2017Web安全工具传说中的神器汇总

一、测试地点/场地|Test sites / testing grounds（11条）
二、HTTP代理/编辑|HTTP proxying / editing（14条）
三、RSnake的XSS作弊工具，webapp静态分析和编码工具|RSnake’s XSS cheat sheet based-tools, webapp fuzzing, and encoding tools（25条）
四、HTTP通用测试/指纹识别|HTTP general testing / fingerprinting（20条）
五、基于浏览器的HTTP篡改/编辑/重播|Browser-based HTTP tampering / editing / replaying（8条）
六、Cookie编辑/中毒|Cookie editing / poisoning（6条）
七、Ajax和XHR扫描|Ajax and XHR scanning（13条）
八、RSS扩展和缓存|RSS extensions and caching（2条）
九、SQL注入扫描|SQL injection scanning（9条）
十、Web应用程序安全恶意软件，后门程序和恶意代码|Web application security malware, backdoors, and evil code（16条）
十一、帮助Web应用程序安全评估的Web应用程序服务|Web application services that aid in web application security assessment（10条）
十二、基于浏览器的安全静态分析/检查|Browser-based security fuzzing / checking（18条）
十三、PHP静态分析和文件包含扫描|PHP static analysis and file inclusion scanning（4条）
十四、PHP防御工具|PHP Defensive Tools（6条）
十五、Web应用防火墙（WAF）和入侵检测（APIDS）规则和资源|Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources（13条）
十六、Web服务枚举/扫描/静态分析|Web services enumeration / scanning / fuzzing（5条）
十七、Web应用程序非特定静态源代码分析|Web application non-specific static source-code analysis（6条）
十八、Web应用程序中C / C ++（CGI，ISAPI等）的静态分析|Static analysis for C/C++ (CGI, ISAPI, etc) in web applications（7条）
十九、Java静态分析，安全框架和Web应用程序安全工具|Java static analysis, security frameworks, and web application security tools（19条）
二十、Microsoft .NET静态分析和安全框架工具，主要用于ASP.NET和ASP.NET AJAX，还有C＃和VB.NET|Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET（4条）
二十一、威胁建模|Threat modeling（3条）
二十二、适用于Firefox的附加组件，有助于一般的Web应用程序安全|Add-ons for Firefox that help with general web application security（18条）
二十三、适用于Firefox的附加组件，可帮助使用Javascript和Ajax Web应用程序安全|Add-ons for Firefox that help with Javascript and Ajax web application security（8条）
二十四、有助于Web应用程序安全的书签|Bookmarklets that aid in web application security（6条）
二十五、SSL证书检查/扫描|SSL certificate checking / scanning（3条）
二十六、Honeyclients，Web应用程序和Web代理蜜罐|Honeyclients, Web Application, and Web Proxy honeypots（7条）
二十七、Blackhat SEO和也许一些白帽SEO|Blackhat SEO and maybe some whitehat SEO（3条）
二十八、Web应用程序安全性的脚印|Footprinting for web application security（13条）
二十九、数据库安全评估|Database security assessment（1条）
三十、浏览器防御|Browser Defenses（18条）
三十一、浏览器隐私|Browser Privacy（2条）
三十二、应用和协议静态分析（随机而不是目标）|Application and protocol fuzzing (random instead of targeted)（5条）

一、测试地点/场地|Test sites / testing grounds

SPI Dynamics (live) – http://zero.webappsecurity.com/
Cenzic (live) – http://crackme.cenzic.com/
Watchfire (live) – http://demo.testfire.net/
Acunetix (live) – http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
WebMaven / Buggy Bank – http://www.mavensecurity.com/webmaven
Foundstone SASS tools – http://www.foundstone.com/us/resources-free-tools.asp
Updated HackmeBank – http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
OWASP WebGoat – http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP SiteGenerator – http://www.owasp.org/index.php/Owasp_SiteGenerator
Stanford SecuriBench – http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro – http://suif.stanford.edu/~livshits/work/securibench-micro/

二、HTTP代理/编辑|HTTP proxying / editing

WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp – http://www.portswigger.net/
Paros – http://www.parosproxy.org/
Fiddler – http://www.fiddlertool.com/
Web Proxy Editor – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera – http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru – http://www.sensepost.com/research/suru/
httpedit (curses-based) – http://www.neutralbit.com/en/rd/httpedit/
Charles – http://www.xk72.com/charles/
Odysseus – http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X – http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools’/O’Reilly – http://examples.oreilly.com/networkst/
JS Commander – http://jscmd.rubyforge.org/
Ratproxy – http://code.google.com/p/ratproxy/

