Anything related to websites

Paros proxy

A web application vulnerability assessment proxy java based web proxy for assessing web application vulnerability.


N-Stalker Web Application Security Scanner 2009 is a sophisticated Web Security Assessment solution developed by N-Stalker. By incorporating the well-known "N-Stealth HTTP Security Scanner" and its 39,000 Web Attack Signature database along with a patent-pending Component-oriented Web Application Security Assessment technology, N-Stalker is a "must have" security tool to developers, system/security administrators, IT auditors and staff.

If you are concerned about SQL injection and Cross-site scripting attacks, N-Stalker will sweep your Web Application for a large number of vulnerabilities, including well-known standards such as "OWASP Top 10" and "PCI Data Security", and also custom security inspections to ensure your application's Secure Development Life Cycle (SDLC).


Libwhisker is a Perl module geared specificly for HTTP testing.
Libwhisker has a few design principles:

- Portable: runs with 0 changes on Unix, Windows, etc (100% Perl)
- Flexible: designed with a 'no rules' approach
- Contained: designed to not require external modules when possible
- Localized: does not require installation to use


Have you ever wanted to host your own WEB server?, Mail server? FTP server?
XAMPP does all of this!

Many people know from their own experience that it's not easy to install an Apache web server and it gets harder if you want to add MySQL, PHP and Perl.

XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use.

The distribution for Windows 2000, 2003, XP and Vista. This version contains: Apache, MySQL, PHP + PEAR, Perl, mod_php, mod_perl, mod_ssl, OpenSSL, phpMyAdmin, Webalizer, Mercury Mail Transport System for Win32 and NetWare Systems v3.32, Ming, JpGraph, FileZilla FTP Server, mcrypt, eAccelerator, SQLite, and WEB-DAV + mod_auth_mysql.

Other ports include:
Mac OS X

Mini MySqlat0r

Mini Mysqlat0r provides a graphical user interface for enumerating MySQL databases through SQL injection.

Mini Mysqlat0r is basically composed of 3 parts: Crawler, Injection Finder, Exploiter.

Acunetix Web Vulnerability Scanner (WVS)

Acunetix Web Vulnerability Scanner (WVS) is designed to audit web site security.

There is a free *nix based version as well as a Windows based version which ranges in price from a free trial to thousands of dollars.

// WVS contains a suite of tools designed to assist penetration testers in auditing web sites and also has the ability to output an easy to read summary for clients. What really sets this particular scanner apart from others is their proprietary AcuSensor Technology. By installing the AcuSensor Technology on the target system prior to scanning, one is able to decrease the number of false positives, identify more vulnerabilities, and accurately determine the vulnerable code. This works with closed source applications as well as open source. WVS will definitely work without AcuSensor, but, it is incredibly more accurate when this module is properly deployed on the target system.

// Composition of Acunetix Web Vulnerability Scanner:
Site Crawler - used to map a web site by following links and gathering information in a similar fashion to search engine web crawlers.
Target Finder - used to identify http/https servers from a given IP range.
Domain Scanner - used to enumerate additional sub-domains for use as potential targets.
Blind SQL Injector - automates the process of extracting database information through SQL injection.
HTTP Editor - for constructing custom HTTP/HTTPS requests in order to analyze responses.
HTTP Sniffer - HTTP proxy that allows logging, intercepting, and modifying HTTP/HTTPS traffic on the fly.
HTTP Fuzzer - allows fuzzing of request parameters or headers. Useful for determining buffer overflows or input validation errors.


Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, downstream proxies, logging, alerting and extensibility.
Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.


HP WebInspect performs web application security testing and assessment for today's complex web applications, built on emerging Web 2.0 technologies. HP WebInspect delivers fast scanning capabilities, broad security assessment coverage and accurate web application security scanning results.

HP WebInspect identifies security vulnerabilities that are undetectable by traditional scanners. With innovative assessment technology, such as simultaneous crawl and audit (SCA) and concurrent application scanning, you get fast and accurate automated web application security testing and web services security testing.

YAPH - Yet Another Proxy Hunter

YAPH is a proxy hunter for the Unix platform. It allows to find public access proxy servers on the Internet and to validate proxy lists. YAPH reveals SOCK4, SOCKS5, and HTTP (CONNECT method) proxies. HTTP proxies are tested for CONNECT method only, since only this method provides ability to tunnel TCP through HTTP proxy. YAPH utilizes the power of Nmap, a network mapper written by Fyodor. Nmap provides to YAPH the capability to find new undiscovered public proxy servers on the Internet.


Sqlmap is awesome, that's all you need to know.

It will basically check a website and try or allow you to inject sql query's into the sites backend database.
If successful you could use it to dump all information in said name database that you are looking at.
This can include but is not limited to: usernames, passwords, email addresses, customer information, etc.. etc...
Sqlmap is also able to be used or integrated with a variety of other applications and attacks such as using it in combination with metasploit and possibly even nikto or nmap would yield great results. =]

FYI... this really great when they happen to be running an ldap server and the usernames are not just for logging into a web application or the database to alter files but are actually for the system itself!

Syndicate content