要學習使用的安全工具

最近在開始學習一些安全工具的使用，往bt4上裝了不少
Test sites / testing grounds
SPI Dynamics (live) – http://zero.webappsecurity.com/
Cenzic (live) â http://crackme.cenzic.com/
Watchfire (live) â http://demo.testfire.net/
Acunetix (live) â http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
WebMaven / Buggy Bank â http://www.mavensecurity.com/webmaven
Foundstone SASS tools â http://www.foundstone.com/us/resources-free-tools.asp
Updated HackmeBank â http://www.o2-ounceopen.com/technical-i … ebank.html
OWASP WebGoat â http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP SiteGenerator â http://www.owasp.org/index.php/Owasp_SiteGenerator
Stanford SecuriBench â http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro â http://suif.stanford.edu/~livshits/work … nch-micro/

HTTP proxying / editing
WebScarab â http://www.owasp.org/index.php/Category … ab_Project
Burp â http://www.portswigger.net/
Paros â http://www.parosproxy.org/
Fiddler â http://www.fiddlertool.com/
Web Proxy Editor â http://www.microsoft.com/mspress/compan … 56-2187-X/
Pantera â http://www.owasp.org/index.php/Category … io_Project
Suru â http://www.sensepost.com/research/suru/
httpedit (curses-based) â http://www.neutralbit.com/en/rd/httpedit/
Charles â http://www.xk72.com/charles/
Odysseus â http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X â http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Toolsâ/OâReilly â http://examples.oreilly.com/networkst/
JS Commander â http://jscmd.rubyforge.org/
Ratproxy â http://code.google.com/p/ratproxy/

RSnakeâs XSS cheat sheet based-tools, webapp fuzzing, and encoding tools
Wfuzz â http://www.edge-security.com/wfuzz.php
ProxMon â http://www.isecpartners.com/proxmon.html
Wapiti â http://wapiti.sourceforge.net/
Grabber â http://rgaucher.info/beta/grabber/
XSSScan â http://darkcode.ath.cx/scanners/XSSscan.py
CAL9000 â http://www.owasp.org/index.php/Category … 00_Project
HTMangLe â http://www.fishnetsecurity.com/Tools/HT … ublish.htm
JBroFuzz â http://sourceforge.net/projects/jbrofuzz
XSSFuzz â http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcidâs XSS Assistant â http://www.whiteacid.org/greasemonkey/
Overlong UTF â http://www.microsoft.com/mspress/compan … 56-2187-X/
[TGZ] MielieTool (SensePost Research) â http://packetstormsecurity.org/UNIX/uti … s-v1.0.tgz
RegFuzzer: test your regular expression filter â http://rgaucher.info/b/index.php/post/2 … ion-filter
screamingCobra â http://www.dachb0den.com/projects/screamingcobra.html
SPIKE and SPIKE Proxy â http://immunitysec.com/resources-freesoftware.shtml
RFuzz â http://rfuzz.rubyforge.org/
WebFuzz â http://www.codebreakers-journal.com/ind … d=99999999
TestMaker â http://www.pushtotest.com/Docs/downloads/features.html
ASP Auditor â http://michaeldaw.org/projects/asp-auditor-v2/
WSTool â http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) â http://ussysadmin.com/whcc/
Web Text Converter â http://www.microsoft.com/mspress/compan … 56-2187-X/
HackBar (Firefox Add-on) â https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) â http://www.net-force.nl/library/downloads/
PostIntercepter (Greasemonkey script) â http://userscripts.org/scripts/show/743

