Testing Tools Resource
Last updated
Last updated
This appendix is intended to provide a list of common tools that are used for web application testing. It does not aim to be a complete tool reference, and the inclusion of a tool here should not be seen as a specific endorsement of that tool by OWASP.
The list contains only tools that are freely available to download and use (although they may have licenses restricting their use for commercial activity).
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Burp Suite is an intercepting proxy for security testing. It allows intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom TLS certificates and non-proxy-aware clients.
Fiddler an intercepting web proxy that is primarily aimed at developers rather than penetration testers, but still provides useful functionality. It also hooks directly into the Windows HTTP APIs, allowing it to intercept traffic from some software that doesn't allow custom proxies to be set.
View HTTP headers of a page and while browsing.
Create multiple containers, each of which have their own isolated cookies and sessions. Useful for testing access control between different users.
Use Tamper Data to view and modify HTTP/HTTPS headers and post parameters
The Web Developer extension adds various web developer tools to the browser.
The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Chrome.
Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
Hash Crackers
Remote Brute Force
Browser Automation tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.
A Java and JUnit based framework that uses the Apache HttpClient as the transport.
Very robust and configurable and is used as the engine for a number of other testing tools.
JavaScript based testing framework, cross-platform and provides a GUI for creating tests.