
> After you open the document, please click on
> Edit->Changes->Record and
> Edit->Changes->Show
> and edit away! Thanks again for your efforts and contributions so far
> this project.  There are many people in industry anxiously awaiting
> first cut at this, believe it or not, and there has become a small
> surrounding this project.  This document is also going to be well
> integrated
> with the webgoat project so that real live examples can be illustrated
> testing techniques.  Please make the effort to provide meaningful
> and edits by Monday, thanks.  Please email me with any questions or
> technical difficulties.
> -dave
> -------------------------------------------------------
> This email is sponsored by: Microsoft Visual Studio.NET
> comprehensive development tool, built to increase your
> productivity. Try a free online hosted session at:
> _______________________________________________
> owasp-testing mailing list
> owasp-testing at

More information about the Owasp-testing mailing list