[OWASP-TESTING] Peer Review!
tomgal at Exchange.Microsoft.com
Thu Dec 5 16:00:22 EST 2002
Achilles isn't made by @Stake. I downloaded it from http://www.digizen-security.com, but that web site seems to display gibberish now.
There are also other tools I can think of that aren't designed for security testing but are really useful. For example, have you tried using SQL Profiler to find SQL injection bugs? It is really helpful.
Not sure if you want to include these types of tools or not.
Tom Gallagher <tomgal at microsoft.com>
Office QnS Security Team
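Tom's remark about SQL Profiler is worth making concrete, since the same trick works with any database that can trace the statements it actually executes. The following is an added example, not part of the mail: sqlite3's trace callback stands in for SQL Profiler, and the users table, the two login functions and the tautology payload are constructed for the demonstration. The idea is to run the same code path twice under trace, once with harmless input and once with an injection payload, collapse string literals in the traced statements to a placeholder, and compare: if the skeleton of the executed SQL changed, the input became part of the query grammar.

```python
"""
Using the database's own statement trace (what SQL Profiler shows on SQL
Server) to spot SQL injection.  Added example; sqlite3's trace callback is
a stand-in for SQL Profiler, and the schema, login functions and payload
are constructed for the demonstration.
"""
import re
import sqlite3

# Constructed sample data: one user, so a correct login returns exactly one id.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users (username, password) VALUES ('alice', 's3cret');
"""


def fresh_db():
    """In-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class StatementTrace:
    """Collects every statement the engine executes, like a Profiler trace."""

    def __init__(self, conn):
        self.statements = []
        # sqlite3 hands the callback the SQL text as executed, with bound
        # parameters expanded where the library supports it.
        conn.set_trace_callback(self.statements.append)

    def last(self):
        return self.statements[-1]


def login_vulnerable(conn, username, password):
    # String concatenation: attacker input becomes part of the SQL grammar.
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_hardened(conn, username, password):
    # Bound parameters: the engine never parses the input as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# A SQL string literal; a doubled quote inside is an escaped quote.
_LITERAL = re.compile(r"'(?:[^']|'')*'")


def skeleton(sql):
    """Reduce a traced statement to its grammar: literals collapsed to '?'."""
    return re.sub(r"\s+", " ", _LITERAL.sub("?", sql)).strip().upper()


def injection_changes_query(login, benign, payload):
    """
    Run the login twice under trace, once with benign input and once with
    the payload.  If the skeletons of the executed statements differ, the
    payload altered the query structure: that is SQL injection, whether or
    not the attempt also happened to return a row.
    Returns (structure_changed, row_returned_for_payload).
    """
    conn = fresh_db()
    trace = StatementTrace(conn)
    login(conn, *benign)
    baseline = skeleton(trace.last())
    row = login(conn, *payload)
    attacked = skeleton(trace.last())
    conn.close()
    return baseline != attacked, row is not None


BENIGN = ("alice", "wrong-password")
PAYLOAD = ("alice", "' OR '1'='1")   # classic tautology, constructed test input

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        changed, bypass = injection_changes_query(fn, BENIGN, PAYLOAD)
        print(f"{name:10s} structure changed: {changed}  login bypassed: {bypass}")
```

Comparing skeletons rather than grepping the trace for the payload matters because a parameterised query still shows the payload text in an expanded trace, correctly quoted; only the concatenated query gains an extra `OR ?=?` clause. In practice you would run the application's test inputs against it and read the statements off the Profiler trace the same way.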
From: Mads Rasmussen [mailto:mads at opencs.com.br]
Sent: Thursday, December 05, 2002 11:44 AM
To: David Endler
Cc: owasp-testing at lists.sourceforge.net
Here is a text describing our toolbag for testing web applications; it
still needs improvement.
I will send it again, included in the OpenOffice document as an appendix. I
have some figures for the methodology as well, maybe tomorrow :)
Appendix II - Toolbag
1 - Test Tools
The following items are part of the toolbag for tests of web
applications. New tools can be added depending on needs according to the
toolbag updating methodology.
The items are divided into references, company, tool and if the license
1.1. Assessment tools
These tools are used to map the architecture of the application to be
tested as well as its environment, scanning the hierarchy of available
resources at the web server, examining the contents, returning and
reporting where problems might be.
Virtual users could be used to simulate use of the site.
Some tools listed will suggest solutions to encountered vulnerabilities.
1.1.1. AtStake WAP Assessment Tool
1.1.2. AtStake WebProxy
1.1.3. ISECOM AssTool
1.1.4. OSSTM Metis
1.1.5. eEye Retina (commercial)
1.1.6. ParaSoft WebKing Box Testing (commercial)
These tools are used to perform attacks based on variations in requests
1.2.1. AtStake Fuzzer
1.2.2. AtStake Fuzzer Server
Dictionary attacks + variations, and brute force on logins and passwords
1.3.1. OpenSource Brutus
1.3.2. Immunity Security SPIKE
1.4. Cookie and HTTP Manipulation
Man-in-the-middle attacks modifying the messages sent between the client
and the server
1.4.1. Paessler IE Booster (commercial)
1.4.2. AtStake Achilles
1.5. CGI Tests
1.5.1. OpenSource Nessus (CGI module)
1.5.2. OpenSource Whisker
1.6. Stress Tests
Discover pages that load slowly and where high traffic is encountered
1.6.1. Paessler WebStress (commercial)
1.6.2. ParaSoft WebKing Load Testing
These tools are used to identify bad programming techniques in various
languages (such as Java, C/C++, Perl, PHP, Python etc.) in the case of white-box testing.
In the case of black/gray-box testing, the functionality of the application
is tested based on random inputs, pre- and post-conditions, and verification
of time-limited values: the format of input, buffer overflows, TOCTOU
(Time of Check, Time of Use), race conditions etc.
1.7.1. AtStake Feszer
1.7.2. David Wheeler FlawFinder
1.7.3. Reliable Software ITS4
1.7.4. ISECOM Rats
1.7.5. University of Virginia Splint
1.7.6. Parasoft JTest/C++Test
1.7.7. Gerald Combs Ethereal
1.7.8. DeCafe Software DeCafe
1.8. Session Auditing
1.8.1. iDefense Session Auditor
1.9.1. AdventNet QEngine
1.10. Tools for Training
These tools are used for training the skills needed to attack web
application as well as to test new tools.
1.10.1. OWASP WebGoat
1.10.2. OWASP WebMaven Buggy Bank
Open Communications Security
> -----Original Message-----
> From: David Endler [mailto:DEndler at iDefense.com]
> Sent: Tuesday, 3 December 2002 15:52
> To: 'owasp-testing at lists.sourceforge.net'
> Subject: [OWASP-TESTING] Peer Review!
> OK folks, here it is, the latest and greatest version of the OWASP
> Methodology: http://www.owasp.org/testing/TestingPeerReview0.6.sxw .
> Please take some time to rip into it and get me your document copy
> edits by Monday December 9th. No section is out of bounds, please
> to add, delete, or modify content, structure, graphics, and
> To edit this document, download OpenOffice from
> Make sure you enter your name in the installation for editing
> After you open the document, please click on
> Edit->Changes->Record and
> and edit away! Thanks again for your efforts and contributions so far
> this project. There are many people in industry anxiously awaiting
> first cut at this, believe it or not, and there has become a small
> surrounding this project. This document is also going to be well
> with the webgoat project so that real live examples can be illustrated
> testing techniques. Please make the effort to provide meaningful
> and edits by Monday, thanks. Please email me with any questions or
> technical difficulties.
owasp-testing mailing list
owasp-testing at lists.sourceforge.net