Reference: http://www.proactiverisk.com/tools/

DISCLAIMER

The following list of URL’s are a collection of resources broken down by category. The resources are listed numerically in no particular order except for tracking purposes

Breach Laws

  1. State Breach Laws

Hardening Guides

Windows:

  1. CIS Security Benchmarks for Windows
  2. NSA Security Configuration Guides for Windows
  3. Microsoft Baseline Security Analyzer
  4. Microsoft PC Security
  5. Secunia Personal Software Inspector

Mac OS:

  1. CIS Security Benchmarks for Mac OS X
  2. NSA Security Configuration Guides for Apple Mac
  3. Mac OS X Security Configuration Guides
  4. SecureMac

Mobile:

  1. CIS Security Benchmarks for Google Android
  2. CIS Security Benchmarks for Apple iOS
  3. iOS Security [PDF]
  4. iPad Security [PDF]
  5. Mobile Device Security (from University of Notre Dame OIT Help)

Linux:

  1. CIS Security Benchmarks for Linux
  2. NSA Security Configuration Guides for Linux
  3. Ubuntu Security Resource

Other Unix:

  1. CIS Security Benchmarks for Unix
  2. NSA Security Configuration Guides for Sun Solaris
  3. FreeBSD Security and Hardening Guide

Database Servers:

  1. CIS Security Benchmarks for Databases
  2. NSA Security Configuration Guides for Database Servers
  3. Database Hardening Guidelines

Web Servers:

  1. CIS Security Benchmarks for Web Servers
  2. Securing PHP

Event Log Monitoring

  1. Spotting the Adversary

Web Application Security Tools

SQL injection scanning

  1. SQL Injection cheat sheet – http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
  2. 0x90.org: home of Absinthe, Mezcal, etc – http://0x90.org/releases.php
  3. SQLiX – http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
  4. sqlninja: a SQL Server injection and takover tool – http://sqlninja.sourceforge.net/
  5. JustinClarke’s SQL Brute – http://www.justinclarke.com/archives/2006/03/sqlbrute.html
  6. sqlmap – http://sqlmap.sourceforge.net/
  7. Scully: SQL Server DB Front-End and Brute-Forcer – http://www.sensepost.com/research/scully/
  8. FG-Injector – http://www.flowgate.net/?lang=en&seccion=herramientas
  9. PRIAMOS – http://www.priamos-project.com/

Web application security malware, backdoors, and evil code

  1. W3AF: Web Application Attack and Audit Framework – http://w3af.sourceforge.net/
  2. BeEF – http://www.bindshell.net/tools/beef/
  3. Jikto – http://busin3ss.name/jikto-in-the-wild/
  4. XSS-Proxy – http://xss-proxy.sourceforge.net
  5. AttackAPI – http://www.gnucitizen.org/projects/attackapi/
  6. FFsniFF – http://azurit.elbiahosting.sk/ffsniff/
  7. Firefox Extension Scanner (FEX) – http://www.gnucitizen.org/projects/fex/
  8. What is my IP address? – http://reglos.de/myaddress/
  9. xRumer: blogspam automation tool – http://www.botmaster.net/movies/XFull.htm
  10. SpyJax – http://www.merchantos.com/makebeta/tools/spyjax/
  11. Greasecarnaval – http://www.gnucitizen.org/projects/greasecarnaval
  12. Technika – http://www.gnucitizen.org/projects/technika/
  13. Load-AttackAPI bookmarklet – http://www.gnucitizen.org/projects/load-attackapi-bookmarklet
  14. MD’s Projects: JS port scanner, pinger, backdoors, etc – http://michaeldaw.org/my-projects Payload – http://code.google.com/p/xcampo

