Free & Open Source security testing tools:
2. SkipFish – A fully automated, active web application security reconnaissance tool by Google. Get Details here.
3. Nikto – an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version-specific problems on over 270 servers. Get Details here.
3. BFBTester is great for doing quick, proactive, security checks of binary programs. BFBTester will perform checks for single and multiple argument command line overflows and environment variable overflows. Get Details Here.
5. Netsparker – detects SQL injection and cross-site scripting issues. Get Details Here.
6. Babel Enterprise – Babel evaluates a company's level of compliance with any security policy, in order to help it achieve its goals, for instance whether LOPD or ISO/IEC 27001:2005 policies are being met. Get Details Here.
6. Paros – for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified. Get Details here.
7. Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but it will scan the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Download it here.
8. Burp Suite – an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Get Details Here.
9. Achilles – The first publicly released general-purpose web application security assessment tool. Achilles acts as an HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly. Download it here.
10. Webstretch – Primarily used for security-based penetration testing of web sites, it can also be used for debugging during development. Seen as part of a hacker toolkit. Download it here.
11. Spike – When you need to analyze a new network protocol for buffer overflows or similar weaknesses, SPIKE is the tool of choice for professionals. While it requires a strong knowledge of C to use, it produces results second to none in the field. SPIKE is available for the Linux platform only. Download it here.
13. Sqlninja – Fingerprints the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode), and much more. Download it here.
15. sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers. It comes with a broad range of features, ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. Download and get more details here.
16. Absinthe is a GUI-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection. Download and get more details here.
17. Exploit-Me is a suite of Firefox web application security testing tools designed to be lightweight and easy to use. Download and get more details here. It has three add-ons:
- XSS-Me: for testing reflected XSS vulnerabilities
- SQL Inject Me: for testing SQL injection vulnerabilities
- Access-Me: for testing access vulnerabilities.
18. Watcher is an open source web security testing tool and PCI compliance auditing utility. It is a runtime passive-analysis tool for HTTP-based web applications. Download and get more details here.
19. SWF Intruder – SWFIntruder allows testers to easily analyze Flash applications by using the methodology researched by Stefano Di Paola, CTO and Director of Minded Security Research Labs, and presented in Testing Flash Applications and in Finding Vulnerabilities in Flash Applications. Download and get more details here.
20. WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. Download and get more details here.