My favorite 10 web application fuzzing tools in fuzzy order
2016-11-25 14:57
399 查看
1. SPIKE Proxy
It is a professional-grade tool for looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL Injection and cross-site-scripting, but it’s completely open Python infrastructure allows advanced users to customize
it for web applications that other tools fall apart on. SPIKE Proxy is available for Linux and Windows.
2. WebScarab
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
Parameter fuzzer plugin performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.
3. Burp Intruder
Burp intruder is a highly configurable java web application security tool and can be used to automate a wide range of attacks against applications, including testing for common web application vulnerabilities such as SQL injection, cross-site scripting, buffer
overflows and directory traversal; brute force attacks against authentication schemes; enumeration; parameter manipulation; trawling for hidden content and functionality; session token sequencing and session hijacking; data mining; concurrency attacks; and
application-layer denial-of-service attacks.
4. Wapiti
Wapiti allows you to audit the security of your web applications.It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
5. RFuzz The Web Destroyer
RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.
6. OWASP WSFuzzer
WSFuzzer is a GPL’d program, written in Python, that currently targets Web Services. In the current version HTTP based SOAP services are the main target. This tool was created based on, and to automate, some real-world manual SOAP pen testing work.
7. SPI Fuzzer (member of SPI Dynamics WebInspect suite)
It identifies buffer overflows using HTTP fuzzing or modification of input variables.Trial version available for download.
8. Suru Web Proxy
Suru gives the analyst the ability to fuzz ANY part of the HTTP request. This obviously includes GET and POST parameters, but can also be extended to Host: fields, Content-length: etc. The analyst can choose to fuzz any point of the HTTP request header or body.
These "Fuzz control points" can be fuzzed with any value – and Suru includes some sample fuzz strings by default.
9. AppScan
AppScan scans and tests for all common web application vulnerabilities – including those identified in the WASC threat classification – such as SQL-Injection, Cross-Site Scripting and Buffer Overflow.
10. ASP Auditor
The purpose of this tool is to look for common misconfiguration and information leaks in ASP.NET applications.
What are your favorite Web App testing tools ?
It is a professional-grade tool for looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL Injection and cross-site-scripting, but it’s completely open Python infrastructure allows advanced users to customize
it for web applications that other tools fall apart on. SPIKE Proxy is available for Linux and Windows.
2. WebScarab
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
Parameter fuzzer plugin performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.
3. Burp Intruder
Burp intruder is a highly configurable java web application security tool and can be used to automate a wide range of attacks against applications, including testing for common web application vulnerabilities such as SQL injection, cross-site scripting, buffer
overflows and directory traversal; brute force attacks against authentication schemes; enumeration; parameter manipulation; trawling for hidden content and functionality; session token sequencing and session hijacking; data mining; concurrency attacks; and
application-layer denial-of-service attacks.
4. Wapiti
Wapiti allows you to audit the security of your web applications.It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
5. RFuzz The Web Destroyer
RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.
6. OWASP WSFuzzer
WSFuzzer is a GPL’d program, written in Python, that currently targets Web Services. In the current version HTTP based SOAP services are the main target. This tool was created based on, and to automate, some real-world manual SOAP pen testing work.
7. SPI Fuzzer (member of SPI Dynamics WebInspect suite)
It identifies buffer overflows using HTTP fuzzing or modification of input variables.Trial version available for download.
8. Suru Web Proxy
Suru gives the analyst the ability to fuzz ANY part of the HTTP request. This obviously includes GET and POST parameters, but can also be extended to Host: fields, Content-length: etc. The analyst can choose to fuzz any point of the HTTP request header or body.
These "Fuzz control points" can be fuzzed with any value – and Suru includes some sample fuzz strings by default.
9. AppScan
AppScan scans and tests for all common web application vulnerabilities – including those identified in the WASC threat classification – such as SQL-Injection, Cross-Site Scripting and Buffer Overflow.
10. ASP Auditor
The purpose of this tool is to look for common misconfiguration and information leaks in ASP.NET applications.
What are your favorite Web App testing tools ?
相关文章推荐
- 10+ Free Web Application Security Testing Tools
- Using the Web Service Callbacks in the .NET Application
- Servlet In Web Application
- XML, XSLT, Java, and JSP: A Case Study in Developing a Web Application
- Spring异常:Error creating bean with name 'sessionFactory' defined in ServletContext resource [/WEB-INF/classes/applicationContext.
- 5 advice for developing RIA and WEB application in Flex
- [Question]:Is there only one Servlet Inatance in each web application of web container
- 10 Tools to help you select a Web 2.0 Color Palette
- In .NET framework remoting and webservice two technologies understanding and practical application
- How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings
- Bind the WebApplicationContext in MockStrutsTestCase
- Top 10 Must Have Features in O/R Mapping Tools(转)
- Watin——Web Application Testing in .Net
- web application testing in ruby (1)
- Unable to start debugging on the web server. You do not have permission to debug the application. The URL for this project is in
- Using the Web Services and COM+ Event System in the .Net Application.
- How to Identify MDS user in intranet web application ?
- web application testing in dotnet (watin)
- Issue of weblogic [Servlet: "action" failed to preload on startup in Web application]
- Another way to retrieve a custom key's value from web.config in web form application