книга >>>>>> новичкам обязательно к прочтению
Test sites
SPI Dynamics (live) – http://zero.webappsecurity.com/
Cenzic (live) – http://crackme.cenzic.com/
Watchfire (live) – http://demo.testfire.net/
Acunetix (live) – http://testphp.acunetix.com/ http://testasp.acunetix.comhttp://testaspnet.acunetix.com
WebMaven / Buggy Bank – http://www.mavensecurity.com/webmaven
Foundstone SASS tools –
Updated HackmeBank –
OWASP WebGoat – http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP SiteGenerator – http://www.owasp.org/index.php/Owasp_SiteGenerator
Stanford SecuriBench – http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro – http://suif.stanford.edu/~livshits/work/securibench-micro/
HTTP proxying
WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp – http://www.portswigger.net/
Paros – http://www.parosproxy.org/
Fiddler – http://www.fiddlertool.com/
Web Proxy Editor –
Pantera – http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru –
httpedit (curses-based) – http://www.neutralbit.com/en/rd/httpedit/
Charles – http://www.xk72.com/charles/
Odysseus –
Burp, Paros, and WebScarab for Mac OS X – http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools’/O’Reilly – http://examples.oreilly.com/networkst/
JS Commander – http://jscmd.rubyforge.org/
Ratproxy – http://code.google.com/p/ratproxy/
RSnake’s XSS cheat sheet based-tools, webapp fuzzing, and encoding tools
Wfuzz – http://www.edge-security.com/wfuzz.php
ProxMon –
Wapiti – http://wapiti.sourceforge.net/
Grabber – http://rgaucher.info/beta/grabber/
XSSScan – http://darkcode.ath.cx/scanners/XSSscan.py
CAL9000 – http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
HTMangLe – http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz – https://sourceforge.net/projects/jbrofuzz/
XSSFuzz – http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid’s XSS Assistant – http://www.whiteacid.org/greasemonkey/
Overlong UTF –
[TGZ] MielieTool (SensePost Research) – http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
RegFuzzer: test your regular expression filter – http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer:-Test-your-regular-expression-filter
screamingCobra –
SPIKE and SPIKE Proxy –
RFuzz – http://rfuzz.rubyforge.org/
WebFuzz – http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999
TestMaker –
ASP Auditor – http://michaeldaw.org/projects/asp-auditor-v2/
WSTool – http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) –
Web Text Converter –
HackBar (Firefox Add-on) –
Net-Force Tools (NF-Tools, Firefox Add-on) – https://www.net-force.nl/library/downloads/
PostIntercepter (Greasemonkey script) – http://userscripts.org/scripts/show/743
HTTP general testing
Wbox: HTTP testing tool – http://hping.org/wbox/
ht://Check – http://htcheck.sourceforge.net/
Mumsie – http://www.lurhq.com/tools/mumsie.html
WebInject – http://www.webinject.org/
Torture.pl Home Page – http://stein.cshl.org/~lstein/torture/
JoeDog’s Seige – http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) – http://www.open-labs.org/
Load-balancing detector – http://ge.mine.nu/lbd.html
HMAP –
Net-Square: httprint –
Wpoison: http stress testing – http://wpoison.sourceforge.net/
Net-square: MSNPawn –
hcraft: HTTP Vuln Request Crafter – http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker –
Nikto –
twill – http://twill.idyll.org/
DirBuster – http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
[ZIP] DFF Scanner – http://security-net.biz/files/dff/DFF.zip
[ZIP] The Elza project – http://packetstormsecurity.org/web/elza-1.4.7-beta.ziphttp://www.stoev.org/elza.html
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled –https://sourceforge.net/projects/hackfox/
Browser-based HTTP tampering / editing / replaying
TamperIE – http://www.bayden.com/Other/
isr-form –
Modify Headers (Firefox Add-on) – http://modifyheaders.mozdev.org/
Tamper Data (Firefox Add-on) – http://tamperdata.mozdev.org/
UrlParams (Firefox Add-on) –
TestGen4Web (Firefox Add-on) –
DOM Inspector / Inspect This (Firefox Add-on) –
LiveHTTPHeaders / Header Monitor (Firefox Add-on) – http://livehttpheaders.mozdev.org/
Cookie editing / poisoning
[TGZ] stompy: session id tool –
Add’N Edit Cookies (AnEC, Firefox Add-on) – http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) – http://cookieculler.mozdev.org/
CookiePie (Firefox Add-on) – http://www.nektra.com/oss/firefox/extensions/cookiepie/
CookieSpy –
Cookies Explorer – http://www.dutchduck.com/Features/Cookies.aspx
Ajax and XHR scanning
Sahi – http://sahi.co.in/
scRUBYt – http://scrubyt.org/
jQuery – http://jquery.com/
jquery-include –
Sprajax –
Watir – http://wtr.rubyforge.org/
Watij – http://watij.com/
Watin – http://watin.sourceforge.net/
RBNarcissus – http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) – http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
Javascript Inline Debugger (jasildbg) – http://jasildbg.googlepages.com/
Firebug Lite – http://www.getfirebug.com/lite.html
firewaitr – http://code.google.com/p/firewatir/
RSS extensions and caching
LiveLines (Firefox Add-on) –
rss-cache –
SQL injection scanning
0×90.org: home of Absinthe, Mezcal, etc –
SQLiX – http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takover tool – http://sqlninja.sourceforge.net/
JustinClarke’s SQL Brute – http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat – http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap – http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer –
FG-Injector – http://www.flowgate.net/?lang=en&seccion=herramientas
PRIAMOS – http://www.priamos-project.com/
Web application security malware, backdoors, and evil code
W3AF: Web Application Attack and Audit Framework – http://w3af.sourceforge.net/
Jikto – http://busin3ss.name/jikto-in-the-wild/
XSS Shell –
XSS-Proxy – http://xss-proxy.sourceforge.net
AttackAPI –
