WebSleuth

WebSleuth is a manual research and exploration tool for web applications. It is not just one application; it is a complete toolbox of applications that come together to let you do some unique things. Sleuth focuses only on giving auditors the tools they need to manually disassemble the web application by hand and to efficiently test it in any manner they can conceive.

Platform: Windows


SPIKE Proxy

Immunity, Inc.'s SPIKE Proxy, part of the SPIKE Application Testing Suite, is a revolutionary way to ensure your web applications are secure. It functions as an HTTP and HTTPS proxy, and allows the web developer or web application auditor low-level access to the entire web application interface, while also providing a bevy of automated tools and techniques for discovering common problems.

Platform: Windows / *NIX / Linux


Odysseus

Odysseus is a tool designed for testing the security of web applications. It is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission.

Platform: Windows


OWASP-WebGoat

WebGoat is based on the concept of teaching a user a real world lesson and then asking the user to demonstrate their understanding by exploiting a real vulnerability on the local system. The system is even clever enough to provide hints and show the user cookies, parameters and the underlying Java code if they choose. Examples of lessons include SQL injection to a fake credit card database, where the user creates the attack and steals the credit card numbers.

Platform: Windows / *NIX / Linux


Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2600 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers.

Platform: Windows / *NIX / Linux


HTTPush

HTTPush aims at providing an easy way to audit HTTP and HTTPS application/server security. It supports on-the-fly request modification, automated decision making and vulnerability detection through the use of plug-ins and full reporting capabilities.

Platform: *NIX / Linux


Curl

Curl is a command-line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, Kerberos, HTTP form-based upload, proxies, cookies, user+password authentication, file transfer resume, HTTP proxy tunneling and a busload of other useful tricks.

Platform: Windows / *NIX / Linux / Solaris 2.x / Mac OS X / HP-UX