HTTP general testing / fingerprinting
Wbox: HTTP testing tool â http://hping.org/wbox/
ht://Check â http://htcheck.sourceforge.net/
Mumsie â http://www.lurhq.com/tools/mumsie.html
WebInject â http://www.webinject.org/
Torture.pl Home Page â http://stein.cshl.org/~lstein/torture/
JoeDogâs Seige â http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) â http://www.open-labs.org/
Load-balancing detector â http://ge.mine.nu/lbd.html
HMAP â http://ujeni.murkyroc.com/hmap/
Net-Square: httprint â http://net-square.com/httprint/
Wpoison: http stress testing â http://wpoison.sourceforge.net/
Net-square: MSNPawn â http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter â http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker â http://www.wiretrip.net/rfp/lw.asp
Nikto â http://www.cirt.net/code/nikto.shtml
twill â http://twill.idyll.org/
DirBuster â http://www.owasp.org/index.php/Category … er_Project
[ZIP] DFF Scanner â http://security-net.biz/files/dff/DFF.zip
[ZIP] The Elza project â http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled â http://sf.net/projects/hackfox

Browser-based HTTP tampering / editing / replaying
TamperIE â http://www.bayden.com/Other/
isr-form â http://www.infobyte.com.ar/developments.html
Modify Headers (Firefox Add-on) â http://modifyheaders.mozdev.org/
Tamper Data (Firefox Add-on) â http://tamperdata.mozdev.org/
UrlParams (Firefox Add-on) â https://addons.mozilla.org/en-US/firefox/addon/1290/
TestGen4Web (Firefox Add-on) â https://addons.mozilla.org/en-US/firefox/addon/1385/
DOM Inspector / Inspect This (Firefox Add-on) â https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/
LiveHTTPHeaders / Header Monitor (Firefox Add-on) â http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/

Cookie editing / poisoning
[TGZ] stompy: session id tool â http://lcamtuf.coredump.cx/stompy.tgz
AddâN Edit Cookies (AnEC, Firefox Add-on) â http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) â http://cookieculler.mozdev.org/
CookiePie (Firefox Add-on) â http://www.nektra.com/oss/firefox/extensions/cookiepie/
CookieSpy â http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer â http://www.dutchduck.com/Features/Cookies.aspx

Ajax and XHR scanning
Sahi â http://sahi.co.in/
scRUBYt â http://scrubyt.org/
jQuery â http://jquery.com/
jquery-include â http://www.gnucitizen.org/projects/jquery-include
Sprajax â http://www.denimgroup.com/sprajax.html
Watir â http://wtr.rubyforge.org/
Watij â http://watij.com/
Watin â http://watin.sourceforge.net/
RBNarcissus â http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) â http://blog.caboo.se/articles/2007/2/21 … uzz-plugin
Javascript Inline Debugger (jasildbg) â http://jasildbg.googlepages.com/
Firebug Lite â http://www.getfirebug.com/lite.html
firewaitr â http://code.google.com/p/firewatir/

RSS extensions and caching
LiveLines (Firefox Add-on) â https://addons.mozilla.org/en-US/firefox/addon/324/
rss-cache â http://www.dubfire.net/chris/projects/rss-cache/

SQL injection scanning
0Ã90.org: home of Absinthe, Mezcal, etc â http://0Ã90.org/releases.php
SQLiX â http://www.owasp.org/index.php/Category … iX_Project
sqlninja: a SQL Server injection and takover tool â http://sqlninja.sourceforge.net/
JustinClarkeâs SQL Brute â http://www.justinclarke.com/archives/20 … brute.html
BobCat â http://www.northern-monkee.co.uk/projec … obcat.html
sqlmap â http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer â http://www.sensepost.com/research/scully/
FG-Injector â http://www.flowgate.net/?lang=en&seccion=herramientas
PRIAMOS â http://www.priamos-project.com/

