Security Tools

The majority of the tools here can be found on OWASP’s website, https://www.owasp.org.

Code Crawler

About Info:

A tool aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/Java code. It’s a Microsoft .NET 3.5 Windows Forms application which supports the OWASP Code Review Project. It provides automatic STRIDE classification, a very simple DREAD calculator and a few minor utilities. Direct links to the WASC Threat Classification v2.0, the Secure Java Development Guidelines and OWASP tools are also part of the package.
License: Creative Commons Attribution Share Alike 3.0

http://codecrawler.codeplex.com/

Python Static Analysis

Wiki Info:

During 2007 Dmitry Kozlov, Igor Konnov and Georgy Klimov prototyped taint-style static analysis for Python web applications. The tool is based on the Pixy project and is able to find input-validation vulnerabilities (untrusted input that reaches a sensitive sink without being checked) in Python-based web applications. It is currently an alpha release: it supports only a limited subset of Python (functions, modules, classes and data structures, but not generators, comprehensions, lambda functions etc.), and it only supports mod_python web applications.

http://code.google.com/p/owasp-python-static-analysis/

WebGoat

Wiki Info:

WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name ‘WebGoat’? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!
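The SQL injection lesson mentioned above reduces to one mistake and one fix. As an added example (not WebGoat's own code; the table, the fake card numbers and the payload are constructed), the vulnerable lookup splices the user's input into the SQL text while the safe one binds it as a parameter, so the same `' OR '1'='1` input dumps every row from the first and nothing from the second:

```python
import sqlite3

# Constructed fake card numbers, standing in for WebGoat's lesson data.
FAKE_CARDS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
]

# Input that closes the quoted literal and appends an always-true condition.
PAYLOAD = "nobody' OR '1'='1"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT, number TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", FAKE_CARDS)
    return conn


def lookup_vulnerable(conn, owner):
    """The lesson's bug: the input becomes part of the SQL grammar, so a quote
    in it changes the query's structure instead of being matched as data."""
    sql = "SELECT number FROM cards WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, owner):
    """The fix: a bound parameter is handed to the engine as a value only."""
    sql = "SELECT number FROM cards WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    conn = build_db()
    print("normal   :", lookup_vulnerable(conn, "alice"))
    print("injected :", lookup_vulnerable(conn, PAYLOAD))
    print("safe     :", lookup_safe(conn, PAYLOAD))
```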

http://code.google.com/p/webgoat/downloads/list

WebScarab

Wiki Info:

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

Rogan Dawes’s git tree

http://dawes.za.net/gitweb.cgi

OWASP Hatkit Proxy Project

Wiki Info:

The primary purpose of the Hatkit Proxy is to be a minimal, lightweight proxy which stores traffic in offline storage where further analysis can be performed, i.e. all the kinds of analysis that are currently implemented inside the proxies themselves (WebScarab, Burp, Paros etc.).
Also, since the HTTP traffic is stored in MongoDB, it is stored at object level, retaining the structure of the parsed traffic.
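WebScarab's intercept-and-modify workflow and Hatkit's object-level storage both rest on the same step: turning the raw HTTP message into structure. As an added example (not code from either project; the request, host name and field names are constructed, and an in-memory list stands in for Hatkit's MongoDB collection), the following parses a request into a document of method, path, query, headers, cookies and body parameters, lets an operator tamper with one field and re-serializes it with a corrected Content-Length, and queries stored documents by a dotted key the way a Mongo query such as `{"body.user": "alice"}` would:

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed raw request, the kind an intercepting proxy sees from the browser.
RAW_REQUEST = (
    "POST /login?next=%2Faccount HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "user=alice&password=s3cret"
)


def parse_request(raw):
    """Parse a raw HTTP/1.1 request into a structured document."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = dict(item.strip().split("=", 1)
                   for item in headers.get("cookie", "").split(";") if "=" in item)
    body_params = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_params = dict(parse_qsl(body, keep_blank_values=True))
    return {
        "method": method, "path": url.path, "version": version,
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        "headers": headers, "cookies": cookies, "body": body_params,
    }


def tamper(doc, section, name, value):
    """Edit one field ('query', 'headers', 'cookies' or 'body') of a parsed
    request, the way an operator edits it in the proxy before forwarding."""
    doc = copy.deepcopy(doc)
    doc[section][name] = value
    return doc


def serialize(doc):
    """Rebuild the raw request; Cookie and Content-Length are recomputed so an
    edited body is not sent with a stale length."""
    body = urlencode(doc["body"]) if doc["body"] else ""
    query = urlencode(doc["query"])
    target = doc["path"] + ("?" + query if query else "")
    headers = dict(doc["headers"])
    if doc["cookies"]:
        headers["cookie"] = "; ".join(f"{k}={v}" for k, v in doc["cookies"].items())
    if body:
        headers["content-length"] = str(len(body))
    lines = [f"{doc['method']} {target} {doc['version']}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


class TrafficStore:
    """Assumed stand-in for a MongoDB collection: documents kept in a list."""

    def __init__(self):
        self.docs = []

    def insert(self, doc):
        self.docs.append(doc)

    def find(self, dotted_key, value):
        """Match on a nested field, e.g. find('body.user', 'alice')."""
        hits = []
        for doc in self.docs:
            node = doc
            for part in dotted_key.split("."):
                node = node.get(part) if isinstance(node, dict) else None
            if node == value:
                hits.append(doc)
        return hits


def index_and_query(raw_requests, dotted_key, value):
    """Parse every captured request, store it, and return the matching documents."""
    store = TrafficStore()
    for raw in raw_requests:
        store.insert(parse_request(raw))
    return store.find(dotted_key, value)


if __name__ == "__main__":
    doc = parse_request(RAW_REQUEST)
    print(json.dumps(doc, indent=2))
    print(serialize(tamper(doc, "body", "user", "admin")))
    print(len(index_and_query([RAW_REQUEST], "cookies.session", "abc123")), "match(es)")
```

Storing the parsed document rather than the raw bytes is what makes the later queries cheap: every parameter, cookie and header is already a field, so "all requests where body.user equals X" is a lookup instead of a re-parse.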

https://www.owasp.org/index.php/OWASP_Hatkit_Proxy_Project

OWASP Hatkit Datafiddler Project

Wiki Info:

The Hatkit Datafiddler is a tool for analysing captured HTTP traffic. It currently consists of two main views, one table-based and one tree-based, which allow the user to study different aspects of the HTTP traffic with a very high degree of configurability. The tool is also meant to be a framework which can use existing tools to analyze traffic.
It is written in Python with a Qt-based UI and uses a MongoDB database. Its sister project is the Hatkit Proxy.

https://www.owasp.org/index.php/OWASP_Hatkit_Datafiddler_Project
Wireshark
A great tool for capturing and analyzing network traffic packet by packet, with protocol dissectors for a very large number of protocols.

Network Miner
Another network analysis tool. More user friendly than Wireshark: it works at the host and session level rather than the packet level, and does a great job of organizing the captured information (hosts, sessions, credentials, transferred files) for you.

Scalpel

A file carving tool, written in C: it recovers files from disk images or raw byte streams by scanning for known header and footer byte signatures, without relying on filesystem metadata.
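Header/footer carving is simple enough to show end to end. As an added example (not Scalpel's code; the JPEG and PNG markers are the real file signatures, while the size cap, the sample "image" and the output naming are constructed assumptions), the following scans a byte blob for each signature, cuts from the header to the first footer within a maximum size, and carves a capped window flagged as incomplete when no footer turns up, which is the case for a file whose tail was overwritten:

```python
import os
import tempfile

# (header bytes, footer bytes, maximum carve size). The markers are the real
# JPEG and PNG signatures; the 4 MiB cap is an assumed per-type "max size".
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4 * 1024 * 1024),
}

# Constructed sample "disk image": filler bytes, two complete files and a
# truncated JPEG whose footer never appears.
JPEG_ONE = b"\xff\xd8\xff\xe0" + b"JFIF-data-1" + b"\xff\xd9"
PNG_ONE = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk" + b"IEND\xaeB`\x82"
JPEG_CUT = b"\xff\xd8\xff\xe1" + b"exif-data-cut"
IMAGE = b"\x00" * 16 + JPEG_ONE + b"junk" + PNG_ONE + b"\x11" * 8 + JPEG_CUT


def carve(blob, signatures=SIGNATURES):
    """Return (type, offset, data, complete) for every signature hit, by offset."""
    hits = []
    for ext, (header, footer, max_size) in signatures.items():
        pos = blob.find(header)
        while pos != -1:
            window = blob[pos:pos + max_size]
            end = window.find(footer, len(header))
            if end == -1:
                # No footer within max_size: keep the capped window, mark it incomplete.
                data, complete = window, False
            else:
                data, complete = window[:end + len(footer)], True
            hits.append((ext, pos, data, complete))
            # After a complete file skip past it; after an incomplete one only
            # skip the header, so a later real header inside the window is not missed.
            pos = blob.find(header, pos + (len(data) if complete else len(header)))
    return sorted(hits, key=lambda hit: hit[1])


def write_carved(hits, out_dir):
    """Write each hit as <offset>.<ext> (assumed naming, in the spirit of Scalpel's output)."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for ext, offset, data, _ in hits:
        path = os.path.join(out_dir, f"{offset:08d}.{ext}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    results = carve(IMAGE)
    for ext, offset, data, complete in results:
        state = "complete" if complete else "TRUNCATED"
        print(f"{ext} at offset {offset}: {len(data)} bytes ({state})")
    print(write_carved(results, tempfile.mkdtemp()))
```

Because carving keys only on byte patterns, a signature inside unrelated data (a JPEG thumbnail embedded in another file, or random bytes that happen to match a short marker) produces a false hit; the incomplete flag and the size cap are the practical guards, and validating each carved file with a real parser is the usual next step.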