Some Free Web App Security Testing Tools & Resources

Thursday, June 11, 2009

We went over some of these tools at the latest North Carolina OWASP Meeting, so I thought I’d make this list available here. Enjoy!

Proxy Servers:

WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
Burp: http://www.portswigger.net/suite/download.html
Paros: http://www.parosproxy.org/download.shtml

Firefox Plugins:
Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/966
NoScript: http://noscript.net/getit
ShowIP: https://addons.mozilla.org/en-US/firefox/addon/590
SwitchProxy: https://addons.mozilla.org/en-US/firefox/addon/125
SQL Inject Me: https://addons.mozilla.org/en-US/firefox/addon/7597
XSS Me: https://addons.mozilla.org/en-US/firefox/addon/7598
ViewStatePeeker: https://addons.mozilla.org/en-US/firefox/addon/7167

Many of these are included in a single plugin distribution here: https://addons.mozilla.org/en-US/firefox/collection/webappsec

Some SQL Injection Tools We Discussed:

SQLMap: http://sqlmap.sourceforge.net/
SQLNinja: http://sqlninja.sourceforge.net/
Pangolin: http://www.nosec.org/en/pangolin.html

Test Applications that won't land you in Prison:
WebGoat: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp (look under SASS Tools)

Some suggestions taken from RSnake over at ha.ckers.org:
* http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
* http://testasp.acunetix.com/Default.asp
* http://test.acunetix.com/
* http://hackme.ntobjectives.com/
* http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
* http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
* http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
* http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
* http://zero.webappsecurity.com/
* http://www.hackertest.net/
* http://www.hackthissite.org/
* http://www.mavensecurity.com/WebMaven.php
* http://ha.ckers.org/challenge/
* http://ha.ckers.org/challenge2/
* http://demo.testfire.net/
* http://scanme.nmap.org/
* http://www.hellboundhackers.org/
* http://www.overthewire.org/wargames/
* http://roothack.org/
* http://heorot.net/
* http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
* http://wocares.com/xsstester.php
* https://how2hack.net
* http://hax.tor.hu/
