Port Scanners
- Nmap – general port scanner
Vulnerability Scanners
- Nikto and Wikto – web server vulnerability checkers
- Nessus – general purpose vulnerability checker
- WebInspect – web application vulnerability scanner
- Absinthe – SQL injection testing tool
Information Gathering Tools
- SpiderFoot – footprinting tool
- wget – site duplication tool
- Offline Explorer – site duplication tool
- WinHTTrack – site mirroring tool
Web Proxy Tools
- Paros – local proxy and data manipulation tool
- Spike proxy – proxy and data manipulation tool
- Fiddler – proxy and data manipulation tool
- Web View / Syntax View / Timeline – Fiddler extension
- Burp Suite – proxy and data manipulation tool
- POSTHook – IE plugin to manipulate POST data
- TamperIE – IE plugin to manipulate GET and POST data
- Webproxy – proxy and data manipulation tool
- Webscarab – proxy and data manipulation tool
Browser Tools
- IE, Chrome, Firefox, Opera – browsers
- Mozilla Web Developer Toolbar – browser tool
- IE Developer Toolbar – browser tool
- Mozilla IE Tab Plugin – browser tool
- Firefox Tools
- HackBar – encoders/decoders
- Web Developer Toolbar – modify objects in web pages
- Tamper Data – manipulate HTTP data and headers
- Firebug – modify HTML, Java, and CSS in the browser
- Greasemonkey – add user-defined JavaScript to a web page
- Switch Proxy – allows easy switching of web proxies
- FoxyProxy – regex-based smart proxy selector
- Edit Cookies – cookie editor
- XSS-Me – cross-site scripting tool
- SQL Inject Me – SQL injection testing tool
- CookieSwap – cookie editor
- RoboForm – caching form data for testing
Cookies / Session Manipulation Tools
- Cookie Pal – Cookie capture and viewing tool
- CookieSpy – Cookie manipulation plugin for IE
- IESpy – Cookie manipulation plugin for IE
HTTP Request Generation Tools
- netcat – raw packet generation tool
- wfetch – raw HTTP request generation tool
SSL Proxy Tools
- openssl – SSL programming toolkit
- stunnel – SSL proxy tool
Password Guessing Tools
- Brutus – multi-purpose password brute forcer
- Webcracker – HTTP authentication brute forcer
- Hydra – brute force password guessing tool for HTTP, FTP, etc.
Decompilers
- JAD/Jode – Java decompiler
- Reflector – .NET decompiler
- Reflexil – Add-in for Reflector used to modify decompiled .NET code
- FileDisassembler – Add-in for Reflector to export .NET code to Visual Studio
Miscellaneous
- fpipe – traffic redirector
- lynx – text browser
- curl – web client tool
- Dave Proxy – proxy tool used for thick client applications
- Dave – WebDAV tool
- Cadaver – WebDAV tool
- SSLDigger – SSL cipher strength checker
- THCSSLCheck – SSL cipher strength checker
- Perl, Python – coding tools for custom scripts
- Twill – scripting language for web browsing