Web application security malware, backdoors, and evil code
W3AF: Web Application Attack and Audit Framework â http://w3af.sourceforge.net/
Jikto â http://busin3ss.name/jikto-in-the-wild/
XSS Shell â http://ferruh.mavituna.com/article/?1338
XSS-Proxy â http://xss-proxy.sourceforge.net
AttackAPI â http://www.gnucitizen.org/projects/attackapi/
FFsniFF â http://azurit.elbiahosting.sk/ffsniff/
HoneyBlogâs web-based junkyard â http://honeyblog.org/junkyard/web-based/
BeEF â http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) â http://www.gnucitizen.org/projects/fex/
What is my IP address? â http://reglos.de/myaddress/
xRumer: blogspam automation tool â http://www.botmaster.net/movies/XFull.htm
SpyJax â http://www.merchantos.com/makebeta/tools/spyjax/
Greasecarnaval â http://www.gnucitizen.org/projects/greasecarnaval
Technika â http://www.gnucitizen.org/projects/technika/
Load-AttackAPI bookmarklet â http://www.gnucitizen.org/projects/load … ookmarklet
MDâs Projects: JS port scanner, pinger, backdoors, etc â http://michaeldaw.org/my-projects/

Web application services that aid in web application security assessment
Netcraft â http://www.netcraft.net
AboutURL â http://www.abouturl.com/
The Scrutinizer â http://www.scrutinizethis.com/
net.toolkit â http://clez.net/
ServerSniff â http://www.serversniff.net/
Online Microsoft script decoder â http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit â http://www.webmaster-toolkit.com/
myIPNeighbbors, et al â http://digg.com/security/MyIPNeighbors_ … IP_Address
PHP charset encoding â http://h4k.in/encoding
data: URL testcases â http://h4k.in/dataurl

Browser-based security fuzzing / checking
Zalewskiâs MangleMe â http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdmâs tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan â http://metasploit.com/users/hdm/tools/
Peach Fuzzer Framework â http://peachfuzz.sourceforge.net/
TagBruteForcer â http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply â http://www.ee.oulu.fi/research/ouspg/pr … index.html
COMRaider â http://labs.idefense.com
bcheck â http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page â http://www.indiana.edu/~phishing/?projects
LinkScanner â http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck â http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests â http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo â http://www.jumperz.net/index.php?i=2&a=1&b=7
Javascript Website Login Checker â http://ha.ckers.org/weird/javascript-we … ecker.html
Mozilla Activex â http://www.iol.ie/~locka/mozilla/mozilla.htm
Jungsonnâs Black Dragon Project â http://blackdragon.jungsonnstudios.com/
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) â http://ha.ckers.org/mr-t/
Vulnerable Adobe Plugin Detection For UXSS PoC â http://www.0Ã000000.com/?i=324
About Flash: is your flash up-to-date? â http://www.macromedia.com/software/flash/about/
Test your installation of Java software â http://java.com/en/download/installed.j … =jre&try=1
WebPageFingerprint â Light-weight Greasemonkey Fuzzer â http://userscripts.org/scripts/show/30285

PHP static analysis and file inclusion scanning
PHP-SAT.org: Static analysis for PHP â http://www.program-transformation.org/PHP/
Unl0ck Research Team: tool for searching in google for include bugs â http://unl0ck.net/tools.php
FIS: File Inclusion Scanner â http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit â http://developer.spikesource.com/projects/phpsecaudit

PHP Defensive Tools
PHPInfoSec â Check phpinfo configuration for security â http://phpsec.org/projects/phpsecinfo/

A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey
Php-Brute-Force-Attack Detector â Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. http://yehg.net/lab/pr0js/files.php/php … detect.zip
PHP-Login-Info-Checker â Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic

http://yehg.net/lab/pr0js/files.php/log … erv0.1.zip

http://yehg.net/lab/pr0js/files.php/php … r_demo.zip
php-DDOS-Shield â A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/
PHPMySpamFIGHTER â http://yehg.net/lab/pr0js/files.php/php … ighter.zip http://yehg.net/lab/pr0js/files.php/php … r_demo.rar

Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
APIDS on Wikipedia â http://en.wikipedia.org/wiki/APIDS
PHP Intrusion Detection System (PHP-IDS) â http://php-ids.org/ http://code.google.com/p/phpids/
dotnetids â http://code.google.com/p/dotnetids/
Secure Science InterScout â http://www.securescience.com/home/newsa … ut1.0.html
Remo: whitelist rule editor for mod_security â http://remo.netnea.com/
GotRoot: ModSecuirty rules â http://www.gotroot.com/tiki-index.php?p … rity+rules
The Web Security Gateway (WSGW) â http://wsgw.sourceforge.net/
mod_security rules generator â http://noeljackson.com/tools/modsecurity/
Mod_Anti_Tamper â http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security â http://www.wisec.it/rdr.php?fn=/Project … -matic.tgz
AQTRONIX WebKnight â http://www.aqtronix.com/?PageID=99
Akismet: blog spam defense â http://akismet.com/
Samoa: Formal tools for securing web services â http://research.microsoft.com/projects/samoa/

Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 â http://www.codeplex.com/WebserviceStudio
Net-square: wsChess â http://net-square.com/wschess/index.shtml
WSFuzzer â http://www.owasp.org/index.php/Category … er_Project
SIFT: web method search tool â http://www.sift.com.au/73/171/sift-web- … h-tool.htm
iSecPartners: WSMap, WSBang, etc â http://www.isecpartners.com/tools.html

Web application non-specific static source-code analysis
Pixy: a static analysis tool for detecting XSS vulnerabilities â http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit â http://www.brixoft.net/prodinfo.asp?id=1
Security compass web application auditing tools (SWAAT) â http://www.owasp.org/index.php/Category … AT_Project
An even more complete list here â http://www.cs.cmu.edu/~aldrich/courses/654/tools/
A nice list that claims some demos available â http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list â http://spinroot.com/static/
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/

Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
RATS â http://www.securesoftware.com/resources … _rats.html
ITS4 â http://www.cigital.com/its4/
FlawFinder â http://www.dwheeler.com/flawfinder/
Splint â http://www.splint.org/
Uno â http://spinroot.com/uno/
BOON (Buffer Overrun detectiON) â http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net
Valgrind â http://www.valgrind.org/

Java static analysis, security frameworks, and web application security tools
LAPSE â http://suif.stanford.edu/~livshits/work/lapse/
HDIV Struts â http://hdiv.org/
Orizon â http://sourceforge.net/projects/orizon/
FindBugs: Find bugs in Java programs â http://findbugs.sourceforge.net/
PMD â http://pmd.sourceforge.net/
CUTE: A Concolic Unit Testing Engine for C and Java â http://osl.cs.uiuc.edu/~ksen/cute/
EMMA â http://emma.sourceforge.net/
JLint â http://jlint.sourceforge.net/
Java PathFinder â http://javapathfinder.sourceforge.net/
Fujaba: Move between UML and Java source code â http://wwwcs.uni-paderborn.de/cs/fujaba/
Checkstyle â http://checkstyle.sourceforge.net/
Cookie Revolver Security Framework â http://sourceforge.net/projects/cookie-revolver
tinapoc â http://sourceforge.net/projects/tinapoc
jarsigner â http://java.sun.com/j2se/1.5.0/docs/too … igner.html
Solex â http://solex.sourceforge.net/
Java Explorer â http://metal.hurlant.com/jexplore/
HTTPClient â http://www.innovation.ch/java/HTTPClient/
another HttpClient â http://jakarta.apache.org/commons/httpclient/
a list of code coverage and analysis tools for Java â http://mythinkpond.blogspot.com/2007/06 … tware.html

Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
Visual Studio 2008 Code Analysis, available in:
VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/prod … 33752.aspx) and
VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/prod … 33735.aspx)
Visual Studio 2005 Code Analyzer, available in:
Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
Web Development Helper â http://www.nikhilk.net/Project.WebDevHelper.aspx
FxCop:
(blog) http://blogs.msdn.com/fxcop/
(download) http://code.msdn.microsoft.com/codeanalysis
Microsoft internal tools you canât have yet:
http://www.microsoft.com/windows/cse/pa_projects.mspx
http://research.microsoft.com/Pex/
http://www.owasp.org/images/5/5b/OWASP_ … zzGuru.pdf

Threat modeling
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) â http://www.microsoft.com/downloads/deta … laylang=en
Amenaza: Attack Tree Modeling (SecurITree) â http://www.amenaza.com/software.php
Octotrike â http://www.octotrike.org/

