1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
213 214<br />
Appendix<br />
Appendix<br />
kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US<br />
• Request Maker is a tool for penetration testing. With it you can easily<br />
capture requests made by web pages, tamper with the URL, headers<br />
and POST data and, of course, make new requests<br />
Cookie Editor - https:/chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US<br />
• Edit This Cookie is a cookie manager. You can add, delete, edit, search,<br />
protect and block cookies<br />
Cookie swap - https:/chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US<br />
• Swap My Cookies is a session manager, it manages cookies, letting<br />
you login on any website with several different accounts.<br />
Firebug lite for Chrome”” - https:/chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench<br />
• Firebug Lite is not a substitute for Firebug, or Chrome Developer<br />
Tools. It is a tool to be used in conjunction with these tools. Firebug<br />
Lite provides the rich visual representation we are used to see in Firebug<br />
when it comes to HTML elements, DOM elements, and Box Model<br />
shading. It provides also some cool features like inspecting HTML elements<br />
with your mouse, and live editing CSS properties<br />
Session Manager”” - https:/chrome.google.com/webstore/detail/<br />
bbcnbpafconjjigibnhbfmmgdbbkcjfi<br />
• With Session Manager you can quickly save your current browser<br />
state and reload it whenever necessary. You can manage multiple<br />
sessions, rename or remove them from the session library. Each session<br />
remembers the state of the browser at its creation time, i.e the<br />
opened tabs and windows.<br />
Subgraph Vega - http:/www.subgraph.com/products.html<br />
• Vega is a free and open source scanner and testing platform to test<br />
the security of web applications. Vega can help you find and validate<br />
SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive<br />
information, and other vulnerabilities. It is written in Java, GUI<br />
based, and runs on Linux, OS X, and Windows.<br />
Testing for specific vulnerabilities<br />
Testing for DOM XSS<br />
• DOMinator Pro - https:/dominator.mindedsecurity.com<br />
Testing AJAX<br />
• OWASP Sprajax Project<br />
Testing for SQL Injection<br />
• OWASP SQLiX<br />
• Sqlninja: a SQL Server Injection & Takeover Tool - http:/sqlninja.<br />
sourceforge.net<br />
• Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http:/<br />
sqlmap.org/<br />
• Absinthe 1.1 (formerly SQLSqueal) - http:/sourceforge.net/projects/<br />
absinthe/<br />
• SQLInjector - Uses inference techniques to extract data and<br />
determine the backend database server. http:/www.databasesecurity.<br />
com/sql-injector.htm<br />
• Bsqlbf-v2: A perl script allows extraction of data from Blind SQL<br />
Injections - http:/code.google.com/p/bsqlbf-v2/<br />
• Pangolin: An automatic SQL injection penetration testing tool - http:/<br />
www.darknet.org.uk/2009/05/pangolin-automatic-sql-injectiontool/<br />
• Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper -<br />
http:/www.ruizata.com/<br />
• Multiple DBMS Sql Injection tool - SQL Power Injector - http:/www.<br />
sqlpowerinjector.com/<br />
• MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools - http:/<br />
packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html<br />
Testing Oracle<br />
• TNS Listener tool (Perl) - http:/www.jammed.com/%7Ejwa/hacks/<br />
security/tnscmd/tnscmd-doc.html<br />
• Toad for Oracle - http:/www.quest.com/toad<br />
Testing SSL<br />
• Foundstone SSL Digger - http:/www.mcafee.com/us/downloads/<br />
free-tools/ssldigger.aspx<br />
Testing for Brute Force Password<br />
