A Collection of Security-Related URLs - Capricorn's Lab - 博客园


LiveCDs
AOC Labrat (AOC_Labrat-ALPHA-0010.iso, 828569600 bytes, dated Monday, January 29, 2007) -
DVL (Damn Vulnerable Linux) -


Test sites / testing grounds
SPI Dynamics (live) -
Cenzic (live) -
Watchfire (live) -
Acunetix (live) -
WebMaven / Buggy Bank -
Foundstone SASS tools -
Updated HackmeBank -
OWASP WebGoat -
OWASP SiteGenerator -
Stanford SecuriBench -
SecuriBench Micro -


HTTP proxying / editing
WebScarab -
Burp -
Paros -
Fiddler -
Web Proxy Editor -
Pantera -
Suru -
httpedit (curses-based) -
Charles -
Odysseus -
Burp, Paros, and WebScarab for Mac OS X -
Web-application scanning tool from 'Network Security Tools' (O'Reilly) -
JS Commander -
Ratproxy -


RSnake's XSS cheat sheet-based tools, webapp fuzzing, and encoding tools
Wfuzz -
ProxMon -
Wapiti -
Grabber -
XSSScan -
CAL9000 -
HTMangLe -
JBroFuzz -
XSSFuzz -
WhiteAcid's XSS Assistant -
Overlong UTF -
[TGZ] MielieTool (SensePost Research) -
RegFuzzer: test your regular expression filter -
screamingCobra -
SPIKE and SPIKE Proxy -
RFuzz -
WebFuzz -
TestMaker -
ASP Auditor -
WSTool -
Web Hack Control Center (WHCC) -
Web Text Converter -
HackBar (Firefox Add-on) -
Net-Force Tools (NF-Tools, Firefox Add-on) -
PostIntercepter (Greasemonkey script) -


HTTP general testing / fingerprinting
Wbox: HTTP testing tool -
ht://Check -
Mumsie -
WebInject -
Torture.pl Home Page -
JoeDog's Siege -
OPEN-LABS: metoscan (http method testing) -
Load-balancing detector -
HMAP -
Net-Square: httprint -
Wpoison: http stress testing -
Net-square: MSNPawn -
hcraft: HTTP Vuln Request Crafter -
rfp.labs: LibWhisker -
Nikto -
twill -
DirBuster -
[ZIP] DFF Scanner -
[ZIP] The Elza project -
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled -


Browser-based HTTP tampering / editing / replaying
TamperIE -
isr-form -
Modify Headers (Firefox Add-on) -
Tamper Data (Firefox Add-on) -
UrlParams (Firefox Add-on) -
TestGen4Web (Firefox Add-on) -
DOM Inspector / Inspect This (Firefox Add-on) -
LiveHTTPHeaders / Header Monitor (Firefox Add-on) -


Cookie editing / poisoning
[TGZ] stompy: session id tool -
Add'N Edit Cookies (AnEC, Firefox Add-on) -
CookieCuller (Firefox Add-on) -
CookiePie (Firefox Add-on) -
CookieSpy -
Cookies Explorer -


Ajax and XHR scanning
Sahi -
scRUBYt -
jQuery -
jquery-include -
Sprajax -
Watir -
Watij -
WatiN -
RBNarcissus -
SpiderTest (Spider Fuzz plugin) -
Javascript Inline Debugger (jasildbg) -
Firebug Lite -
firewaitr -


RSS extensions and caching
LiveLines (Firefox Add-on) -
rss-cache -


SQL injection scanning
0x90.org: home of Absinthe, Mezcal, etc -
SQLiX -
sqlninja: a SQL Server injection and takeover tool -
JustinClarke's SQL Brute -
BobCat -
sqlmap -
Scully: SQL Server DB Front-End and Brute-Forcer -
FG-Injector -
PRIAMOS -


Web application security malware, backdoors, and evil code
W3AF: Web Application Attack and Audit Framework -
Jikto -
XSS Shell -
XSS-Proxy -
AttackAPI -
FFsniFF -
HoneyBlog's web-based junkyard -
BeEF -
Firefox Extension Scanner (FEX) -
What is my IP address? -
xRumer: blogspam automation tool -
SpyJax -
Greasecarnaval -
Technika -
Load-AttackAPI bookmarklet -
MD's Projects: JS port scanner, pinger, backdoors, etc -


Web application services that aid in web application security assessment
Netcraft -
AboutURL -
The Scrutinizer -
net.toolkit -
ServerSniff -
Online Microsoft script decoder -
Webmaster-Toolkit -
myIPNeighbors, et al -
PHP charset encoding -
data: URL testcases -


Browser-based security fuzzing / checking
Zalewski's MangleMe -
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan -
Peach Fuzzer Framework -
TagBruteForcer -
PROTOS Test-Suite: c05-http-reply -
COMRaider -
bcheck -
Stop-Phishing: Projects page -
LinkScanner -
BrowserCheck -
Cross-browser Exploit Tests -
Stealing information using DNS pinning demo -
Javascript Website Login Checker -
Mozilla ActiveX -
Jungsonn's Black Dragon Project -
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) -
Vulnerable Adobe Plugin Detection For UXSS PoC -
About Flash: is your flash up-to-date? -
Test your installation of Java software -
WebPageFingerprint - Light-weight Greasemonkey Fuzzer -


PHP static analysis and file inclusion scanning
PHP-SAT.org: Static analysis for PHP -
Unl0ck Research Team: tool for searching Google for include bugs -
FIS: File Inclusion Scanner -
PHPSecAudit -


PHP Defensive Tools
PHPInfoSec - Check phpinfo configuration for security -

A Greasemonkey Replacement can be found at


Php-Brute-Force-Attack Detector - Detects web servers being scanned by brute-force tools such as WFuzz and OWASP DirBuster, and by vulnerability scanners such as Nessus, Nikto, Acunetix, etc.


PHP-Login-Info-Checker - Strictly enforces stronger passwords for admins/users by testing candidate passwords against 4 cracking rules. It also has a built-in smoke-test page, reachable via the URL loginfo_checker.php?testlic


php-DDOS-Shield - A tricky script to fend off unsophisticated distributed bots, which abandon their flooding attacks once they see an HTTP 503 status code.


PHPMySpamFIGHTER -


Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
APIDS on Wikipedia -
PHP Intrusion Detection System (PHP-IDS) -
dotnetids -
Secure Science InterScout -
Remo: whitelist rule editor for mod_security -
GotRoot: ModSecurity rules -
The Web Security Gateway (WSGW) -
mod_security rules generator -
Mod_Anti_Tamper -
[TGZ] Automatic Rules Generation for Mod_Security -
AQTRONIX WebKnight -
Akismet: blog spam defense -
Samoa: Formal tools for securing web services -


Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 -
Net-square: wsChess -
WSFuzzer -
SIFT: web method search tool -
iSecPartners: WSMap, WSBang, etc -


Web application non-specific static source-code analysis
Pixy: a static analysis tool for detecting XSS vulnerabilities -
Brixoft.Net: Source Edit -
Security compass web application auditing tools (SWAAT) -
An even more complete list here -
A nice list that claims some demos available -
A smaller, but also good list -


Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
RATS -
ITS4 -
FlawFinder -
Splint -
Uno -
BOON (Buffer Overrun detectiON) -
Valgrind -


Java static analysis, security frameworks, and web application security tools
LAPSE -
HDIV Struts -
Orizon -
FindBugs: Find bugs in Java programs -
PMD -
CUTE: A Concolic Unit Testing Engine for C and Java -
EMMA -
JLint -
Java PathFinder -
Fujaba: Move between UML and Java source code -
Checkstyle -
Cookie Revolver Security Framework -
tinapoc -
jarsigner -
Solex -
Java Explorer -
HTTPClient -
another HttpClient -
a list of code coverage and analysis tools for Java -


Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
Visual Studio 2008 Code Analysis, available in VSTS 2008 Development Edition and VSTS 2008 Team Suite -
Visual Studio 2005 Code Analyzer, available in Visual Studio 2005 Team Edition for Software Developers and Visual Studio 2005 Team Suite -
Web Development Helper -
FxCop (blog, download) -
Microsoft internal tools you can't have yet -


Threat modeling
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) -
Amenaza: Attack Tree Modeling (SecurITree) -
Octotrike -


Add-ons for Firefox that help with general web application security
Web Developer Toolbar -
Plain Old Webserver (POW) -
XML Developer Toolbar -
Public Fox -
XForms Buddy -
MR Tech Local Install -
Nightly Tester Tools -
IE Tab -
User-Agent Switcher -
ServerSwitcher -
HeaderMonitor -
RefControl -
refspoof -
No-Referrer -
LocationBar^2 -
SpiderZilla -
Slogger -
Fire Encrypter -


Add-ons for Firefox that help with Javascript and Ajax web application security
Selenium IDE -
Firebug -
Venkman -
Chickenfoot -
Greasemonkey -
Greasemonkey compiler -
User script compiler -
Extension Developer's Extension (Firefox Add-on) -
Smart Middle Click (Firefox Add-on) -


Bookmarklets that aid in web application security
RSnake's security bookmarklets -
BMlets -
Huge list of bookmarklets -
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality -
Bookmarklets every blogger should have -
Flat Bookmark Editing (Firefox Add-on) -
OpenBook and Update Bookmark (Firefox Add-ons) -


SSL certificate checking / scanning
[ZIP] THCSSLCheck -
[ZIP] Foundstone SSLDigger -
Cert Viewer Plus (Firefox Add-on) -


Honeyclients, Web Application, and Web Proxy honeypots
Honeyclient Project: an open-source honeyclient -
HoneyC: the low-interaction honeyclient -
Capture: a high-interaction honeyclient -
Google Hack Honeypot -
PHP.Hop - PHP Honeynet Project -
SpyBye -
Honeytokens -


Blackhat SEO and maybe some whitehat SEO
SearchStatus (Firefox Add-on) -
SEO for Firefox (Firefox Add-on) -
SEOQuake (Firefox Add-on) -


Footprinting for web application security
Evolution -
GooSweep -
Aura: Google API Utility Tools -
Edge-Security tools -
Fierce Domain Scanner -
Googlegath -
Advanced Dork (Firefox Add-on) -
Passive Cache (Firefox Add-on) -
CacheOut! (Firefox Add-on) -
BugMeNot Extension (Firefox Add-on) -
TrashMail.net Extension (Firefox Add-on) -
DiggiDig (Firefox Add-on) -
Digger (Firefox Add-on) -


Database security assessment
Scuba by Imperva Database Vulnerability Scanner -


Browser Defenses
DieHard -
LocalRodeo (Firefox Add-on) -
NoMoXSS -
Request Rodeo -
FlashBlock (Firefox Add-on) -
CookieSafe (Firefox Add-on) -
NoScript (Firefox Add-on) -
FormFox (Firefox Add-on) -
Adblock (Firefox Add-on) -
httpOnly in Firefox (Firefox Add-on) -
SafeCache (Firefox Add-on) -
SafeHistory (Firefox Add-on) -
PrefBar (Firefox Add-on) -
All-in-One Sidebar (Firefox Add-on) -
QArchive.org web file checker (Firefox Add-on) -
Update Notifier (Firefox Add-on) -
FireKeeper -
Greasemonkey: XSS Malware Script Detector -


Browser Privacy
TrackMeNot (Firefox Add-on) -
Privacy Bird -


Application and protocol fuzzing (random instead of targeted)
Sulley -
taof: The Art of Fuzzing -
zzuf: multipurpose fuzzer -
autodafé: an act of software torture -
EFS and GPF: Evolutionary Fuzzing System -
