Security Testing - Automation Tools
There are various tools available for performing security testing of an application. A few of them can perform end-to-end security testing, while others are dedicated to spotting one particular type of flaw in the system.
Open Source Tools
Some open source security testing tools are listed below −
| S.No. | Tool | Description |
|---|---|---|
| 1 | Zed Attack Proxy | Provides automated scanners and other tools for spotting security flaws. |
| 2 | OWASP WebScarab | Developed in Java for analysing HTTP and HTTPS requests. |
| 3 | OWASP Mantra | Supports a multilingual security testing framework (https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework). |
| 4 | Burp Proxy | Tool for intercepting and modifying traffic; works with custom SSL certificates. |
| 5 | Firefox Tamper Data | Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters. |
| 6 | Firefox Web Developer Tools | The Web Developer extension adds various web developer tools to the browser. |
| 7 | Cookie Editor | Lets the user add, delete, edit, search, protect and block cookies. |
Specific Tool Sets
The following tools can help spot a particular type of vulnerability in the system −
| S.No. | Tool | Vulnerability Type |
|---|---|---|
| 1 | OWASP SQLiX | SQL Injection |
| 2 | Sqlninja | SQL Injection |
| 3 | SQLInjector | SQL Injection |
| 4 | sqlpowerinjector | SQL Injection |
| 5 | SSL Digger | Testing SSL |
| 6 | THC-Hydra | Password brute forcing |
| 7 | Brutus | Password brute forcing (https://www.hackercoolmagazine.com/brutus-password-cracker-complete-guide/) |
| 8 | Ncat | Password brute forcing |
| 9 | OllyDbg | Testing Buffer Overflow |
| 10 | Metasploit | Testing Buffer Overflow |
Commercial Black Box Testing Tools
Here are some of the commercial black box testing tools that help spot security issues in the applications we develop.
| S.No | Tool | 
|---|---|
| 1 | NGSSQuirreL | 
| 2 | IBM AppScan | 
| 3 | Acunetix Web Vulnerability Scanner | 
| 4 | NTOSpider | 
| 5 | SOAP UI | 
| 6 | Netsparker | 
| 7 | HP WebInspect | 
Free Source Code Analyzers
| S.No | Tool | 
|---|---|
| 1 | OWASP Orizon | 
| 2 | SearchDiggity | 
| 3 | FXCOP | 
| 4 | Splint | 
| 5 | Boon | 
| 6 | W3af | 
| 7 | FlawFinder | 
| 8 | FindBugs | 
Commercial Source Code Analyzers
These analyzers examine the source code and detect and report weaknesses that are prone to becoming vulnerabilities −
| S.No | Tool | 
|---|---|
| 1 | Parasoft C/C++ test | 
| 2 | HP Fortify | 
| 3 | Appscan | 
| 4 | Veracode | 
| 5 | Armorize CodeSecure | 
| 6 | GrammaTech |