- Security Testing - Home
- Security Testing - Overview
- Security Testing - Process
- Security Testing - Malicious Software
- HTTP Protocol Basics
- HTTPS Protocol Basics
- Encoding and Decoding
- Security Testing - Cryptography
- Security Testing - Same Origin Policy
- Security Testing - Cookies
- Hacking Web Applications
- Security Testing - Injection
- Testing Broken Authentication
- Testing Cross Site Scripting
- Insecure Direct Object Reference
- Testing Security Misconfiguration
- Testing Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery
- Components with Vulnerabilities
- Unvalidated Redirects and Forwards
- Security Testing - Ajax Security
- Testing Security - Web Service
- Security Testing - Buffer Overflows
- Security Testing - Denial of Service
- Testing Malicious File Execution
- Security Testing - Automation Tools
Security Testing - Automation Tools
There are various tools that are available to perform security testing of an application. There are few tools that can perform end to end security testing while some are dedicated to spot a particular type of flaw in the system.
Open Source tools
Below are the some of the open source testing tools which can be used for security testing purposes.
| S.No | Tool Name |
|---|---|
| 1 | Zed Attack Proxy Provides Automated Scanners and other tools for spotting security flaws. https://www.zaproxy.org/ |
| 2 | OWASP WebScarab Developed in Java for Analysing Http and Https requests. https://www.owasp.org/index.php/OWASP_WebScarab_Project |
| 3 | OWASP Mantra Supports multi-lingual security testing framework https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework |
| 4 | Burp Proxy Tool for Intercepting & Modyfying traffic and works with work with custom SSL certificates. http://www.portswigger.net/Burp/ |
| 5 | Firefox Tamper Data Use tamperdata to view and modify HTTP/HTTPS headers and post parameters https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ |
| 6 | Firefox Web Developer Tools The Web Developer extension adds various web developer tools to the browser. https://addons.mozilla.org/en-US/firefox/addon/web-developer/ |
| 7 | Cookie Editor Lets user to add, delete, edit, search, protect and block cookies https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US |
Specific Tool sets
Following are the tools that can help us to spot a particular type of vulnerabilities in the system.
| S.No | Link |
|---|---|
| 1 | DOMinator Pro - Testing for DOM XSS https://portswigger.net/web-security/cross-site-scripting/dom-based |
| 2 | OWASP SQLiX - SQL Injection https://www.owasp.org/index.php/Category:OWASP_SQLiX_Project |
| 3 | Sqlninja - SQL Injection http://sqlninja.sourceforge.net/ |
| 4 | SQLInjector - SQL Injection http://sourceforge.net/projects/safe3si/ |
| 5 | sqlpowerinjector - SQL Injection http://www.sqlpowerinjector.com/ |
| 6 | SSL Digger - Testing SSL http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx |
| 7 | THC-Hydra - Brute Force Password https://www.imperva.com/learn/application-security/brute-force-attack/ |
| 8 | Brutus - Brute Force Password https://www.kaspersky.com/resource-center/definitions/brute-force-attack |
| 9 | Ncat - Brute Force Password http://nmap.org/ncat/ |
| 10 | OllyDbg - Testing Buffer Overflow http://www.ollydbg.de/ |
| 11 | Spike - Testing Buffer Overflow http://www.immunitysec.com/downloads/SPIKE2.9.tgz |
| 12 | Metasploit - Testing Buffer Overflow http://www.metasploit.com/ |
Commercial Black Box Testing tools
Below are some of the commercial Black box testing tools which helps us to spot security issues in the application that we develop.
| S.No | Tool |
|---|---|
| 1 | NGSSQuirreL - https://www.sqlservercentral.com/articles/review-ngssquirrel-1 |
| 2 | IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/ |
| 3 | Acunetix Web Vulnerability Scanner - http://www.acunetix.com/ |
| 4 | NTOSpider - https://github.com/dradis/dradis-ntospider |
| 5 | SOAP UI - http://www.soapui.org/Security/getting-started.html |
| 6 | Netsparker - http://www.mavitunasecurity.com/netsparker/ |
| 7 | HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect |
Free Source Code Analyzers
| S.No | Tool |
|---|---|
| 1 | OWASP Orizon - https://www.owasp.org/index.php/Category:OWASP_Orizon_Project |
| 2 | OWASP O2 - https://openhub.net/p/o2platform |
| 3 | SearchDiggity - http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ |
| 4 | FXCOP - https://www.owasp.org/index.php/FxCop |
| 5 | Splint - http://splint.org/ |
| 6 | Boon - http://www.cs.berkeley.edu/~daw/boon/ |
| 7 | W3af - https://github.com/andresriancho/w3af |
| 8 | FlawFinder - http://www.dwheeler.com/flawfinder/ |
| 9 | FindBugs - http://findbugs.sourceforge.net/ |
Commercial Source Code Analyzers
| S.No | Tool |
|---|---|
| 1 | Parasoft C/C++ test - http://www.parasoft.com/cpptest/security_testing_malacious_file_execution.htm |
| 2 | HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer |
| 3 | Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/ |
| 4 | Veracode - http://www.veracode.com |
| 5 | Armorize CodeSecure - https://www.armorizetech.com/secure-code-review/ |
| 6 | GrammaTech - http://www.grammatech.com/ |
Advertisements