SANS ISC: InfoSec Handlers Diary Blog


Web App Testing Tools

Published: 2010-04-13
Last Updated: 2011-01-24 23:59:45 UTC
by Adrien de Beaupre (Version: 2)
3 comment(s)

As security testers we tend to always be on the lookout for new or updated tools to test the security of web-based applications. Some of these are of course commercial, but most of us also make extensive use of the free and/or open source offerings. In no particular order, here are the ones I am currently making use of:

Burp Suite
Fiddler2
Watcher
Ratproxy
Grendel-Scan
w3af
Skipfish
Exploit-Me
Wikto
Tamper Data
Wmap
Nikto

Special mention to Samurai WTF.

Please let us know if there are any I haven't mentioned that you find useful, and why! I'll add them to an update of the list afterwards.

Firebug
WebScarab
curl and wget
Various versions of different web browsers
Various scripts in different scripting languages

I've deliberately decided to exclude commercial scanners, whether web-application-specific scanners or network scanners that can also run some web application tests.

Adrien de Beaupré Inc.