Add-ons for Firefox that help with Javascript and Ajax web application security
Selenium IDE â http://www.openqa.org/selenium-ide/
Firebug â http://www.joehewitt.com/software/firebug/
Venkman â http://www.mozilla.org/projects/venkman/
Chickenfoot â http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey â http://www.greasespot.net/
Greasemonkey compiler â http://www.letitblog.com/greasemonkey-compiler/
User script compiler â http://arantius.com/misc/greasemonkey/script-compiler
Extension Developerâs Extension (Firefox Add-on) â http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) â https://addons.mozilla.org/en-US/firefox/addon/3885/

Bookmarklets that aid in web application security
RSnakeâs security bookmarklets â http://ha.ckers.org/bookmarklets.html
BMlets â http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets â http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality â http://www.blummy.com/
Bookmarklets every blogger should have â http://www.micropersuasion.com/2005/10/ … ts_ev.html
Flat Bookmark Editing (Firefox Add-on) â http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) â http://www.chuonthis.com/extensions/

SSL certificate checking / scanning
[ZIP] THCSSLCheck â http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger â http://www.foundstone.com/us/resources/ … digger.zip
Cert Viewer Plus (Firefox Add-on) â https://addons.mozilla.org/firefox/1964/

Honeyclients, Web Application, and Web Proxy honeypots
Honeyclient Project: an open-source honeyclient â http://www.honeyclient.org/trac/
HoneyC: the low-interaction honeyclient â http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient â http://capture-hpc.sourceforge.net/
Google Hack Honeypot â http://ghh.sourceforge.net/
PHP.Hop â PHP Honeynet Project â http://www.rstack.org/phphop/
SpyBye â http://www.monkey.org/~provos/spybye/
Honeytokens â http://www.securityfocus.com/infocus/1713

Blackhat SEO and maybe some whitehat SEO
SearchStatus (Firefox Add-on) â http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) â http://tools.seobook.com/firefox/seo-for-firefox.html
SEOQuake (Firefox Add-on) â http://www.seoquake.com/

Footprinting for web application security
Evolution â http://www.paterva.com/evolution-e.html
GooSweep â http://www.mcgrewsecurity.com/projects/goosweep/
Aura: Google API Utility Tools â http://www.sensepost.com/research/aura/
Edge-Security tools â http://www.edge-security.com/soft.php
Fierce Domain Scanner â http://ha.ckers.org/fierce/
Googlegath â http://www.nothink.org/perl/googlegath/
Advanced Dork (Firefox Add-on) â https://addons.mozilla.org/firefox/2144/
Passive Cache (Firefox Add-on) â https://addons.mozilla.org/firefox/977/
CacheOut! (Firefox Add-on) â https://addons.mozilla.org/en-US/firefox/addon/1453/
BugMeNot Extension (Firefox Add-on) â http://roachfiend.com/archives/2005/02/07/bugmenot/
TrashMail.net Extension (Firefox Add-on) â https://addons.mozilla.org/en-US/firefox/addon/1813/
DiggiDig (Firefox Add-on) â https://addons.mozilla.org/en-US/firefox/addon/2819/
Digger (Firefox Add-on) â https://addons.mozilla.org/en-US/firefox/addon/1467/

Database security assessment
Scuba by Imperva Database Vulnerability Scanner â http://www.imperva.com/scuba/

Browser Privacy
TrackMeNot (Firefox Add-on) â https://addons.mozilla.org/firefox/3173/
Privacy Bird â http://www.privacybird.com/

Application and protocol fuzzing (random instead of targeted)
Sulley â http://fuzzing.org/
taof: The Art of Fuzzing â http://sourceforge.net/projects/taof/
zzuf: multipurpose fuzzer â http://sam.zoy.org/zzuf/
autodafÃ©: an act of software torture â http://autodafe.sourceforge.net/
EFS and GPF: Evolutionary Fuzzing System â http://www

要學習使用的安全工具

相關文章