HTTP proxying / editing

  1. OWASP ZAP Proxy – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  2. WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
  3. Burp – http://www.portswigger.net/
  4. Paros – http://www.parosproxy.org/
  5. Fiddler – http://www.fiddlertool.com/
  6. Pantera – http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
  7. Suru – http://www.sensepost.com/research/suru/
  8. Charles – http://www.xk72.com/charles/
  9. Odysseus – http://www.bindshell.net/tools/odysseus
  10. Burp, Paros, and WebScarab for Mac OS X – http://www.corsaire.com/downloads/
  11. JS Commander – http://jscmd.rubyforge.org/
  12. Ratproxy – http://code.google.com/p/ratproxy/

XSS cheat sheet based-tools, webapp fuzzing, and encoding tools

  1. Freaking Simple Fuzzer – http://code.google.com/p/fm-fsf/
  2. Wfuzz – http://www.edge-security.com/wfuzz.php
  3. ProxMon – http://www.isecpartners.com/proxmon.html
  4. Wapiti – http://wapiti.sourceforge.net/
  5. Grabber – http://rgaucher.info/beta/grabber/
  6. CAL9000 – http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
  7. JBroFuzz – http://sourceforge.net/projects/jbrofuzz
  8. XSSFuzz – http://ha.ckers.org/blog/20060921/xssfuzz-released/
  9. [TGZ] MielieTool – http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
  10. RegFuzzer: test your regular expression filter – http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter
  11. screamingCobra – http://www.dachb0den.com/projects/screamingcobra.html
  12. SPIKE and SPIKE Proxy – http://immunitysec.com/resources-freesoftware.shtml
  13. RFuzz – http://rfuzz.rubyforge.org/
  14. WebFuzz – http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999
  15. ASP Auditor – http://michaeldaw.org/projects/asp-auditor-v2/
  16. WSTool – http://wstool.sourceforge.net/
  17. Web Text Converter – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
  18. HackBar (Firefox Add-on) – https://addons.mozilla.org/firefox/3899/
  19. Net-Force Tools (NF-Tools, Firefox Add-on) – http://www.net-force.nl/library/downloads/
  20. PostIntercepter (Greasemonkey script) – http://userscripts.org/scripts/show/743

HTTP general testing / fingerprinting

  1. Wbox: HTTP testing tool – http://hping.org/wbox/
  2. ht://Check – http://htcheck.sourceforge.net/
  3. WebInject – http://www.webinject.org/
  4. Torture.pl Home Page – http://stein.cshl.org/~lstein/torture/
  5. JoeDog’s Seige – http://www.joedog.org/JoeDog/Siege/
  6. OPEN-LABS: metoscan (http method testing) – http://www.open-labs.org/
  7. Load-balancing detector – http://ge.mine.nu/lbd.html
  8. HMAP – http://ujeni.murkyroc.com/hmap/
  9. Net-Square: httprint – http://net-square.com/httprint/
  10. Wpoison: http stress testing – http://wpoison.sourceforge.net/
  11. Net-square: MSNPawn – http://net-square.com/msnpawn/index.shtml
  12. hcraft: HTTP Vuln Request Crafter – http://druid.caughq.org/projects/hcraft/
  13. rfp.labs: LibWhisker – http://www.wiretrip.net/rfp/lw.asp
  14. Nikto – http://www.cirt.net/code/nikto.shtml
  15. Websecurify – http://www.websecurify.com
  16. twill – http://twill.idyll.org/
  17. DirBuster – http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
  18. [ZIP] DFF Scanner – http://security-net.biz/files/dff/DFF.zip
  19. HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled – http://sf.net/projects/hackfox
  20. Browser-based HTTP tampering / editing / replaying
  21. TamperIE – http://www.bayden.com/Other/
  22. isr-form – http://www.infobyte.com.ar/developments.html
  23. Modify Headers (Firefox Add-on) – http://modifyheaders.mozdev.org/
  24. Tamper Data (Firefox Add-on) – http://tamperdata.mozdev.org/
  25. UrlParams (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1290/
  26. TestGen4Web (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1385/
  27. DOM Inspector / Inspect This (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/
  28. LiveHTTPHeaders / Header Monitor (Firefox Add-on) – http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/


