Security Testing Tutorial
Security Testing - Automation Tools
There are various tools available to perform security testing of an application. A few tools can perform end-to-end security testing, while others are dedicated to spotting a particular type of flaw in the system.
Open Source Tools
Some open source security testing tools are given below −
| S.No. | Tool Name | Description | Link |
| --- | --- | --- | --- |
| 1 | Zed Attack Proxy | Provides automated scanners and other tools for spotting security flaws. | https://www.zaproxy.org/ |
| 2 | OWASP WebScarab | Developed in Java for analysing HTTP and HTTPS requests. | https://www.owasp.org/index.php |
| 3 | OWASP Mantra | Supports a multi-lingual security testing framework. | https://www.owasp.org/index.php/OWASP_Mantra-_Security_Framework |
| 4 | Burp Proxy | Tool for intercepting and modifying traffic; works with custom SSL certificates. | https://www.portswigger.net/Burp/ |
| 5 | Firefox Tamper Data | Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters. | |
| 6 | Firefox Web Developer Tools | The Web Developer extension adds various web developer tools to the browser. | https://addons.mozilla.org/en-US/firefox |
| 7 | Cookie Editor | Lets users add, delete, edit, search, protect and block cookies. | https://chrome.google.com/webstore |
Specific Tool Sets
The following tools can help us spot a particular type of vulnerability in the system −
| S.No. | Tool | Vulnerability Type | Link |
| --- | --- | --- | --- |
| 1 | OWASP SQLiX | SQL Injection | https://www.owasp.org/index.php |
| 2 | Sqlninja | SQL Injection | http://sqlninja.sourceforge.net/ |
| 3 | SQLInjector | SQL Injection | https://sourceforge.net/projects/safe3si/ |
| 4 | sqlpowerinjector | SQL Injection | http://www.sqlpowerinjector.com/ |
| 5 | SSL Digger | Testing SSL | https://www.mcafee.com/us/downloads/free-tools |
| 6 | THC-Hydra | Brute Force Password | https://www.kali.org/tools/hydra/ |
| 7 | Brutus | Brute Force Password | https://www.hackercoolmagazine.com/brutus-password-cracker-complete-guide/ |
| 8 | Ncat | Brute Force Password | https://nmap.org/ncat/ |
| 9 | OllyDbg | Testing Buffer Overflow | http://www.ollydbg.de/ |
| 10 | Metasploit | Testing Buffer Overflow | https://www.metasploit.com/ |
Commercial Black Box Testing Tools
Here are some of the commercial black box testing tools that help us spot security issues in the applications that we develop.
| S.No | Tool | Link |
| --- | --- | --- |
| 1 | NGSSQuirreL | |
| 2 | IBM AppScan | https://www-01.ibm.com/software/awdtools/appscan/ |
| 3 | Acunetix Web Vulnerability Scanner | https://www.acunetix.com/ |
| 4 | NTOSpider | https://www.ntobjectives.com/products/ntospider.php |
| 5 | SOAP UI | https://www.soapui.org/Security/getting-started.html |
| 6 | Netsparker | https://www.mavitunasecurity.com/netsparker/ |
| 7 | HP WebInspect | http://www.hpenterprisesecurity.com/products |
Free Source Code Analyzers
| S.No | Tool | Link |
| --- | --- | --- |
| 1 | OWASP Orizon | https://www.owasp.org/index.php |
| 2 | SearchDiggity | https://www.bishopfox.com/resources/tools |
| 3 | | |
| 4 | Splint | http://splint.org/ |
| 5 | | |
| 6 | | |
| 7 | FlawFinder | https://www.dwheeler.com/flawfinder/ |
| 8 | FindBugs | http://findbugs.sourceforge.net/ |
Commercial Source Code Analyzers
These analyzers examine, detect, and report weaknesses in the source code that are prone to becoming vulnerabilities −
| S.No | Tool | Link |
| --- | --- | --- |
| 1 | Parasoft C/C++test | https://www.parasoft.com/cpptest/ |
| 2 | HP Fortify | http://www.hpenterprisesecurity.com/products |
| 3 | | |
| 4 | Veracode | https://www.veracode.com |
| 5 | Armorize CodeSecure | http://www.armorize.com/codesecure/ |
| 6 | GrammaTech | https://www.grammatech.com/ |