Archive
SQL Injection Vulnerabilities
T-SQL Functions
SQL Security - Delimiting Identifiers and Strings
Tools for Web Security Testing or checking hackers’ techniques
| IEHttpHeaders, a tool which helps uncover what is being sent between pages. Also on the CD that comes with the book How To Break Web Software, by Mike Andrews and James Whittaker. |
| Paros, a tool which helps uncover what is being sent between pages. Also on the CD that comes with the book How To Break Web Software, by Mike Andrews and James Whittaker. |
| SPIKE Proxy tests parameter manipulation and CGI buffer overflow. Also on the CD that comes with the book How To Break Web Software, by Mike Andrews and James Whittaker. |
| SSLDigger is available on the Foundstone website: go to Resources, then Free Tools. It allows you to test an SSL-enabled web server to determine which encryption algorithms it supports. Also on the CD that comes with the book How To Break Web Software, by Mike Andrews and James Whittaker. |
| Wget is included with most Linux and BSD distributions. It is a simple yet powerful command-line tool for accessing, downloading, or mirroring web server content. Libraries are also available. |
| cURL is a command-line tool that is also useful to a pen tester. It has similar functionality to Wget. |
| Blackwidow, a web spider or crawler tool. A 30-day free trial is available; the tool costs 39.95 after that. |
| Cygwin, which is a Unix environment for Windows. It provides, for example, the grep utility on a Windows system. Also on the CD that comes with the book How To Break Web Software, by Mike Andrews and James Whittaker. |
| The Regulator - helps create search expressions for grep. Also on the CD that comes with the book, How To Break Web Software, by Mike Andrews and James Whittaker. |
| FITScanner is available on the CD that comes with the book How To Break Software Security, by James Whittaker and Herbert Thompson. |
| Nikto helps find known vulnerabilities in a web server. |
| Wikto adds the Google Hacking Database to Nikto and uses the Google search engine to case your client. |
| GHDB (the Google Hacking Database), a database of hacks. |
| Stunnel allows you to set up a tunnel to a machine using Secure Sockets Layer. Stunnel is the "Universal SSL Wrapper": it can be both a server and a client. |
| IISLockdown, a tool for locking down servers. Also on the CD that comes with the book How To Break Web Software, by Mike Andrews and James Whittaker. |
| TextPad, a useful text editor which can display and edit almost any file. Free syntax definition files are available so that TextPad appropriately highlights and indents documents (such as Perl programs). The basic product isn't free; the add-ons are free. |
| Cookie Pal allows users more fine-grained control over which cookies they will accept or reject. |
| Cookie Crusher allows users more fine-grained control over which cookies they will accept or reject. |
| SecuritySpace cookie report: http://www.securityspace.com/s_survey/data/man.200507/cookieReport.html |
| link to FAQ pages on cookies |
| paper on session fixation |
| BBCode |
| Examples of things to filter for. |
| For more information on SQL injection techniques. |
| chroot command for Apache servers. |
| RainForrestPuppy, a pioneer of Web application security testing. |
| checklist for locking down an application and Microsoft SQL Server. |
| Ethereal (a network monitoring tool). |
| J0hnny (of Google hacking fame). |
| HTTPrint identifies web server and version by differences in responses to requests. |
| SiteDigger from Foundstone executes Google searches to see if your site is vulnerable to known Web server bugs. |
| BugTraq site that lists security vulnerabilities of web servers. |
| CERT site that lists security vulnerabilities of web servers. |
| Brutus, a tool for brute-force hacking of authentication. |
| Information on Cross-Site Tracing. |
SQL Delta
1. Can SQL Delta do a Data Compare only?
No. Before performing a data comparison, SQL Delta needs to load the schema (structure) of every database and then compare each table to see whether the columns (fields) match.
TEST PLAN OUTLINE
(IEEE 829 Format)
1. Test Plan Identifier
2. References
3. Introduction
4. Test Items
5. Software Risk Issues
6. Features to be Tested
7. Features not to be Tested
8. Approach
9. Item Pass/Fail Criteria
10. Suspension Criteria and Resumption Requirements
11. Test Deliverables
12. Remaining Test Tasks
13. Environmental Needs
14. Staffing and Training Needs
15. Responsibilities
16. Schedule
17. Planning Risks and Contingencies
18. Approvals
19. Glossary
Mobile Web/App Testing Tools
MITE – Free version of MITE, from Keynote Systems Inc., for mobile content testing. A desktop testing tool with 1,600+ device profiles and 11,000 user agent strings. Tests and validates mobile content quickly across numerous device/mobile OS/mobile browser combinations, navigating mobile sites and checking for broken. Provides information including source code, redirects, protocol details, oversized objects, and device compatibility checks.
External Site Monitoring Services
Vantage for Server Performance – Service from Compuware that examines applications, servers and databases to proactively identify performance problems. Uses agentless and agent-based monitoring and is intended for businesses with applications that must meet high service levels. Works with a variety of databases, middleware and ERP systems.
Web Site Security Test Tools
SPIKE Proxy – Free tool from Immunity Inc. Not all web applications are built in the same way, and hence many must be analyzed individually. SPIKE Proxy is a professional-grade tool for looking for application-level vulnerabilities in web applications. It covers the basics, such as SQL injection and cross-site scripting, but its completely open Python infrastructure allows advanced users to customize it for web applications that other tools fall apart on. SPIKE Proxy is available for Linux and Windows. Note: on Linux it requires a working install of Python and pyOpenSSL; these are included in the Windows distribution.