Cookie editing / poisoning

  1. [TGZ] stompy: session id tool – http://lcamtuf.coredump.cx/stompy.tgz
  2. Add’N Edit Cookies (AnEC, Firefox Add-on) – http://addneditcookies.mozdev.org/
  3. CookieCuller (Firefox Add-on) – http://cookieculler.mozdev.org/
  4. CookiePie (Firefox Add-on) – http://www.nektra.com/oss/firefox/extensions/cookiepie/
  5. CookieSpy – http://www.codeproject.com/shell/cookiespy.asp
  6. Cookies Explorer – http://www.dutchduck.com/Features/Cookies.aspx

Ajax and XHR scanning

  1. Sahi – http://sahi.co.in/
  2. scRUBYt – http://scrubyt.org/
  3. jQuery – http://jquery.com/
  4. Sprajax – http://www.denimgroup.com/sprajax.html
  5. Watir – http://wtr.rubyforge.org/
  6. Watij – http://watij.com/
  7. Watin – http://watin.sourceforge.net/
  8. RBNarcissus – http://idontsmoke.co.uk/2005/rbnarcissus/
  9. SpiderTest (Spider Fuzz plugin) – http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
  10. Javascript Inline Debugger (jasildbg) – http://www.elhacker.net/jasildbg/
  11. Firebug Lite – http://www.getfirebug.com/lite.html
  12. firewaitr – http://code.google.com/p/firewatir/

RSS extensions and caching

  1. LiveLines (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/324/
  2. rss-cache – http://www.dubfire.net/chris/projects/rss-cache/
  3. Web application services that aid in web application security assessment
  4. Netcraft – http://www.netcraft.net
  5. AboutURL – http://www.abouturl.com/
  6. The Scrutinizer – http://www.scrutinizethis.com/
  7. net.toolkit – http://clez.net/
  8. ServerSniff – http://www.serversniff.net/
  9. Online Microsoft script decoder – http://www.greymagic.com/security/tools/decoder/
  10. Webmaster-Toolkit – http://www.webmaster-toolkit.com/
  11. myIPNeighbbors, et al – http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
  12. data: URL testcases – http://h4k.in/dataurl
  13. LinkChecker – http://validator.w3.org/checklink

Browser-based security fuzzing / checking

  1. Zalewski’s MangleMe – http://lcamtuf.coredump.cx/mangleme/mangle.cgi
  2. hdm’s tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan – http://metasploit.com/users/hdm/tools/
  3. Peach Fuzzer Framework – http://peachfuzz.sourceforge.net/
  4. TagBruteForcer – http://research.eeye.com/html/tools/RT20060801-3.html
  5. PROTOS Test-Suite: c05-http-reply – http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
  6. COMRaider – http://labs.idefense.com
  7. bcheck – http://bcheck.scanit.be/bcheck/
  8. Stop-Phishing: Projects page – http://www.indiana.edu/~phishing/?projects
  9. LinkScanner – http://linkscanner.explabs.com/linkscanner/default.asp
  10. BrowserCheck – http://www.heise-security.co.uk/services/browsercheck/
  11. Cross-browser Exploit Tests – http://www.jungsonnstudios.com/cool.php
  12. Stealing information using DNS pinning demo – http://www.jumperz.net/index.php?i=2&a=1&b=7
  13. Javascript Website Login Checker – http://ha.ckers.org/weird/javascript-website-login-checker.html
  14. Mozilla Activex – http://www.iol.ie/~locka/mozilla/mozilla.htm
  15. Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) – http://ha.ckers.org/mr-t/
  16. Vulnerable Adobe Plugin Detection For UXSS PoC – http://www.0x000000.com/?i=324
  17. About Flash: is your flash up-to-date? – http://www.macromedia.com/software/flash/about/
  18. Test your installation of Java software – http://java.com/en/download/installed.jsp?detect=jre&try=1
  19. WebPageFingerprint – Light-weight Greasemonkey Fuzzer – http://userscripts.org/scripts/show/30285
  20. PHP static analysis and file inclusion scanning
  21. PHP-SAT.org: Static analysis for PHP – http://www.program-transformation.org/PHP/
  22. Unl0ck Research Team: tool for searching in google for include bugs – http://unl0ck.net/tools.php
  23. FIS: File Inclusion Scanner – http://www.segfault.gr/index.php?cat_id=3&cont_id=25
  24. PHPSecAudit – http://developer.spikesource.com/projects/phpsecaudit

