




Test sites / testing grounds
- SPI Dynamics (live) /
- Cenzic (live) /
- Watchfire (live) /
- Acunetix (live) /
- WebMaven / Buggy Bank /webmaven
- Foundstone SASS tools /us/resources-free-tools.asp
- Updated HackmeBank /technical-info/2008/12/8/updated-version-of-hacmebank.html
- OWASP WebGoat /index.php/OWASP_WebGoat_Project
- OWASP SiteGenerator /index.php/Owasp_SiteGenerator
- Stanford SecuriBench /livshits/securibench/
- SecuriBench Micro /livshits/work/securibench-micro/

HTTP proxying / editing
- WebScarab /index.php/Category:OWASP_WebScarab_Project
- Burp /
- Paros /
- Fiddler /
- Web Proxy Editor /mspress/companion/0-7356-2187-X/
- Pantera /index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
- Suru /research/suru/
- httpedit (curses-based) /en/rd/httpedit/
- Charles /charles/
- Odysseus /tools/odysseus
- Burp, Paros, and WebScarab for Mac OS X /downloads/
- Web-application scanning tool from Network Security Tools/O'Reilly /networkst/
- JS Commander /
- Ratproxy /p/ratproxy/

RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools
- Wfuzz /wfuzz.php
- ProxMon /proxmon.html
- Wapiti /
- Grabber /beta/grabber/
- XSSScan http://darkcode.ath.cx/scanners/XSSscan.py
- CAL9000 /index.php/Category:OWASP_CAL9000_Project
- HTMangLe /Tools/HTMangLe/publish.htm
- JBroFuzz /projects/jbrofuzz
- XSSFuzz /blog/20060921/xssfuzz-released/
- WhiteAcid's XSS Assistant /greasemonkey/
- Overlong UTF /mspress/companion/0-7356-2187-X/
- TGZ MielieTool (SensePost Research) /UNIX/utilities/mielietools-v1.0.tgz
- RegFuzzer: test your regular expression filter /b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter
- screamingCobra /projects/screamingcobra.html
- SPIKE and SPIKE Proxy /resources-freesoftware.shtml
- RFuzz /
- WebFuzz /index.php?option=com_content&task=view&id=112&Itemid=99999999
- TestMaker /Docs/downloads/features.html
- ASP Auditor /projects/asp-auditor-v2/
- WSTool /
- Web Hack Control Center (WHCC) /whcc/
- Web Text Converter /mspress/companion/0-7356-2187-X/
- HackBar (Firefox Add-on) /firefox/3899/
- Net-Force Tools (NF-Tools, Firefox Add-on) -force.nl/library/downloads/
- PostIntercepter (Greasemonkey script) /scripts/show/743

HTTP general testing / fingerprinting
- Wbox: HTTP testing tool /wbox/
- ht://Check /
- Mumsie /tools/mumsie.html
- WebInject /
- Torture.pl Home Page /lstein/torture/
- JoeDog's Siege /JoeDog/Siege/
- OPEN-LABS: metoscan (http method testing) /
- Load-balancing detector http://ge.mine.nu/lbd.html
- HMAP /hmap/
- Net-Square: httprint /httprint/
- Wpoison: http stress testing /
- Net-square: MSNPawn /msnpawn/index.shtml
- hcraft: HTTP Vuln Request Crafter /projects/hcraft/
- rfp.labs: LibWhisker /rfp/lw.asp
- Nikto /code/nikto.shtml
- twill /
- DirBuster /index.php/Category:OWASP_DirBuster_Project
- ZIP DFF Scanner /files/dff/DFF.zip
- ZIP The Elza project /web/elza-1.4.7-beta.zip /elza.html
- HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled /projects/hackfox

Browser-based HTTP tampering / editing / replaying
- TamperIE /Other/
- isr-form .ar/developments.html
- Modify Headers (Firefox Add-on) /
- Tamper Data (Firefox Add-on) /
- UrlParams (Firefox Add-on) /en-US/firefox/addon/1290/
- TestGen4Web (Firefox Add-on) /en-US/firefox/addon/1385/
- DOM Inspector / Inspect This (Firefox Add-on) /en-US/firefox/addon/1806/ /en-US/firefox/addon/1913/
- LiveHTTPHeaders / Header Monitor (Firefox Add-on) / /en-US/firefox/addon/575/

Cookie editing / poisoning
- TGZ stompy: session id tool http://lcamtuf.coredump.cx/stompy.tgz
- Add'N Edit Cookies (AnEC, Firefox Add-on) /
- CookieCuller (Firefox Add-on) /
- CookiePie (Firefox Add-on) /oss/firefox/extensions/cookiepie/
- CookieSpy /shell/cookiespy.asp
- Cookies Explorer /Features/Cookies.aspx