FFsniFF – http://azurit.elbiahosting.sk/ffsniff/
HoneyBlog’s web-based junkyard – http://honeyblog.org/junkyard/web-based/
BeEF –
Firefox Extension Scanner (FEX) –
What is my IP address? – http://reglos.de/myaddress/
xRumer: blogspam automation tool – http://www.botmaster.net/movies/XFull.htm
SpyJax – http://www.merchantos.com/makebeta/tools/spyjax/
Greasecarnaval –
Technika –
Load-AttackAPI bookmarklet –
MD’s Projects: JS port scanner, pinger, backdoors, etc – http://michaeldaw.org/my-projects/
Web application services that aid in web application security assessment
Netcraft – http://www.netcraft.net
AboutURL – http://www.abouturl.com/
The Scrutinizer – http://www.scrutinizethis.com/
net.toolkit – http://clez.net/
ServerSniff – http://www.serversniff.net/
Online Microsoft script decoder – http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit – http://www.webmaster-toolkit.com/
myIPNeighbbors, et al –
PHP charset encoding –
data: URL testcases –
Browser-based security fuzzing / checking
Zalewski’s MangleMe –
hdm’s tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan –
Peach Fuzzer Framework – http://peachfuzz.sourceforge.net/
TagBruteForcer – http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply – http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider – http://labs.idefense.com
bcheck – http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page – http://www.indiana.edu/~phishing/?projects
LinkScanner – http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck – http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests – http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo –
Javascript Website Login Checker – http://ha.ckers.org/weird/javascript-website-login-checker.html
Mozilla Activex – http://www.iol.ie/~locka/mozilla/mozilla.htm
Jungsonn’s Black Dragon Project – http://blackdragon.jungsonnstudios.com/
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) – http://ha.ckers.org/mr-t/
Vulnerable Adobe Plugin Detection For UXSS PoC – http://www.0×000000.com/?i=324
About Flash: is your flash up-to-date? – http://www.macromedia.com/software/flash/about/
Test your installation of Java software – http://java.com/en/download/installed.jsp?detect=jre&try=1
WebPageFingerprint – Light-weight Greasemonkey Fuzzer – http://userscripts.org/scripts/show/30285
Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
APIDS on Wikipedia – http://en.wikipedia.org/wiki/APIDS
PHP Intrusion Detection System (PHP-IDS) – http://php-ids.org/http://code.google.com/p/phpids/
dotnetids – http://code.google.com/p/dotnetids/
Secure Science InterScout – http://www.securescience.com/home/newsandevents/news/interscout1.0.html
Remo: whitelist rule editor for mod_security – http://remo.netnea.com/
GotRoot: ModSecuirty rules – http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) – http://wsgw.sourceforge.net/
mod_security rules generator –
Mod_Anti_Tamper – http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security – http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
AQTRONIX WebKnight –
Akismet: blog spam defense – http://akismet.com/
Samoa: Formal tools for securing web services – http://research.microsoft.com/projects/samoa/
Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 – http://www.codeplex.com/WebserviceStudio
Net-square: wsChess –
WSFuzzer – http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool –
iSecPartners: WSMap, WSBang, etc – http://www.isecpartners.com/tools.html
Threat modeling
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) – http://www.microsoft.com/downloads/...78-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) –
Octotrike – http://www.octotrike.org/
Add-ons for Firefox that help with general web application security
Web Developer Toolbar –
Plain Old Webserver (POW) –
XML Developer Toolbar –
Public Fox –
XForms Buddy – http://beaufour.dk/index.php?sec=misc&pagename=xforms
MR Tech Local Install – http://www.mrtech.com/extensions/local_install/
Nightly Tester Tools – http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html
IE Tab –
User-Agent Switcher –
ServerSwitcher –
HeaderMonitor –
RefControl –
refspoof –
No-Referrer –
LocationBar^2 –
SpiderZilla – http://spiderzilla.mozdev.org/
Slogger –
Fire Encrypter –
Add-ons for Firefox that help with Javascript and Ajax web application security
Selenium IDE – http://www.openqa.org/selenium-ide/
Firebug –
Venkman – http://www.mozilla.org/projects/venkman/
Chickenfoot – http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey – http://www.greasespot.net/
Greasemonkey compiler – http://www.letitblog.com/greasemonkey-compiler/
User script compiler – http://arantius.com/misc/greasemonkey/script-compiler
Extension Developer’s Extension (Firefox Add-on) – http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) –
Bookmarklets that aid in web application security
RSnake’s security bookmarklets – http://ha.ckers.org/bookmarklets.html
BMlets – http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets – http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality –http://www.blummy.com/
Bookmarklets every blogger should have – http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) – http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) – http://www.chuonthis.com/extensions/
SSL certificate checking / scanning
[ZIP] Foundstone SSLDigger –
Cert Viewer Plus (Firefox Add-on) –
Honeyclients, Web Application, and Web Proxy honeypots
Honeyclient Project: an open-source honeyclient – http://www.honeyclient.org/trac/
HoneyC: the low-interaction honeyclient – http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient – http://capture-hpc.sourceforge.net/
Google Hack Honeypot – http://ghh.sourceforge.net/
PHP.Hop – PHP Honeynet Project –
SpyBye – http://www.monkey.org/~provos/spybye/
Honeytokens – http://www.securityfocus.com/infocus/1713