三、RSnake的XSS作弊工具，webapp静态分析和编码工具|RSnake’s XSS cheat sheet based-tools, webapp fuzzing, and encoding tools

Wfuzz – http://www.edge-security.com/wfuzz.php
ProxMon – http://www.isecpartners.com/proxmon.html
Wapiti – http://wapiti.sourceforge.net/
Grabber – http://rgaucher.info/beta/grabber/
XSSScan – http://darkcode.ath.cx/scanners/XSSscan.py
CAL9000 – http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
HTMangLe – http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz – http://sourceforge.net/projects/jbrofuzz
XSSFuzz – http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid’s XSS Assistant – http://www.whiteacid.org/greasemonkey/
Overlong UTF – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
[TGZ] MielieTool (SensePost Research) – http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
RegFuzzer: test your regular expression filter – http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter
screamingCobra – http://www.dachb0den.com/projects/screamingcobra.html
SPIKE and SPIKE Proxy – http://immunitysec.com/resources-freesoftware.shtml
RFuzz – http://rfuzz.rubyforge.org/
WebFuzz – http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999
TestMaker – http://www.pushtotest.com/Docs/downloads/features.html
ASP Auditor – http://michaeldaw.org/projects/asp-auditor-v2/
WSTool – http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) – http://ussysadmin.com/whcc/
Web Text Converter – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
HackBar (Firefox Add-on) – https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) – http://www.net-force.nl/library/downloads/
PostIntercepter (Greasemonkey script) – http://userscripts.org/scripts/show/743

四、HTTP通用测试/指纹识别|HTTP general testing / fingerprinting

Wbox: HTTP testing tool – http://hping.org/wbox/
ht://Check – http://htcheck.sourceforge.net/
Mumsie – http://www.lurhq.com/tools/mumsie.html
WebInject – http://www.webinject.org/
Torture.pl Home Page – http://stein.cshl.org/~lstein/torture/
JoeDog’s Seige – http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) – http://www.open-labs.org/
Load-balancing detector – http://ge.mine.nu/lbd.html
HMAP – http://ujeni.murkyroc.com/hmap/
Net-Square: httprint – http://net-square.com/httprint/
Wpoison: http stress testing – http://wpoison.sourceforge.net/
Net-square: MSNPawn – http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter – http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker – http://www.wiretrip.net/rfp/lw.asp
Nikto – http://www.cirt.net/code/nikto.shtml
twill – http://twill.idyll.org/
DirBuster – http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
[ZIP] DFF Scanner – http://security-net.biz/files/dff/DFF.zip
[ZIP] The Elza project – http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled – http://sf.net/projects/hackfox

五、基于浏览器的HTTP篡改/编辑/重播|Browser-based HTTP tampering / editing / replaying

TamperIE – http://www.bayden.com/Other/
isr-form – http://www.infobyte.com.ar/developments.html
Modify Headers (Firefox Add-on) – http://modifyheaders.mozdev.org/
Tamper Data (Firefox Add-on) – http://tamperdata.mozdev.org/
UrlParams (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1290/
TestGen4Web (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1385/
DOM Inspector / Inspect This (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/
LiveHTTPHeaders / Header Monitor (Firefox Add-on) – http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/

六、Cookie编辑/中毒|Cookie editing / poisoning

[TGZ] stompy: session id tool – http://lcamtuf.coredump.cx/stompy.tgz
Add’N Edit Cookies (AnEC, Firefox Add-on) – http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) – http://cookieculler.mozdev.org/
CookiePie (Firefox Add-on) – http://www.nektra.com/oss/firefox/extensions/cookiepie/
CookieSpy – http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer – http://www.dutchduck.com/Features/Cookies.aspx

七、Ajax和XHR扫描|Ajax and XHR scanning

Sahi – http://sahi.co.in/
scRUBYt – http://scrubyt.org/
jQuery – http://jquery.com/
jquery-include – http://www.gnucitizen.org/projects/jquery-include
Sprajax – http://www.denimgroup.com/sprajax.html
Watir – http://wtr.rubyforge.org/
Watij – http://watij.com/
Watin – http://watin.sourceforge.net/
RBNarcissus – http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) – http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
Javascript Inline Debugger (jasildbg) – http://jasildbg.googlepages.com/
Firebug Lite – http://www.getfirebug.com/lite.html
firewaitr – http://code.google.com/p/firewatir/

