Web Application Security Resources
Here is a list of web application security resources, including testing tools, sites you can test against, etc. It's grouped under:
- Suites and Frameworks
- Vulnerable Web Applications
- Additional Resources
Suites / Frameworks
- Burp Suite
The premier tool for performing manual web application vulnerability assessments and penetration tests. The pro version includes a scanner, and the Intruder tool makes the offering stand out amongst its peers.
- HP WebInspect
An enterprise-focused tool suite that includes a scanner, proxy, and assorted other tools.
The latest version of this famous suite from OWASP. Includes a web services module that allows you to parse WSDLs and interact with their associated functions.
- IBM AppScan
IBM’s enterprise-focused suite.
- Acunetix
Acunetix’s enterprise-focused suite.
- NTObjectives
NTObjectives’s enterprise-focused suite.
- w3af
w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
- Websecurify
Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies.
- Samurai Web Testing Framework
The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment.
A fully automated, active web application security reconnaissance tool written by Michal Zalewski of Google.
Web Assessment Utilities
- Yehg.net Charset Encoder / String Encrypter
An online, feature-rich tool for changing the encoding of input.
- Websecurify Chrome Extension
The Chrome Extension version of the Websecurify tool. Performs a scan and tells you the results summary, but there’s no authentication or detailed view of findings. It’s more of a quick-touch option before you run a real tool.
- XSS Me
The Firefox extension.
- SQL Inject Me
The Firefox extension.
Vulnerable Web Applications
- Google Gruyere
This one is from Google; you can use it both online and as a local install.
These sites are OK to scan:
- zero.webappsecurity.com (HP)
- demo.testfire.net (IBM)
- test.acunetix.com (Acunetix)
- testphp.vulnweb.com (Acunetix)
- testasp.acunetix.com (Acunetix)
- testaspnet.acunetix.com (Acunetix)
- Hacker Test
This one is not like the others; it’s not a full website you’d scan, but rather more like a puzzle where you proceed through various levels.
Another challenge, similar to Hacker Test.
Download and Configure
- Broken Web Apps Project (OWASP)
This is the one you want first; it has over a dozen broken web apps to play with.
- Web Security Dojo (Maven)
Similar to OWASP’s Broken Web Apps project, i.e. multiple broken web apps in one place.
- Webgoat (OWASP)
This is the grand poobah of the testing sites because it includes training with it. Note that it’s on the Broken Web Apps image listed above.
- Damn Vulnerable Web App
- Hackme Bank (McAfee)
- Hackme Casino (McAfee)
- Hackme Books (McAfee)
- Hackme Shipping (McAfee)
- Hackme Travel (McAfee)
- Moth (Bonsai)
- SecuriBench (Stanford)
- Vicnum (ipsaplus)
All due credit for this article goes to the person who put it up here.