Web Application Security Testing Tools

Port Scanners

  • Nmap – general port scanner

Vulnerability Scanners

  • Nikto and Wikto – web server vulnerability checkers
  • Nessus – general purpose vulnerability checker
  • WebInspect – web application vulnerability scanner
  • Absinthe – SQL injection testing tool

Information Gathering Tools

  • SpiderFoot – footprinting tool
  • wget – site duplication tool
  • Offline Explorer – site duplication tool
  • WinHTTrack – site mirroring tool

Web Proxy Tools

  • Paros – local proxy and data manipulation tool
  • Spike proxy – proxy and data manipulation tool
  • Fiddler – proxy and data manipulation tool
  • Web View / Syntax View / Timeline – Fiddler extension
  • Burp Suite – proxy and data manipulation tool
  • POSTHook – IE plugin to manipulate POST data
  • TamperIE – IE plugin to manipulate GET and POST data
  • Webproxy – proxy and data manipulation tool
  • Webscarab – proxy and data manipulation tool

Browser Tools

  • IE, Chrome, Firefox, Opera – browsers
  • Mozilla Web Developer Toolbar – browser tool
  • IE Developer Toolbar – browser tool
  • Mozilla IE Tab Plugin – browser tool
  • Firefox Tools
  • HackBar – encoders/decoders
  • Web Developer Toolbar – modify objects in web pages
  • Tamper Data – manipulate HTTP data and headers
  • Firebug – modify HTML, JavaScript, and CSS in the browser
  • Greasemonkey – add user-defined JavaScript to a web page
  • Switch Proxy – allows easy switching of web proxies
  • FoxyProxy – regex-based smart proxy selector
  • Edit Cookies – cookie editor
  • XSS-Me – cross-site scripting testing tool
  • SQL Inject Me – SQL injection testing tool
  • CookieSwap – cookie editor
  • RoboForm – caching form data for testing

Cookies / Session Manipulation Tools

  • Cookie Pal – Cookie capture and viewing tool
  • CookieSpy – Cookie manipulation plugin for IE
  • IESpy – Cookie manipulation plugin for IE

HTTP Request Generation Tools

  • netcat – raw packet generation tool
  • wfetch – raw HTTP request generation tool

SSL Proxy Tools

  • openssl – SSL programming toolkit
  • stunnel – SSL proxy tool

Password Guessing Tools

  • Brutus – multi-purpose password brute forcer
  • Webcracker – HTTP authentication brute forcer
  • Hydra – brute-force password guessing tool for HTTP, FTP, etc.

Decompilers

  • JAD/Jode – Java decompiler
  • Reflector – .NET decompiler
  • Reflexil – Add-in for Reflector used to modify decompiled .NET code
  • FileDisassembler – Add-in for Reflector to export .NET code to Visual Studio

Miscellaneous

  • fpipe – traffic redirector
  • lynx – text browser
  • curl – web client tool
  • Dave Proxy – proxy tool used for thick client applications
  • Dave – WebDAV tool
  • Cadaver – WebDAV tool
  • SSLDigger – SSL cipher strength checker
  • THCSSLCheck – SSL cipher strength checker
  • Perl, Python – coding tools for custom scripts
  • Twill – scripting language for web browsing