八、RSS扩展和缓存|RSS extensions and caching

LiveLines (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/324/
rss-cache – http://www.dubfire.net/chris/projects/rss-cache/

九、SQL注入扫描|SQL injection scanning

0×90.org: home of Absinthe, Mezcal, etc – http://0×90.org/releases.php
SQLiX – http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takover tool – http://sqlninja.sourceforge.net/
JustinClarke’s SQL Brute – http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat – http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap – http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer – http://www.sensepost.com/research/scully/
FG-Injector – http://www.flowgate.net/?lang=en&seccion=herramientas
PRIAMOS – http://www.priamos-project.com/

十、Web应用程序安全恶意软件，后门程序和恶意代码|Web application security malware, backdoors, and evil code

W3AF: Web Application Attack and Audit Framework – http://w3af.sourceforge.net/
Jikto – http://busin3ss.name/jikto-in-the-wild/
XSS Shell – http://ferruh.mavituna.com/article/?1338
XSS-Proxy – http://xss-proxy.sourceforge.net
AttackAPI – http://www.gnucitizen.org/projects/attackapi/
FFsniFF – http://azurit.elbiahosting.sk/ffsniff/
HoneyBlog’s web-based junkyard – http://honeyblog.org/junkyard/web-based/
BeEF – http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) – http://www.gnucitizen.org/projects/fex/
What is my IP address? – http://reglos.de/myaddress/
xRumer: blogspam automation tool – http://www.botmaster.net/movies/XFull.htm
SpyJax – http://www.merchantos.com/makebeta/tools/spyjax/
Greasecarnaval – http://www.gnucitizen.org/projects/greasecarnaval
Technika – http://www.gnucitizen.org/projects/technika/
Load-AttackAPI bookmarklet – http://www.gnucitizen.org/projects/load-attackapi-bookmarklet
MD’s Projects: JS port scanner, pinger, backdoors, etc – http://michaeldaw.org/my-projects/

十一、帮助Web应用程序安全评估的Web应用程序服务|Web application services that aid in web application security assessment

Netcraft – http://www.netcraft.net
AboutURL – http://www.abouturl.com/
The Scrutinizer – http://www.scrutinizethis.com/
net.toolkit – http://clez.net/
ServerSniff – http://www.serversniff.net/
Online Microsoft script decoder – http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit – http://www.webmaster-toolkit.com/
myIPNeighbbors, et al – http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
PHP charset encoding – http://h4k.in/encoding
data: URL testcases – http://h4k.in/dataurl

十二、基于浏览器的安全静态分析/检查|Browser-based security fuzzing / checking

Zalewski’s MangleMe – http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdm’s tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan – http://metasploit.com/users/hdm/tools/
Peach Fuzzer Framework – http://peachfuzz.sourceforge.net/
TagBruteForcer – http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply – http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider – http://labs.idefense.com
bcheck – http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page – http://www.indiana.edu/~phishing/?projects
LinkScanner – http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck – http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests – http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo – http://www.jumperz.net/index.php?i=2&a=1&b=7
Javascript Website Login Checker – http://ha.ckers.org/weird/javascript-website-login-checker.html
Mozilla Activex – http://www.iol.ie/~locka/mozilla/mozilla.htm
Jungsonn’s Black Dragon Project – http://blackdragon.jungsonnstudios.com/
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) – http://ha.ckers.org/mr-t/
Vulnerable Adobe Plugin Detection For UXSS PoC – http://www.0×000000.com/?i=324
About Flash: is your flash up-to-date? – http://www.macromedia.com/software/flash/about/
Test your installation of Java software – http://java.com/en/download/installed.jsp?detect=jre&try=1
WebPageFingerprint – Light-weight Greasemonkey Fuzzer – http://userscripts.org/scripts/show/30285

十三、PHP静态分析和文件包含扫描|PHP static analysis and file inclusion scanning

PHP-SAT.org: Static analysis for PHP – http://www.program-transformation.org/PHP/
Unl0ck Research Team: tool for searching in google for include bugs – http://unl0ck.net/tools.php
FIS: File Inclusion Scanner – http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit – http://developer.spikesource.com/projects/phpsecaudit

十四、PHP防御工具|PHP Defensive Tools

PHPInfoSec – Check phpinfo configuration for security – http://phpsec.org/projects/phpsecinfo/
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey
Php-Brute-Force-Attack Detector – Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip
PHP-Login-Info-Checker – Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip
php-DDOS-Shield – A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/
PHPMySpamFIGHTER – http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar

十五、Web应用防火墙（WAF）和入侵检测（APIDS）规则和资源|Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources

APIDS on Wikipedia – http://en.wikipedia.org/wiki/APIDS
PHP Intrusion Detection System (PHP-IDS) – http://php-ids.org/ http://code.google.com/p/phpids/
dotnetids – http://code.google.com/p/dotnetids/
Secure Science InterScout – http://www.securescience.com/home/newsandevents/news/interscout1.0.html
Remo: whitelist rule editor for mod_security – http://remo.netnea.com/
GotRoot: ModSecuirty rules – http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) – http://wsgw.sourceforge.net/
mod_security rules generator – http://noeljackson.com/tools/modsecurity/
Mod_Anti_Tamper – http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security – http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
AQTRONIX WebKnight – http://www.aqtronix.com/?PageID=99
Akismet: blog spam defense – http://akismet.com/
Samoa: Formal tools for securing web services – http://research.microsoft.com/projects/samoa/

十六、Web服务枚举/扫描/静态分析|Web services enumeration / scanning / fuzzing

WebServiceStudio2.0 – http://www.codeplex.com/WebserviceStudio
Net-square: wsChess – http://net-square.com/wschess/index.shtml
WSFuzzer – http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool – http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
iSecPartners: WSMap, WSBang, etc – http://www.isecpartners.com/tools.html

十七、Web应用程序非特定静态源代码分析|Web application non-specific static source-code analysis

Pixy: a static analysis tool for detecting XSS vulnerabilities – http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit – http://www.brixoft.net/prodinfo.asp?id=1
Security compass web application auditing tools (SWAAT) – http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
An even more complete list here – http://www.cs.cmu.edu/~aldrich/courses/654/tools/
A nice list that claims some demos available – http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list – http://spinroot.com/static/
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/

十八、Web应用程序中C / C ++（CGI，ISAPI等）的静态分析|Static analysis for C/C++ (CGI, ISAPI, etc) in web applications

RATS – http://www.securesoftware.com/resources/download_rats.html
ITS4 – http://www.cigital.com/its4/
FlawFinder – http://www.dwheeler.com/flawfinder/
Splint – http://www.splint.org/
Uno – http://spinroot.com/uno/
BOON (Buffer Overrun detectiON) – http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net
Valgrind – http://www.valgrind.org/

十九、Java静态分析，安全框架和Web应用程序安全工具|Java static analysis, security frameworks, and web application security tools

LAPSE – http://suif.stanford.edu/~livshits/work/lapse/
HDIV Struts – http://hdiv.org/
Orizon – http://sourceforge.net/projects/orizon/
FindBugs: Find bugs in Java programs – http://findbugs.sourceforge.net/
PMD – http://pmd.sourceforge.net/
CUTE: A Concolic Unit Testing Engine for C and Java – http://osl.cs.uiuc.edu/~ksen/cute/
EMMA – http://emma.sourceforge.net/
JLint – http://jlint.sourceforge.net/
Java PathFinder – http://javapathfinder.sourceforge.net/
Fujaba: Move between UML and Java source code – http://wwwcs.uni-paderborn.de/cs/fujaba/
Checkstyle – http://checkstyle.sourceforge.net/
Cookie Revolver Security Framework – http://sourceforge.net/projects/cookie-revolver
tinapoc – http://sourceforge.net/projects/tinapoc
jarsigner – http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
Solex – http://solex.sourceforge.net/
Java Explorer – http://metal.hurlant.com/jexplore/
HTTPClient – http://www.innovation.ch/java/HTTPClient/
another HttpClient – http://jakarta.apache.org/commons/httpclient/
a list of code coverage and analysis tools for Java – http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html

二十、Microsoft .NET静态分析和安全框架工具，主要用于ASP.NET和ASP.NET AJAX，还有C＃和VB.NET|Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET

Visual Studio 2008 Code Analysis, available in:
VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and
VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
Visual Studio 2005 Code Analyzer, available in:
Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
Web Development Helper – http://www.nikhilk.net/Project.WebDevHelper.aspx
FxCop:
(blog) http://blogs.msdn.com/fxcop/
(download) http://code.msdn.microsoft.com/codeanalysis
Microsoft internal tools you can’t have yet:
http://www.microsoft.com/windows/cse/pa_projects.mspx
http://research.microsoft.com/Pex/
http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf
二十一、威胁建模|Threat modeling

Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) – http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) – http://www.amenaza.com/software.php
Octotrike – http://www.octotrike.org/

二十二、适用于Firefox的附加组件，有助于一般的Web应用程序安全|Add-ons for Firefox that help with general web application security

二十三、适用于Firefox的附加组件，可帮助使用Javascript和Ajax Web应用程序安全|Add-ons for Firefox that help with Javascript and Ajax web application security

Selenium IDE – http://www.openqa.org/selenium-ide/
Firebug – http://www.joehewitt.com/software/firebug/
Venkman – http://www.mozilla.org/projects/venkman/
Chickenfoot – http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey – http://www.greasespot.net/
Greasemonkey compiler – http://www.letitblog.com/greasemonkey-compiler/
User script compiler – http://arantius.com/misc/greasemonkey/script-compiler
Extension Developer’s Extension (Firefox Add-on) – http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/3885/

二十四、有助于Web应用程序安全的书签|Bookmarklets that aid in web application security

RSnake’s security bookmarklets – http://ha.ckers.org/bookmarklets.html
BMlets – http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets – http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality – http://www.blummy.com/
Bookmarklets every blogger should have – http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) – http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) – http://www.chuonthis.com/extensions/

二十五、SSL证书检查/扫描|SSL certificate checking / scanning

[ZIP] THCSSLCheck – http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger – http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
Cert Viewer Plus (Firefox Add-on) – https://addons.mozilla.org/firefox/1964/

二十六、Honeyclients，Web应用程序和Web代理蜜罐|Honeyclients, Web Application, and Web Proxy honeypots

Honeyclient Project: an open-source honeyclient – http://www.honeyclient.org/trac/
HoneyC: the low-interaction honeyclient – http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient – http://capture-hpc.sourceforge.net/
Google Hack Honeypot – http://ghh.sourceforge.net/
PHP.Hop – PHP Honeynet Project – http://www.rstack.org/phphop/
SpyBye – http://www.monkey.org/~provos/spybye/
Honeytokens – http://www.securityfocus.com/infocus/1713

二十七、Blackhat SEO和也许一些白帽SEO|Blackhat SEO and maybe some whitehat SEO

SearchStatus (Firefox Add-on) – http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) – http://tools.seobook.com/firefox/seo-for-firefox.html
SEOQuake (Firefox Add-on) – http://www.seoquake.com/

二十八、Web应用程序安全性的脚印|Footprinting for web application security

Evolution – http://www.paterva.com/evolution-e.html
GooSweep – http://www.mcgrewsecurity.com/projects/goosweep/
Aura: Google API Utility Tools – http://www.sensepost.com/research/aura/
Edge-Security tools – http://www.edge-security.com/soft.php
Fierce Domain Scanner – http://ha.ckers.org/fierce/
Googlegath – http://www.nothink.org/perl/googlegath/
Advanced Dork (Firefox Add-on) – https://addons.mozilla.org/firefox/2144/
Passive Cache (Firefox Add-on) – https://addons.mozilla.org/firefox/977/
CacheOut! (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1453/
BugMeNot Extension (Firefox Add-on) – http://roachfiend.com/archives/2005/02/07/bugmenot/
TrashMail.net Extension (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1813/
DiggiDig (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2819/
Digger (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1467/

二十九、数据库安全评估|Database security assessment

Scuba by Imperva Database Vulnerability Scanner – http://www.imperva.com/scuba/

三十、浏览器防御|Browser Defenses

三十一、浏览器隐私|Browser Privacy

TrackMeNot (Firefox Add-on) – https://addons.mozilla.org/firefox/3173/
Privacy Bird – http://www.privacybird.com/

三十二、应用和协议静态分析（随机而不是目标）|Application and protocol fuzzing (random instead of targeted)

Sulley – http://fuzzing.org/
taof: The Art of Fuzzing – http://sourceforge.net/projects/taof/
zzuf: multipurpose fuzzer – http://sam.zoy.org/zzuf/
autodafé: an act of software torture – http://autodafe.sourceforge.net/
EFS and GPF: Evolutionary Fuzzing System – http://www.appliedsec.com/resources.html

本文章部分内容来自互联网，版权归原作者所有,如不慎侵害到您的相关权益，请留言告知，我们将尽快处理，谢谢！（Part of the information in our website is from the internet.If by any chance it violates your rights,we will delete it upon notification as soon as possible.Thank you for cooperation.）

2017Web安全工具传说中的神器汇总

推荐阅读更多精彩内容