- The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
- ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins.
- CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
- Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
- OWASP Pantera Web Assessment Studio Project
- Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
- OWASP Mantra - Security Framework
- Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
- SPIKE - http://www.immunitysec.com/resources-freesoftware.shtml
- SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
- Burp Proxy - http://www.portswigger.net/Burp/
- Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
- Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
- Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
- Webstretch Proxy - http://sourceforge.net/projects/webstretch
- Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
- WATOBO - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
- WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
- Firefox LiveHTTPHeaders - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
- View HTTP headers of a page and while browsing.
- Firefox Tamper Data - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
- Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
- Firefox Web Developer Tools - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
- The Web Developer extension adds various web developer tools to the browser.
- DOM Inspector - https://developer.mozilla.org/en/docs/DOM_Inspector
- DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
- Firefox Firebug - http://getfirebug.com/
- Grendel-Scan - http://securitytube-tools.net/index.php?title=Grendel_Scan
- Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
- OWASP SWFIntruder - http://www.mindedsecurity.com/swfintruder.html
- SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
- SWFScan - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
- Wikto - http://www.sensepost.com/labs/tools/pentest/wikto
- Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
- w3af - http://w3af.org
- w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
- skipfish - http://code.google.com/p/skipfish/
- Skipfish is an active web application security reconnaissance tool.
- Web Developer toolbar - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
- The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
- HTTP Request Maker - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
- Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
- Cookie Editor - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
- Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
- Cookie swap - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
- Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.
- Firebug lite for Chrome - https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
- Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elements with your mouse, and live editing CSS properties
- Session Manager - https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
- With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
- Subgraph Vega - http://www.subgraph.com/products.html
- Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Testing for specific vulnerabilities
Testing for DOM XSS
Testing for SQL Injection
Testing for Brute Force Password
Testing Buffer Overflow
Source Code Analyzers
Open Source / Freeware
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.
- WATIR - http://wtr.rubyforge.org
- A Ruby based web testing framework that provides an interface into Internet Explorer.
- Windows only.
- HtmlUnit - http://htmlunit.sourceforge.net
- A Java and JUnit based framework that uses the Apache HttpClient as the transport.
- Very robust and configurable and is used as the engine for a number of other testing tools.
- jWebUnit - http://jwebunit.sourceforge.net
- A Java based meta-framework that uses htmlunit or selenium as the testing engine.
- Canoo Webtest - http://webtest.canoo.com
- An XML based testing tool that provides a facade on top of htmlunit.
- No coding is necessary as the tests are completely specified in XML.
- There is the option of scripting some elements in Groovy if XML does not suffice.
- Very actively maintained.
- HttpUnit - http://httpunit.sourceforge.net
- One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
- Watij - http://watij.com
- A Java implementation of WATIR.
- Windows only because it uses IE for its tests (Mozilla integration is in the works).
- Solex - http://solex.sourceforge.net
- An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
- Selenium - http://seleniumhq.org/