PHP Defensive Tools

  1. PHPInfoSec – Check phpinfo configuration for security – http://phpsec.org/projects/phpsecinfo/
  2. A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey
  3. Php-Brute-Force-Attack Detector – Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip
  4. PHPMySpamFIGHTER – http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar
  5. Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
  6. APIDS on Wikipedia – http://en.wikipedia.org/wiki/APIDS
  7. PHP Intrusion Detection System (PHP-IDS) – http://php-ids.org/ http://code.google.com/p/phpids/
  8. dotnetids – http://code.google.com/p/dotnetids/
  9. Secure Science InterScout – http://www.securescience.com/home/newsandevents/news/interscout1.0.html
  10. Remo: whitelist rule editor for mod_security – http://remo.netnea.com/
  11. Mod_Anti_Tamper – http://www.wisec.it/projects.php?id=3
  12. [TGZ] Automatic Rules Generation for Mod_Security – http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
  13. AQTRONIX WebKnight – http://www.aqtronix.com/?PageID=99
  14. Akismet: blog spam defense – http://akismet.com/
  15. Samoa: Formal tools for securing web services – http://research.microsoft.com/projects/samoa/

Web services enumeration / scanning / fuzzing

  1. WebServiceStudio2.0 – http://www.codeplex.com/WebserviceStudio
  2. Net-square: wsChess – http://net-square.com/wschess/index.shtml
  3. WSFuzzer – http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
  4. iSecPartners: WSMap, WSBang, etc – http://www.isecpartners.com/tools.html

Web application non-specific static source-code analysis

  1. Pixy: a static analysis tool for detecting XSS vulnerabilities – http://www.seclab.tuwien.ac.at/projects/pixy/
  2. Brixoft.Net: Source Edit – http://www.brixoft.net/prodinfo.asp?id=1
  3. Security compass web application auditing tools (SWAAT) – http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
  4. An even more complete list here – http://www.cs.cmu.edu/~aldrich/courses/654/tools/
  5. A nice list that claims some demos available – http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
  6. A smaller, but also good list – http://spinroot.com/static/
  7. Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/

Static analysis for C/C++ (CGI, ISAPI, etc) in web applications

  1. RATS – http://www.securesoftware.com/resources/download_rats.html
  2. ITS4 – http://www.cigital.com/its4/
  3. FlawFinder – http://www.dwheeler.com/flawfinder/
  4. Splint – http://www.splint.org/
  5. Uno – http://spinroot.com/uno/
  6. BOON (Buffer Overrun detectiON) – http://www.cs.berkeley.edu/~daw/boon/
  7. Valgrind – http://www.valgrind.org/

Java static analysis, security frameworks, and web application security tools

  1. LAPSE – http://suif.stanford.edu/~livshits/work/lapse/
  2. HDIV Struts – http://hdiv.org/
  3. Orizon – http://sourceforge.net/projects/orizon/
  4. FindBugs: Find bugs in Java programs – http://findbugs.sourceforge.net/
  5. PMD – http://pmd.sourceforge.net/
  6. CUTE: A Concolic Unit Testing Engine for C and Java – http://osl.cs.uiuc.edu/~ksen/cute/
  7. EMMA – http://emma.sourceforge.net/
  8. JLint – http://jlint.sourceforge.net/
  9. Java PathFinder – http://javapathfinder.sourceforge.net/
  10. Fujaba: Move between UML and Java source code – http://wwwcs.uni-paderborn.de/cs/fujaba/
  11. Checkstyle – http://checkstyle.sourceforge.net/
  12. Cookie Revolver Security Framework – http://sourceforge.net/projects/cookie-revolver
  13. tinapoc – http://sourceforge.net/projects/tinapoc
  14. jarsigner – http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
  15. Solex – http://solex.sourceforge.net/
  16. Java Explorer – http://metal.hurlant.com/jexplore/
  17. HTTPClient – http://www.innovation.ch/java/HTTPClient/
  18. another HttpClient – http://jakarta.apache.org/commons/httpclient/
  19. a list of code coverage and analysis tools for Java – http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html
  20. Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
  21. Visual Studio 2008 Code Analysis, available in:
  22. VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and
  23. VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
  24. Visual Studio 2005 Code Analyzer, available in:
  25. Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
  26. Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)

