-
April 3rd, 2003, 03:45 PM
#1
Web security tools
Well it's about time there was a list of web security tools and where you can get them from.
So here is what I have come up with. Please feel free to add any more tools that you know about.
Whisker http://www.wiretrip.net/rfp/
Looks for default files that have vulnerabilities
Achilles http://packetstormsecurity.nl/web/
man in the middle proxy
Brutus http://www.hoobie.net/brutus/
password brute forcer
Teleport Pro http://www.tenmax.com/teleport/pro/home.htm
web site mirroring program
Spike proxy http://www.immunitysec.com/spikeproxy_downloads.html
A clever program that will inspect a web site
web scarab http://www.owasp.org
Still in production, will do a hell of a lot of stuff when it's finished
N stealth http://www.nstalker.com/nstealth/
Very good web vulnerability scanner (30 days free)
Web cracker http://online.securityfocus.com/tools/706
Password brute forcer
CookieSpy http://www.codeProject.com/shell/cookiespy.asp
Inspects cookies
WebSleuth http://geocities.com/dazzie/sleuth
General tool, based on IE, but allows you to do all the things IE doesn't let you
Whitehat arsenal http://community.whitehatsec.com/whitehat_arsenal.html
A collection of tools (NOT FREE)
I hope everyone finds this useful
and a prize to the first person to add a tool to the list (but it has to be a good tool!)
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
-
April 3rd, 2003, 04:01 PM
#2
Re: Web security tools
Small typo. Should be http://online.securityfocus.com/tools/706
Maybe an addition: NetCat and Perl.
-
April 4th, 2003, 09:14 PM
#3
Member
In no real particular order....
NMAP! How did you leave out this one? Go to http://www.insecure.org/nmap/. If you aren't familiar with the granddaddy of all portscanners, where have you been hiding? Go now, learn it. Live it. LOVE IT!!!! There are now stable versions for both *NIX and Windoze.
Foundstone has a collection of worthwhile tools, mostly for M$ Win-based machines. There are a bunch that they've produced ranging from scanners, to enumeration tools, to forensic tools. Again, go get them now. At the very least pick up SuperScan - it's a very lightweight, very quick, and very user-friendly Windows-based scanner. Great for the ad hoc quick scan of a subnet. Get them at http://www.foundstone.com (Their website just changed, you'll need to navigate to the download section. Looks like it's under "resources")
John The Ripper. This is an old-school password cracker. Been around for a long time. Get it at http://www.openwall.com/john/ Traditionally a *NIX tool, now there are workable Windows versions.
L0phtcrack. This is another password cracker specializing in Windows passwords. I haven't worked with it in a native Win2K AD password environment - so I'm not sure how effective it would be. However this product will rip through the Windows NT password scheme, and by extension I would assume Win2K passwords that are backwards compatible to NT. This is free-to-try, pay-to-buy software, but well worth it if you need to audit your users' password structure. As an additional tip, if you ever need to convince management about why it's important to implement strong password requirements/force password changes/implement 2-factor authentication --> watching L0phtcrack break 75% of an Enterprise's user account passwords in under 5 minutes will generally be all the motivation they need. Seriously, it's fun to watch their jaws hit the floor. Get it at http://[email protected]/research/tools/index.html Windows-based.
Nessus. This is a really good opensource vulnerability scanner. *NIX-based. Get it at http://www.nessus.org
SARA. This is a fairly good top 20 vulnerability scanner. *NIX-based. Get it at http://www-arc.com/sara/
Ethereal. Pretty darn good opensource protocol analyzer (sniffer). Both *NIX and Win flavors. http://www.ethereal.com
SNORT. Like NMAP - if you don't know SNORT, where've you been hiding? SNORT is a really good open-source intrusion detection package. http://www.snort.org To be honest I think there is now a Win version, but I've only worked with the *NIX based version.
That's enough for now. Hope it helps.
-
April 5th, 2003, 11:20 AM
#4
SamSpade for Windows http://www.samspade.org/ssw/features.html
All-in-one network query tool, including about 20 tools.
http://www.pc-tools.net/
A general place for neat little tools (for Windows, UNIX/Linux and DOS) like MD5sums and DOS Utilities Collection
http://www.webattack.com/
Features a lot of web-related software
Q: Why do computer scientists confuse Christmas and Halloween?
A: Because Oct 31 = Dec 25
-
April 5th, 2003, 12:03 PM
#5
Member
2 more...
http://www.sysinternals.com/
Good tools (win*) & source code
http://packetstormsecurity.nl/
Advisories, tools & xploits!
-
April 6th, 2003, 10:55 PM
#6
Thank you all for your input, but the list was intended(sp?) to be tools for web application security. So tools like L0phtcrack, John The Ripper and NMAP are good tools (and thank you for the links!!!) but cannot be used for testing web applications, as they are not designed to do so.
Nessus and the other vulnerability scanners can be useful, but only in testing the web server itself and not the code itself.
The prize is there for the first addition to the list that is a tool to help in the security testing of web applications.
Again thank you for your input, but can we keep this list just to web application security testing tools, and not general network testing tools.
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
-
April 23rd, 2003, 05:34 PM
#7
Junior Member
hmmm. I know this thread's getting quite old however...
You may like to replace Whisker with Nikto (www.cirt.net) - it's based on LibWhisker but seems to get updated a little more regularly. Roll on Whisker 2.1...
Another useful tool for web application testing is a java decompiler - check out Decafe at decafe.hypermart.net.
Rgds,
Raff
-
April 23rd, 2003, 06:26 PM
#8
A good post to an open question, a new toy to have a play with.
I guess you get the prize!
Anybody else got any more tools they use?
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
-
April 24th, 2003, 06:19 AM
#9
Banned
woh get nice of it n nice work