• THC Hydra - http:/www.thc.org/thc-hydra/<br />
• John the Ripper - http:/www.openwall.com/john/<br />
• Brutus - http:/www.hoobie.net/brutus/<br />
• Medusa - http:/www.foofus.net/~jmk/medusa/medusa.html<br />
• Ncat - http:/nmap.org/ncat/<br />
Testing Buffer Overflow<br />
OllyDbg - http:/www.ollydbg.de<br />
• “A windows based debugger used for analyzing buffer overflow<br />
vulnerabilities”<br />
Spike - http:/www.immunitysec.com/downloads/SPIKE2.9.tgz<br />
• A fuzzer framework that can be used to explore vulnerabilities and<br />
perform length testing<br />
Brute Force Binary Tester (BFB) - http:/bfbtester.sourceforge.net<br />
• A proactive binary checker<br />
Metasploit - http:/www.metasploit.com/<br />
• A rapid exploit development and Testing frame work<br />
Fuzzer<br />
• OWASP WSFuzzer<br />
• Wfuzz - http:/www.darknet.org.uk/2007/07/wfuzz-a-tool-forbruteforcingfuzzing-web-applications/<br />
Googling<br />
• Stach & Liu’s Google Hacking Diggity Project - http:/www.stachliu.<br />
com/resources/tools/google-hacking-diggity-project/<br />
• Foundstone Sitedigger (Google cached fault-finding) - http:/www.<br />
mcafee.com/us/downloads/free-tools/sitedigger.aspx<br />
Commercial Black Box Testing tools<br />
• NGS Typhon III - http:/www.nccgroup.com/en/our-services/<br />
security-testing-audit-compliance/information-security-software/<br />
ngs-typhon-iii/<br />
• NGSSQuirreL - http:/www.nccgroup.com/en/our-services/securitytesting-audit-compliance/information-security-software/ngssquirrel-vulnerability-scanners/<br />
• IBM AppScan - http:/www-01.ibm.com/software/awdtools/<br />
appscan/<br />
• Cenzic Hailstorm - http:/www.cenzic.com/products_services/<br />
cenzic_hailstorm.php<br />
• Burp Intruder - http:/www.portswigger.net/burp/intruder.html<br />
• Acunetix Web Vulnerability Scanner - http:/www.acunetix.com<br />
• Sleuth - http:/www.sandsprite.com<br />
• NT Objectives NTOSpider - http:/www.ntobjectives.com/products/<br />
ntospider.php<br />
• MaxPatrol Security Scanner - http:/www.maxpatrol.com<br />
• Ecyware GreenBlue Inspector - http:/www.ecyware.com<br />
• Parasoft SOAtest (more QA-type tool) - http:/www.parasoft.com/<br />
jsp/products/soatest.jsp?itemId=101<br />
• MatriXay - http:/www.dbappsecurity.com/webscan.html<br />
• N-Stalker Web Application Security Scanner - http:/www.nstalker.<br />
com<br />
• HP WebInspect - http:/www.hpenterprisesecurity.com/products/<br />
hp-fortify-software-security-center/hp-webinspect<br />
• SoapUI (Web Service security testing) - http:/www.soapui.org/<br />
Security/getting-started.html<br />
• Netsparker - http:/www.mavitunasecurity.com/netsparker/<br />
• SAINT - http:/www.saintcorporation.com/<br />
• QualysGuard WAS - http:/www.qualys.com/enterprises/<br />
qualysguard/web-application-scanning/<br />
• Retina Web - http:/www.eeye.com/Products/Retina/Web-<br />
Security-Scanner.aspx<br />
• Cenzic Hailstorm - http:/www.cenzic.com/downloads/datasheets/<br />
Cenzic-datasheet-Hailstorm-Technology.pdf<br />
Source Code Analyzers<br />
Open Source / Freeware<br />
• Owasp Orizon<br />
• OWASP LAPSE<br />
• OWASP O2 Platform<br />
• Google CodeSearchDiggity - http:/www.stachliu.com/resources/<br />
tools/google-hacking-diggity-project/attack-tools/<br />
• PMD - http:/pmd.sourceforge.net/<br />
• FlawFinder - http:/www.dwheeler.com/flawfinder<br />
• Microsoft’s FxCop<br />
• Splint - http:/splint.org<br />
• Boon - http:/www.cs.berkeley.edu/~daw/boon<br />
• FindBugs - http:/findbugs.sourceforge.net<br />
• Find Security Bugs - http:/h3xstream.github.io/find-sec-bugs/<br />
• Oedipus - http:/www.darknet.org.uk/2006/06/oedipus-opensource-web-application-security-analysis/<br />
• W3af - http:/w3af.sourceforge.net/<br />
• phpcs-security-audit - https:/github.com/Pheromone/phpcssecurity-audit<br />
Commercial<br />
• Armorize CodeSecure - http:/www.armorize.com/index.php?link_<br />
id=codesecure<br />
• Parasoft C/C++ test - http:/www.parasoft.com/jsp/products/<br />
cpptest.jsp/index.htm<br />
• Checkmarx CxSuite - http:/www.checkmarx.com<br />
• HP Fortify - http:/www.hpenterprisesecurity.com/products/hpfortify-software-security-center/hp-fortify-static-code-analyzer<br />
• GrammaTech - http:/www.grammatech.com<br />
• ITS4 - http:/seclab.cs.ucdavis.edu/projects/testing/tools/its4.html<br />
• Appscan - http:/www-01.ibm.com/software/rational/products/<br />
appscan/source/<br />
• ParaSoft - http:/www.parasoft.com<br />
• Virtual Forge CodeProfiler for ABAP - http:/www.virtualforge.de<br />
• Veracode - http:/www.veracode.com<br />
• Armorize CodeSecure - http:/www.armorize.com/codesecure/<br />
Acceptance Testing Tools<br />
Acceptance testing tools are used to validate the functionality of web<br />
applications. Some follow a scripted approach and typically make use<br />
of a Unit Testing framework to construct test suites and test cases.<br />
Most, if not all, can be adapted to perform security specific tests in<br />
addition to functional tests.<br />
Open Source Tools<br />
• WATIR - http:/wtr.rubyforge.org<br />
• A Ruby based web testing framework that provides an interface into<br />
Internet Explorer.<br />
• Windows only.<br />
• HtmlUnit - http:/htmlunit.sourceforge.net<br />
• A Java and JUnit based framework that uses the Apache HttpClient<br />
as the transport.<br />
• Very robust and configurable and is used as the engine for a number<br />
of other testing tools.<br />
• jWebUnit - http:/jwebunit.sourceforge.net<br />
• A Java based meta-framework that uses htmlunit or selenium as the<br />
testing engine.<br />
• Canoo Webtest - http:/webtest.canoo.com<br />
• An XML based testing tool that provides a facade on top of htmlunit.<br />
• No coding is necessary as the tests are completely specified in XML.<br />
• There is the option of scripting some elements in Groovy if XML does<br />
not suffice.<br />
• Very actively maintained.<br />
• HttpUnit - http:/httpunit.sourceforge.net<br />
• One of the first web testing frameworks, suffers from using the<br />
native JDK provided HTTP transport, which can be a bit limiting for<br />
security testing.<br />
• Watij - http:/watij.com<br />
• A Java implementation of WATIR.<br />
• Windows only because it uses IE for its tests (Mozilla integration is<br />
in the works).<br />
• Solex - http:/solex.sourceforge.net<br />
• An Eclipse plugin that provides a graphical tool to record HTTP<br />
sessions and make assertions based on the results.<br />
• Selenium - http:/seleniumhq.org/<br />
• JavaScript based testing framework, cross-platform and provides a<br />
GUI for creating tests.<br />
• Mature and popular tool, but the use of JavaScript could hamper<br />
certain security tests.<br />
Other Tools<br />
Runtime Analysis<br />
• Rational PurifyPlus - http:/www-01.ibm.com/software/awdtools/<br />
purify/<br />
• Seeker by Quotium - http:/www.quotium.com/prod/security.php<br />
Binary Analysis<br />
• BugScam IDC Package - http:/sourceforge.net/projects/bugscam<br />
• Veracode - http:/www.veracode.com<br />
Requirements Management<br />
• Rational Requisite Pro - http:/www-306.ibm.com/software/<br />
awdtools/reqpro<br />
Site Mirroring<br />
• wget - http:/www.gnu.org/software/wget, http:/www.interlog.<br />
com/~tcharron/wgetwin.html<br />
• curl - http:/curl.haxx.se<br />
• Sam Spade - http:/www.samspade.org<br />
• Xenu’s Link Sleuth - http:/home.snafu.de/tilman/xenulink.html<br />
OWASP Testing Guide Appendix B:<br />
Suggested Reading<br />
Whitepapers<br />
• The Economic Impacts of Inadequate Infrastructure for Software