Threat modeling

  1. Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) – http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
  2. Amenaza: Attack Tree Modeling (SecurITree) – http://www.amenaza.com/software.php
  3. Octotrike – http://www.octotrike.org/

Add-ons for Firefox that help with general web application security

  1. Web Developer Toolbar – https://addons.mozilla.org/firefox/60/
  2. Plain Old Webserver (POW) – https://addons.mozilla.org/firefox/3002/
  3. XML Developer Toolbar – https://addons.mozilla.org/firefox/2897/
  4. Public Fox – https://addons.mozilla.org/firefox/3911/
  5. XForms Buddy – http://beaufour.dk/index.php?sec=misc&pagename=xforms
  6. MR Tech Local Install – http://www.mrtech.com/extensions/local_install/
  7. IE Tab – https://addons.mozilla.org/firefox/1419/
  8. User-Agent Switcher – https://addons.mozilla.org/firefox/59/
  9. ServerSwitcher – https://addons.mozilla.org/firefox/2409/
  10. HeaderMonitor – https://addons.mozilla.org/firefox/575/
  11. RefControl – https://addons.mozilla.org/firefox/953/
  12. refspoof – https://addons.mozilla.org/firefox/667/
  13. No-Referrer – https://addons.mozilla.org/firefox/1999/
  14. LocationBar^2 – https://addons.mozilla.org/firefox/4014/
  15. SpiderZilla – http://spiderzilla.mozdev.org/
  16. Slogger – https://addons.mozilla.org/en-US/firefox/addon/143
  17. Fire Encrypter – https://addons.mozilla.org/firefox/3208/

Add-ons for Firefox that help with Javascript and Ajax web application security

  1. Selenium IDE – http://www.openqa.org/selenium-ide/
  2. Firebug – http://www.joehewitt.com/software/firebug/
  3. Venkman – http://www.mozilla.org/projects/venkman/
  4. Chickenfoot – http://groups.csail.mit.edu/uid/chickenfoot/
  5. Greasemonkey – http://www.greasespot.net/
  6. User script compiler – http://arantius.com/misc/greasemonkey/script-compiler
  7. Extension Developer’s Extension (Firefox Add-on) – http://ted.mielczarek.org/code/mozilla/extensiondev/
  8. Smart Middle Click (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/3885/

SSL certificate checking / scanning

  1. SSL Labs – https://www.ssllabs.com/ssldb/
  2. [ZIP] Foundstone SSLDigger – http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
  3. Cert Viewer Plus (Firefox Add-on) – https://addons.mozilla.org/firefox/1964/

Honeyclients, Web Application, and Web Proxy honeypots

  1. Honeyclient Project: an open-source honeyclient – http://www.honeyclient.org/trac/
  2. HoneyC: the low-interaction honeyclient – http://honeyc.sourceforge.net/
  3. Capture: a high-interaction honeyclient – http://capture-hpc.sourceforge.net/
  4. Google Hack Honeypot – http://ghh.sourceforge.net/
  5. PHP.Hop – PHP Honeynet Project – http://www.rstack.org/phphop/
  6. SpyBye – http://www.monkey.org/~provos/spybye/
  7. Honeytokens – http://www.securityfocus.com/infocus/1713