Ajax and XHR scanning
- Sahi http://sahi.co.in/
- scRUBYt /
- jQuery /
- jquery-include /projects/jquery-include
- Sprajax /sprajax.html
- Watir /
- Watij /
- Watin /
- RBNarcissus http://idontsmoke.co.uk/2005/rbnarcissus/
- SpiderTest (Spider Fuzz plugin) http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
- Javascript Inline Debugger (jasildbg) /
- Firebug Lite /lite.html
- firewatir /p/firewatir/

RSS extensions and caching
- LiveLines (Firefox Add-on) /en-US/firefox/addon/324/
- rss-cache /chris/projects/rss-cache/

SQL injection
- : home of Absinthe, Mezcal, etc http://090.org/releases.php
- SQLiX /index.php/Category:OWASP_SQLiX_Project
- sqlninja: a SQL Server injection and takeover tool /
- JustinClarke's SQL Brute /archives/2006/03/sqlbrute.html
- BobCat http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
- sqlmap /
- Scully: SQL Server DB Front-End and Brute-Forcer /research/scully/
- FG-Injector /?lang=en&seccion=herramientas
- PRIAMOS /

Web application security malware, backdoors, and evil code
- W3AF: Web Application Attack and Audit Framework /
- Jikto /jikto-in-the-wild/
- XSS Shell /article/?1338
- XSS-Proxy
- AttackAPI /projects/attackapi/
- FFsniFF http://azurit.elbiahosting.sk/ffsniff/
- HoneyBlog's web-based junkyard /junkyard/web-based/
- BeEF /tools/beef/
- Firefox Extension Scanner (FEX) /projects/fex/
- What is my IP address? http://reglos.de/myaddress/
- xRumer: blogspam automation tool /movies/XFull.htm
- SpyJax /makebeta/tools/spyjax/
- Greasecarnaval /projects/greasecarnaval
- Technika /projects/technika/
- Load-AttackAPI bookmarklet /projects/load-attackapi-bookmarklet
- MD's Projects: JS port scanner, pinger, backdoors, etc /my-projects/

Web application services that aid in web application security assessment
- Netcraft
- AboutURL /
- The Scrutinizer /
- net.toolkit /
- ServerSniff /
- Online Microsoft script decoder /security/tools/decoder/
- Webmaster-Toolkit /
- myIPNeighbors, et al /security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
- PHP charset encoding http://h4k.in/encoding
- data: URL testcases http://h4k.in/dataurl

Browser-based security fuzzing / checking
- Zalewski's MangleMe http://lcamtuf.coredump.cx/mangleme/mangle.cgi
- hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan /users/hdm/tools/
- Peach Fuzzer Framework /
- TagBruteForcer /html/tools/RT20060801-3.html
- PROTOS Test-Suite: c05-http-reply http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
- COMRaider
- bcheck http://bcheck.scanit.be/bcheck/
- Stop-Phishing: Projects page /phishing/?projects
- LinkScanner /linkscanner/default.asp
- BrowserCheck http://www.heise-security.co.uk/services/browsercheck/
- Cross-browser Exploit Tests /cool.php
- Stealing information using DNS pinning demo /index.php?i=2&a=1&b=7
- Javascript Website Login Checker /weird/javascript-website-login-checker.html
- Mozilla Activex http://www.iol.ie/locka/mozilla/mozilla.htm
- Jungsonn's Black Dragon Project /
- Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) /mr-t/
- Vulnerable Adobe Plugin Detection For UXSS PoC /?i=324
- About Flash: is your flash up-to-date? /software/flash/about/
- Test your installation of Java software /en/download/installed.jsp?detect=jre&try=1
- WebPageFingerprint Light-weight Greasemonkey Fuzzer /scripts/show/30285

PHP static analysis and file inclusion scanning
- PHP-SAT.org: Static analysis for PHP /PHP/
- Unl0ck Research Team: tool for searching in google for include bugs /tools.php
- FIS: File Inclusion Scanner http://www.segfault.gr/index.php?cat_id=3&cont_id=25
- PHPSecAudit /projects/phpsecaudit

