Web App Testing Tools

Web App Testing Tools
As security testers we tend to always be on the lookout for new or updated tools to test the security of web based applications. Some of these are of course commercial, but most of us also make extensive use of the free and/or open source offerings. In no particular order here are the ones I am currently making use of: Burp Suite - http://portswigger.net/suite/ Fiddler2 - http://www.fiddler2.com/fiddler2/ Watcher - http://websecuritytool.codeplex.com/ Ratproxy - http://code.google.com/p/ratproxy/ Grendel Scan - http://grendel-scan.com/ W3AF - http://w3af.sourceforge.net/ Skipfish - http://code.google.com/p/skipfish/ Exploit-me - http://labs.securitycompass.com/index.php/exploit-me/ Wikto - http://www.sensepost.com/research/wikto/ Tamper data - http://tamperdata.mozdev.org/ Wmap - http://www.metasploit.com/redmine/projects/framework/wiki/WMAP Nikto - http://cirt.net/nikto2 Special mention to Samurai WTF - http://samurai.inguardians.com/ Please let us know if there are any I haven't mentioned that you find useful, and why! I'll add them to an update of the list after wards. firebug - http://getfirebug.com/ webscarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project curl and wget Various versions of different web browsers Various scripts in different scripting languages I've deliberately decided to exclude commercial scanners, either web application specific or network scanners that can also do some web application tests. Cheers, Adrien de Beaupré Intru-shun.ca Inc.	Adrien de Beaupre 353 Posts ISC Handler
Subscribe	Apr 13th 2010 9 years ago
How about some more browser plugins to assist with the testing. E.g. MultiProxy to quickly switch between local proxies, and developer toolbar to inspect and modify pages. Also SSLScan or something similar to rate certificate strength. I would be interested to know how people go about documenting their testing. Something like the Leo Editor, or do you just use Open Office with templates and macros?	Anonymous
Quote	Apr 13th 2010 9 years ago
Netsparker + Watcher Netsparker + Ratproxy Skipfish Burp Suite Pro + Buby + Gotham Digital Science tools fuzzdb.googlecode.com I do not like Grendel-Scan. I do not like W3AF. Wikto and Nikto are old, perhaps replaced by Skipfish or Burp Intruder with the fuzzdb list. Firefox add-ons are unstable and annoying -- Burp Suite Pro is better. My current favorite distro is the Web Security Dojo (much better than Samurai-WTF). SSLScan.sf.net is pretty neat, but so is ssllabs.com	Anonymous
Quote	Apr 14th 2010 9 years ago
The Codeburner plugin for Firebug is handy as a side-reference.	AndrewB 24 Posts
Quote	Apr 14th 2010 9 years ago

As security testers we tend to always be on the lookout for new or updated tools to test the security of web based applications. Some of these are of course commercial, but most of us also make extensive use of the free and/or open source offerings. In no particular order here are the ones I am currently making use of:

Burp Suite - http://portswigger.net/suite/
Fiddler2 - http://www.fiddler2.com/fiddler2/
Watcher - http://websecuritytool.codeplex.com/
Ratproxy - http://code.google.com/p/ratproxy/
Grendel Scan - http://grendel-scan.com/
W3AF - http://w3af.sourceforge.net/
Skipfish - http://code.google.com/p/skipfish/
Exploit-me - http://labs.securitycompass.com/index.php/exploit-me/
Wikto - http://www.sensepost.com/research/wikto/
Tamper data - http://tamperdata.mozdev.org/
Wmap - http://www.metasploit.com/redmine/projects/framework/wiki/WMAP
Nikto - http://cirt.net/nikto2

Special mention to Samurai WTF - http://samurai.inguardians.com/

Please let us know if there are any I haven't mentioned that you find useful, and why! I'll add them to an update of the list after wards.

firebug - http://getfirebug.com/
webscarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
curl and wget
Various versions of different web browsers
Various scripts in different scripting languages

I've deliberately decided to exclude commercial scanners, either web application specific or network scanners that can also do some web application tests.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Adrien de Beaupre

353 Posts
ISC Handler

How about some more browser plugins to assist with the testing. E.g. MultiProxy to quickly switch between local proxies, and developer toolbar to inspect and modify pages. Also SSLScan or something similar to rate certificate strength.

I would be interested to know how people go about documenting their testing. Something like the Leo Editor, or do you just use Open Office with templates and macros?

Anonymous

Netsparker + Watcher
Netsparker + Ratproxy
Skipfish
Burp Suite Pro + Buby + Gotham Digital Science tools
fuzzdb.googlecode.com

I do not like Grendel-Scan. I do not like W3AF. Wikto and Nikto are old, perhaps replaced by Skipfish or Burp Intruder with the fuzzdb list. Firefox add-ons are unstable and annoying -- Burp Suite Pro is better. My current favorite distro is the Web Security Dojo (much better than Samurai-WTF). SSLScan.sf.net is pretty neat, but so is ssllabs.com

Anonymous

The Codeburner plugin for Firebug is handy as a side-reference.

AndrewB

24 Posts