Blackhat SEO and maybe some whitehat SEO

  1. SearchStatus (Firefox Add-on) – http://www.quirk.biz/searchstatus/
  2. SEO for Firefox (Firefox Add-on) – http://tools.seobook.com/firefox/seo-for-firefox.html
  3. SEOQuake (Firefox Add-on) – http://www.seoquake.com/
  4. Analytics seo – http://www.analyticsseo.com/

Footprinting for web application security

  1. Evolution – http://www.paterva.com/evolution-e.html
  2. GooSweep – http://www.mcgrewsecurity.com/projects/goosweep/
  3. Edge-Security tools – http://www.edge-security.com/soft.php
  4. Fierce Domain Scanner – http://ha.ckers.org/fierce/
  5. Googlegath – http://www.nothink.org/perl/googlegath/
  6. Advanced Dork (Firefox Add-on) – https://addons.mozilla.org/firefox/2144/
  7. Passive Cache (Firefox Add-on) – https://addons.mozilla.org/firefox/977/
  8. CacheOut! (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1453/
  9. BugMeNot Extension (Firefox Add-on) – http://roachfiend.com/archives/2005/02/07/bugmenot/
  10. TrashMail.net Extension (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1813/
  11. DiggiDig (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2819/
  12. Digger (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1467/
  13. Remote Port Scanner – http://www.t1shopper.com/tools/port-scan/#

Database security assessment

  1. Scuba by Imperva Database Vulnerability Scanner – http://www.imperva.com/scuba/
  2. https://www.imperva.com/lg/lgw_trial.asp?pid=213 <— Scuba Free Download

Browser Defenses

  1. DieHard – http://www.diehard-software.org/
  2. LocalRodeo (Firefox Add-on) – http://databasement.net/labs/localrodeo/
  3. NoMoXSS – http://www.seclab.tuwien.ac.at/projects/jstaint/
  4. Request Rodeo – http://savannah.nongnu.org/projects/requestrodeo
  5. FlashBlock (Firefox Add-on) – http://flashblock.mozdev.org/
  6. CookieSafe (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2497
  7. NoScript (Firefox Add-on) – http://www.noscript.net/
  8. FormFox (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1579/
  9. Adblock (Firefox Add-on) – http://adblock.mozdev.org/
  10. httpOnly in Firefox (Firefox Add-on) – http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
  11. SafeCache (Firefox Add-on) – http://www.safecache.com/
  12. SafeHistory (Firefox Add-on) – http://www.safehistory.com/
  13. PrefBar (Firefox Add-on) – http://prefbar.mozdev.org/
  14. All-in-One Sidebar (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1027/
  15. QArchive.org web file checker (Firefox Add-on) – https://addons.mozilla.org/firefox/4115/
  16. Update Notified (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2098/
  17. FireKeeper – http://firekeeper.mozdev.org/
  18. Greasemonkey: XSS Malware Script Detector – http://yehg.net/lab/#tools.greasemonkey

Browser Privacy

Application and protocol fuzzing (random instead of targeted)

  1. Sulley – http://fuzzing.org/
  2. taof: The Art of Fuzzing – http://sourceforge.net/projects/taof/
  3. zzuf: multipurpose fuzzer – http://sam.zoy.org/zzuf/
  4. autodafé: an act of software torture – http://autodafe.sourceforge.net/

LiveCDs

  1. OWASP LiveCD – http://www.appseclive.org / http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
  2. BackTrack – http://www.backtrack-linux.org DVL (Damn Vulnerable Linux) – http://www.damnvulnerablelinux.org