PHP Defensive Tools
- PHPInfoSec: Check phpinfo configuration for security /projects/phpsecinfo/
- A Greasemonkey Replacement can be found at /lab/#tools.greasemonkey
- Php-Brute-Force-Attack Detector: Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix, etc. /lab/pr0js/files.php/php_brute_force_detect.zip
- PHP-Login-Info-Checker: Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It also has a built-in smoke test page via url loginfo_checker.php?testlic /lab/pr0js/files.php/loginfo_checkerv0.1.zip /lab/pr0js/files.php/phploginfo_checker_demo.zip
- php-DDOS-Shield: A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. /p/ddos-shield/
- PHPMySpamFIGHTER /lab/pr0js/files.php/phpmyspamfighter.zip /lab/pr0js/files.php/phpMySpamFighter_demo.rar

Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
- APIDS on Wikipedia /wiki/APIDS
- PHP Intrusion Detection System (PHP-IDS) / /p/phpids/
- dotnetids /p/dotnetids/
- Secure Science InterScout /home/newsandevents/news/interscout1.0.html
- Remo: whitelist rule editor for mod_security /
- GotRoot: ModSecurity rules /tiki-index.php?page=mod_security+rules
- The Web Security Gateway (WSGW) /
- mod_security rules generator /tools/modsecurity/
- Mod_Anti_Tamper http://www.wisec.it/projects.php?id=3
- TGZ Automatic Rules Generation for Mod_Security http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
- AQTRONIX WebKnight /?PageID=99
- Akismet: blog spam defense /
- Samoa: Formal tools for securing web services /projects/samoa/

Web services enumeration / scanning / fuzzing
- WebServiceStudio2.0 /WebserviceStudio
- Net-square: wsChess /wschess/index.shtml
- WSFuzzer /index.php/Category:OWASP_WSFuzzer_Project
- SIFT: web method search tool .au/73/171/sift-web-method-search-tool.htm
- iSecPartners: WSMap, WSBang, etc /tools.html

Web application non-specific static source-code analysis
- Pixy: a static analysis tool for detecting XSS vulnerabilities http://www.seclab.tuwien.ac.at/projects/pixy/
- Brixoft.Net: Source Edit /prodinfo.asp?id=1
- Security compass web application auditing tools (SWAAT) /index.php/Category:OWASP_SWAAT_Project
- An even more complete list here /aldrich/courses/654/tools/
- A nice list that claims some demos available /aldrich/courses/413/tools.html
- A smaller, but also good list /static/
- Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. /

Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
- RATS /resources/download_rats.html
- ITS4 /its4/
- FlawFinder /flawfinder/
- Splint /
- Uno /uno/
- BOON (Buffer Overrun detectiON) /daw/boon/
- Valgrind /

Java static analysis, security frameworks, and web application security tools
- LAPSE /livshits/work/lapse/
- HDIV Struts /
- Orizon /projects/orizon/
- FindBugs: Find bugs in Java programs /
- PMD /
- CUTE: A Concolic Unit Testing Engine for C and Java /ksen/cute/
- EMMA /
- JLint /
- Java PathFinder /
- Fujaba: Move between UML and Java source code http://wwwcs.uni-paderborn.de/cs/fujaba/
- Checkstyle /
- Cookie Revolver Security Framework /projects/cookie-revolver
- tinapoc /projects/tinapoc
- jarsigner /j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
- Solex /
- Java Explorer /jexplore/
- HTTPClient http://www.innovation.ch/java/HTTPClient/
- another HttpClient /commons/httpclient/
- a list of code coverage and analysis tools for Java /2007/06/java-foss-freeopen-source-software.html

Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
- Visual Studio 2008 Code Analysis, available in:
  o VSTS 2008 Development Edition (/vsts2008/products/bb933752.aspx) and
  o VSTS 2008 Team Suite (/vsts2008/products/bb933735.aspx)
- Visual Studio 2005 Code Analyzer, available in:
  o Visual Studio 2005 Team Edition for Software Developers (/en-us/vstudio/aa718806.aspx)
  o Visual Studio 2005 Team Suite (/en-us/vstudio/aa718806.aspx)
- Web Development Helper /Project.WebDevHelper.aspx
- FxCop:
  o (blog) /fxcop/
  o (download) /codeanalysis
- Microsoft internal tools you can't have yet:
  o /windows/cse/pa_projects.mspx
  o /Pex/
  o /images/5/5b/OWASP_IL_7_FuzzGuru.pdf

Threat modeling
- Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) /downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
- Amenaza: Attack Tree Modeling (SecurITree) /software.php
- Octotrike /

Add-ons for Firefox that help with general web application security
- Web Developer Toolbar /firefox/60/
- Plain Old Webserver (POW) /firefox/3002/
- XML Developer Toolbar /firefox/2897/
- Public Fox /firefox/3911/
- XForms Buddy http://beaufour.dk/index.php?sec=misc&pagename=xforms
- MR Tech Local Install /extensions/local_install