The majority of the tools here can be found at OWASP’s website, https://www.owasp.org.
A tool aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code. It’s a Microsoft .NET 3.5 Windows Form application which supports the OWASP Code Review Project. It provides automatic STRIDE classification, a very simple DREAD calculator and a few minor utilities. Direct links to WAST 2.0 Threat Classification, Secure Java Development Guidelines and OWASP Tools are also part of the package.
License: Creative Commons Attribution Share Alike 3.0
Python Static Analysis
During 2007 Dmitry Kozlov, Igor Konnov and Georgy Klimov prototyped taint-style static analysis for Python web applications. This tool is based on the Pixy project. It is able to find input validation security vulnerabilities in Python-based web applications. This tool is currently in alpha release. It supports a limited subset of Python: functions, modules, classes and data structures, but not generators, comprehensions, lambda functions, etc. It supports only mod_python web applications.
WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
Why the name ‘WebGoat’? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
Rogan Dawes’s git tree
OWASP Hatkit Proxy Project
The primary purpose of the Hatkit Proxy is to create a minimal, lightweight proxy which stores traffic in offline storage where further analysis can be performed, i.e. all the kinds of analysis which are currently implemented by the proxies themselves (webscarab/burp/paros etc).
Also, since the HTTP traffic is stored in a MongoDB database, the traffic is stored at an object level, retaining the structure of the parsed traffic.
OWASP Hatkit Datafiddler Project
The Hatkit Datafiddler is a tool for performing analysis of captured HTTP traffic. It currently consists of two main views, one table-based and one tree-based. These views allow the user to study different aspects of the HTTP traffic, with a very high degree of configurability. The tool is also meant to be a framework which can utilize existing tools to analyze traffic.
It is written in Python with a Qt-based UI and uses a MongoDB database. It has a sister project, the Hatkit Proxy.
A great tool for analyzing network traffic.
Another network analysis tool. More user-friendly than Wireshark, and it does a great job organizing the network information for you.
A file carving tool written in Python.