Test sites / testing grounds

  1. SPI Dynamics (live) – http://zero.webappsecurity.com/
  2. Cenzic (live) – http://crackme.cenzic.com/
  3. Watchfire (live) – http://demo.testfire.net/
  4. Acunetix (live) – http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
  5. WebMaven / Buggy Bank – http://www.mavensecurity.com/webmaven
  6. Foundstone SASS tools – http://www.foundstone.com/us/resources-free-tools.asp
  7. Updated HackmeBank – http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
  8. OWASP WebGoat – http://www.owasp.org/index.php/OWASP_WebGoat_Project
  9. OWASP SiteGenerator – http://www.owasp.org/index.php/Owasp_SiteGenerator
  10. Stanford SecuriBench – http://suif.stanford.edu/~livshits/securibench/
  11. SecuriBench Micro – http://suif.stanford.edu/~livshits/work/securibench-micro/
  12. Google’s web application training – http://jarlsberg.appspot.com/part1/ 

Guides / Videos

  1. OWASP Testing Guide – http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
  1. Security Tube – http://securitytube.net
  2. OWASP Events Recorded – http://www.owasp.org/index.php/Category:OWASP_Video
  3. Cyber Protect – http://iase.disa.mil/eta/cyber-protect/launchcontent.html 

Other Resources to investigate

  1. Packet Storm Security (http://www.packetstormsecurity.com)
  2. milw0rm (http://www.milw0rm.com)
  3. Hack Zone (http://www.hackzone.ru)
  4. Secunia (http://www.secunia.com)
  5. Security Reason (http://www.securityreason.com)
  6. MITRE Common Vulnerabilities and Exposures (CVE) (http://cve.mitre.org)
  7. Open Source Vulnerability Database (OSVDB) (http://www.osvdb.org)
  8. China Information Technology Security Evalutaion Center (http://www.itsec.gov.cn)
  9. F-Secure (http://www.f-secure.com)
  10. Security Lab (http://www.securitylab.ru)
  11. Vitter Security Team (http://www.vfocus.net)
  12. Brunei Computer Emergency Response Team (BruCERT) (http://www.brucert.org.bn)
  13. VUPEN Security (http://www.vupen.com)
  14. Juniper Networks (http://www.juniper.net)
  15. Security Tracker (http://securitytracker.com)
  16. SEBUG Security Vulnerability Information Database (http://www.sebug.net)
  17. Beyond Security (http://www.beyondsecurity.com)
  18. SecuriTeam (http://www.securiteam.com)
  19. eEye Digital Security (http://www.eeye.com)
  20. VirusBlokAda (http://www.anti-virus.by)
  21. Bug Search (http://www.bugsearch.net)
  22. Apple Product Security Team (http://www.apple.com)
  23. Red Oracle (http://www.redoracle.com)
  24. Help Net Security (http://www.net-security.org)
  25. Venus (http://www.venustech.com.cn)
  26. Offensive Security Exploit Database (http://www.exploit-db.com)
  27. Brno University Security Laboratory (BUSLab) (http://www.buslab.org)
  28. GSO Management Government Security (http://www.governmentsecurity.org)
  29. ASTALAVISTA Group (http://www.astalavista.com)
  30. Shell Storm (http://www.shell-storm.org)
  31. Has your account already been compromised check this FREE service https://haveibeenpwned.com/
  32. Looking for those hard to find physical “hacker tools” for Santa Claus check out http://hackerwarehouse.com/ 

Standards

  1. FFIEC http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm
  2. NIST Framework for Improving Critical Infrastructure Cybersecurity – whitepaper
  3. OWASP Testing Guide http://www.owasp.org/index.php/Testing_Checklist
  4. Food and Drug Administrator http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf 

Metrics 

  1. Bunch of xss zero-day’s – http://xssed.com
  2. Web Hacking Incident Database – https://wasc-whid.dabbledb.com/publish/wasc-whid
  3. Latest Breaches – http://www.datalossdb.org (reported)
  4. Security Database – http://www.security-database.com/dashboard.php

Quick Checks 

  1. Check your headers for security concerns https://cyh.herokuapp.com/cyh & https://securityheaders.com/ 

Social Media

  1. Remove yourself from OSINT this was a great article http://www.computerworld.com/article/2849263/doxxing-defense-remove-your-personal-info-from-data-brokers.html 

 

Leave a Reply

Your email address will not be published.