The Most Complete Collection of Web Security Tools! Absolutely Surprising!!!
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled –
Browser-based HTTP tampering / editing / replaying
TamperIE –
isr-form –
Modify Headers (Firefox Add-on) –
Tamper Data (Firefox Add-on) –
UrlParams (Firefox Add-on) –
TestGen4Web (Firefox Add-on) –
DOM Inspector / Inspect This (Firefox Add-on) –
LiveHTTPHeaders / Header Monitor (Firefox Add-on) –
Cookie editing / poisoning
[TGZ] stompy: session id tool –
Add’N Edit Cookies (AnEC, Firefox Add-on) –
CookieCuller (Firefox Add-on) –
CookiePie (Firefox Add-on) –
CookieSpy –
Cookies Explorer –
Ajax and XHR scanning
Sahi –
scRUBYt –
jQuery –
jquery-include –
Sprajax –
Watir –
Watij –
Watin –
RBNarcissus –
SpiderTest (Spider Fuzz plugin) –
Javascript Inline Debugger (jasildbg) –
Firebug Lite –
firewaitr –
RSS extensions and caching
LiveLines (Firefox Add-on) –
rss-cache –
SQL injection scanning
0×90.org: home of Absinthe, Mezcal, etc –
SQLiX –
sqlninja: a SQL Server injection and takeover tool –
JustinClarke’s SQL Brute –
BobCat –
sqlmap –
Scully: SQL Server DB Front-End and Brute-Forcer –
FG-Injector –
PRIAMOS –
Web application security malware, backdoors, and evil code
W3AF: Web Application Attack and Audit Framework –
Jikto –
XSS Shell –
XSS-Proxy –
AttackAPI –
FFsniFF –
HoneyBlog’s web-based junkyard –
BeEF –
Firefox Extension Scanner (FEX) –
What is my IP address? –
xRumer: blogspam automation tool –
SpyJax –
Greasecarnaval –
Technika –
Load-AttackAPI bookmarklet –
MD’s Projects: JS port scanner, pinger, backdoors, etc –
Web application services that aid in web application security assessment
Netcraft –
AboutURL –
The Scrutinizer –
net.toolkit –
ServerSniff –
Online Microsoft script decoder –
Webmaster-Toolkit –
myIPNeighbors, et al – http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
PHP charset encoding –
data: URL testcases –
Browser-based security fuzzing / checking
Zalewski’s MangleMe –
hdm’s tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan –
Peach Fuzzer Framework –
TagBruteForcer –
PROTOS Test-Suite: c05-http-reply – http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider –
bcheck –
Stop-Phishing: Projects page –
LinkScanner –
BrowserCheck –
Cross-browser Exploit Tests –
Stealing information using DNS pinning demo –
Javascript Website Login Checker –
Mozilla Activex –
Jungsonn’s Black Dragon Project –
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) –
Vulnerable Adobe Plugin Detection For UXSS PoC –
About Flash: is your flash up-to-date? –
Test your installation of Java software –
WebPageFingerprint – Light-weight Greasemonkey Fuzzer – http://userscripts.org/scripts/show/30285
PHP static analysis and file inclusion scanning
PHP-SAT.org: Static analysis for PHP –
Unl0ck Research Team: tool for searching in Google for include bugs – http://unl0ck.net/tools.php
FIS: File Inclusion Scanner –
PHPSecAudit –
PHP Defensive Tools
PHPInfoSec – Check phpinfo configuration for security – http://phpsec.org/projects/phpsecinfo/
A Greasemonkey Replacement can be found at
Php-Brute-Force-Attack Detector – Detects your web servers being scanned by brute force tools such as WFuzz and OWASP DirBuster, and by vulnerability scanners such as Nessus, Nikto, Acunetix, etc.
PHP-Login-Info-Checker – Strictly enforces that admins/users select stronger passwords. It tests passwords against 4 rules. It also has a built-in smoke test page, reachable via the URL loginfo_checker.php?testlic
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip
php-DDOS-Shield – A tricky script to fend off simple distributed bots, which stop their flooding attacks when they see an HTTP 503 status code.
PHPMySpamFIGHTER –
Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
APIDS on Wikipedia –
PHP Intrusion Detection System (PHP-IDS) –
dotnetids –
Secure Science InterScout – http://www.securescience.com/home/newsandevents/news/interscout1.0.html
Remo: whitelist rule editor for mod_security –
GotRoot: ModSecurity rules –
The Web Security Gateway (WSGW) –
mod_security rules generator –
Mod_Anti_Tamper –
[TGZ] Automatic Rules Generation for Mod_Security –
AQTRONIX WebKnight –
Akismet: blog spam defense –
Samoa: Formal tools for securing web services – http://research.microsoft.com/projects/samoa/
Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 –
Net-square: wsChess –
WSFuzzer –
SIFT: web method search tool –
iSecPartners: WSMap, WSBang, etc –
Web application non-specific static source-code analysis
Pixy: a static analysis tool for detecting XSS vulnerabilities – http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit –
Security Compass web application auditing tools (SWAAT) – http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
An even more complete list here –
A nice list that claims some demos available – http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list –
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package.
Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
RATS –
ITS4 –
FlawFinder –
Splint –
Uno –
BOON (Buffer Overrun detectiON) –
Valgrind –
Java static analysis, security frameworks, and web application security tools
LAPSE –
HDIV Struts –
Orizon –
FindBugs: Find bugs in Java programs –
PMD –
CUTE: A Concolic Unit Testing Engine for C and Java –
EMMA –
JLint –
Java PathFinder –
Fujaba: Move between UML and Java source code –
Checkstyle –
Cookie Revolver Security Framework –
tinapoc –
jarsigner –
Solex –
Java Explorer –
HTTPClient –
another HttpClient –
a list of code coverage and analysis tools for Java – http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html
Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
Visual Studio 2008 Code Analysis, available in VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
Visual Studio 2005 Code Analyzer, available in Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx) and Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
Web Development Helper –
FxCop: (blog) (download)
Microsoft internal tools you can’t have yet:
http://www.microsoft.com/windows/cse/pa_projects.mspx
http://research.microsoft.com/Pex/
http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf
Threat modeling
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) – http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) –
Octotrike –
Add-ons for Firefox that help with general web application security
Web Developer Toolbar –
Plain Old Webserver (POW) –
XML Developer Toolbar –
Public Fox –
XForms Buddy –
MR Tech Local Install –
Nightly Tester Tools –
IE Tab –
User-Agent Switcher –
ServerSwitcher –
HeaderMonitor –
RefControl –
refspoof –
No-Referrer –
LocationBar^2 –
SpiderZilla –
Slogger –
Fire Encrypter –
Add-ons for Firefox that help with Javascript and Ajax web application security
Selenium IDE –
Firebug –
Venkman –
Chickenfoot –
Greasemonkey –
Greasemonkey compiler –
User script compiler –
Extension Developer’s Extension (Firefox Add-on) – http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) –
Bookmarklets that aid in web application security
RSnake’s security bookmarklets –
BMlets –
Huge list of bookmarklets –
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality –
Bookmarklets every blogger should have – http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) –
OpenBook and Update Bookmark (Firefox Add-ons) –
SSL certificate checking / scanning
[ZIP] THCSSLCheck –
[ZIP] Foundstone SSLDigger –
Cert Viewer Plus (Firefox Add-on) –
Honeyclients, Web Application, and Web Proxy honeypots
Honeyclient Project: an open-source honeyclient –
HoneyC: the low-interaction honeyclient –
Capture: a high-interaction honeyclient –
Google Hack Honeypot –
PHP.Hop – PHP Honeynet Project –
SpyBye –
Honeytokens –
Blackhat SEO and maybe some whitehat SEO
SearchStatus (Firefox Add-on) –
SEO for Firefox (Firefox Add-on) –
SEOQuake (Firefox Add-on) –
Footprinting for web application security
Evolution –
GooSweep –
Aura: Google API Utility Tools –
Edge-Security tools –
Fierce Domain Scanner –
Googlegath –
Advanced Dork (Firefox Add-on) –
Passive Cache (Firefox Add-on) –
CacheOut! (Firefox Add-on) –
BugMeNot Extension (Firefox Add-on) –
TrashMail.net Extension (Firefox Add-on) –
DiggiDig (Firefox Add-on) –
Digger (Firefox Add-on) –
Database security assessment
Scuba by Imperva Database Vulnerability Scanner –
Browser Defenses
DieHard –
LocalRodeo (Firefox Add-on) –
NoMoXSS –
Request Rodeo –
FlashBlock (Firefox Add-on) –
CookieSafe (Firefox Add-on) –
NoScript (Firefox Add-on) –
FormFox (Firefox Add-on) –
Adblock (Firefox Add-on) –
httpOnly in Firefox (Firefox Add-on) –
SafeCache (Firefox Add-on) –
SafeHistory (Firefox Add-on) –
PrefBar (Firefox Add-on) –
All-in-One Sidebar (Firefox Add-on) –
QArchive.org web file checker (Firefox Add-on) –
Update Notified (Firefox Add-on) –
FireKeeper –
Greasemonkey: XSS Malware Script Detector –
Browser Privacy
TrackMeNot (Firefox Add-on) –
Privacy Bird –
Application and protocol fuzzing (random instead of targeted)
Sulley –
taof: The Art of Fuzzing –
zzuf: multipurpose fuzzer –
autodafé: an act of software torture –
EFS and GPF: Evolutionary Fuzzing System –
If you repost this article, please credit the source: http://www.5iadmin.com/post/990.html