Many, very many.
Test sites / testing grounds
HTTP proxying / editing
Tools built on RSnake’s XSS cheat sheet, web application fuzzing, and encoding tools
HTTP general testing / fingerprinting
Browser-based HTTP tampering / editing / replaying
Cookie editing / poisoning
Ajax and XHR scanning
RSS extensions and caching
SQL injection scanning
Web application security malware, backdoors, and evil code
Web application services that aid in web application security assessment
Browser-based security fuzzing / checking
PHP static analysis and file inclusion scanning
PHP Defensive Tools
PhpSecInfo – audits the running PHP configuration (the same settings phpinfo() reports, such as register_globals, allow_url_fopen and display_errors) and flags insecure values – http://phpsec.org/projects/phpsecinfo/
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey
