Web security tools
Results 1 to 9 of 9

Thread: Web security tools

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    181

    Web security tools

    Well it's about time there was a list of web security tools and where you can get them from.

    So here is what I have come up with. Please feel free to add any more tools that you know about.

    Whisker http://www.wiretrip.net/rfp/
    Looks foe default files that have vulnerabilities

    Achilles http://packetstormsecurity.nl/web/
    man in the middle proxy

    Brutus http://www.hoobie.net/brutus/
    password brute forcer

    Teleport Pro http://www.tenmax.com/teleport/pro/home.htm
    web site mirroring program

    Spike proxy http://www.immunitysec.com/spikeproxy_downloads.html
    A clever program that will inspect a web site

    web scarab http://www.owasp.org
    Still in production, will do a hell a lot of stuff when it's finished

    N stealth http://www.nstalker.com/nstealth/
    Very good web vulnerability scanner (30 days free)

    Web cracker http://online.securityfocus.com/tools/706
    Password brute forcer

    CookieSpy http://www.codeProject.com/shell/cookiespy.asp
    Inspects cookies

    WebSleuth http://geocities.com/dazzie/sleuth
    General tool, a based on IE, but allows you to do all the things IE doesn't let you

    Whitehat arsenal http://community.whitehatsec.com/whitehat_arsenal.html
    A collection of tools (NOT FREE)

    I hope everyone finds this useful

    and a prize to the first person to add a tool to the list (but it has to be a good tool!)

    SittingDuck
    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: Web security tools

    Originally posted here by SittingDuck
    Web cracker http://online.securityfoucus.com/tools/706
    Password brute forcer
    Smal typo. Should be http://online.securityfocus.com/tools/706

    Maybe an addition: NetCat and Perl.

  3. #3
    Member
    Join Date
    Mar 2003
    Posts
    30
    In no real particular order....

    NMAP! How did you leave out this one? Go to http://www.insecure.org/nmap/. If you aren't familiar with the grandaddy of all portscanners, where have you been hiding? Go now, learn it. Live it. LOVE IT!!!! There are now stable versions for both *NIX and Windoze.


    Foundstone has a collection of worthwhile tools, mostly for M$ Win-based machines. There are a bunch that they've produced ranging from scanners, to enumeration tools, to forensic tools. Again, go get them now. At the very least pick up SuperScan - it's a very lightweight, very quick, and very user-friendly Windows-based scanner. Great for the ad hoc quick scan of a subnet. Get them at http://www.foundstone.com (Their website just changed, you'll need to navigate to the download section. Looks like it's under "resources")


    John The Ripper. This is an old-school password cracker. Been around for a long time. Get it at http://www.openwall.com/john/ Traditionally a *NIX tool, now there are workable Windows versions.


    L0phtcrack. This is another password cracker specializing in Windows passwords. I haven't worked with it in a native Win2K AD password environment - so I'm not sure how effective it would be. However this product will rip through the Windows NT password scheme, and by extension I would assume Win2K passwords that are backwards compatible to NT. This is a free-to-try, pay to buy software, but well worth it if you need to audit your user's password structure. As an additional tip, if you ever need to convince management about why it's important to implement strong password requirements/force password changes/implement 2-factor authentication --> watching L0phtcrack break 75% of an Enterprise's user account passwords in under 5 minutes will generally be all the motivation they need. Seriously, it's fun to watch their jaws hit the floor. Get it at http://www.@stake.com/research/tools/index.html Windows-based.


    Nessus. This is a really good opensource vulnerability scanner. *NIX-based. Get it at http://www.nessus.org

    SARA. This is a fairly good top 20 vulnerability scanner. *NIX-based. Get it at http://www-arc.com/sara/

    Ethereal. Pretty darn good opensource protocol analyzer (sniffer). Both *NIX and Win flavors. http://www.ethereal.com

    SNORT. Like NMAP - if you don't know SNORT, where've you been hiding? SNORT is a really good open-source intrusion detection package. http://www.snort.org To be honest I think there is now a Win version, but I've only worked with the *NIX based version.


    That's enough for now. Hope it helps.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570
    SamSpade for Windows http://www.samspade.org/ssw/features.html
    All-in-one network query tool, including about 20 tools.

    http://www.pc-tools.net/
    A general place for neat little tools (for Windows, UNIX/Linux and DOS) like MD5sums and DOS Utilities Collection

    http://www.webattack.com/
    Features a lot of web-related software
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  5. #5
    Member
    Join Date
    Jul 2002
    Posts
    39
    2 more...

    http://www.sysinternals.com/
    Good tools (win*) & source code

    http://packetstormsecurity.nl/
    Advisories, tools & xploits!

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    Thank you all for your input, But the list was intended(sp?) to be tool for web application security. So tool like L0phtcrack, John The Ripper, NMAP, are good tools (and thank you for the links!!!) can not be used to testing web application as they are not designed to do so.

    Nessus and the other vulnerability scanners can be useful, but inly in testing the web server it's self and not the code it's self.

    The the prize is there for the first addition to the list, that is a tool to help in the security testing of web applications.

    Again thank you for your input, but can we keep this list just to web application security testing tool, and not general network testing tool.

    SittingDuck
    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

  7. #7
    Junior Member
    Join Date
    Jul 2001
    Posts
    4
    hmmm. I know this thread's getting quite old however...

    You may like to replace Whisker with Nikto (www.cirt.net) - it's based on LibWhisker but seems to get updated a little more regularly. Roll on Whisker 2.1...

    Another useful tool for web application testing is a java decompiler - check out Decafe at decafe.hypermart.net.

    Rgds,

    Raff

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    A good post to an open question, a new toy to have a play with

    I guess you get the prize!

    Anybody else got any more tool they use.

    SittingDuck
    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

  9. #9
    woh get nice of it n nice work

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •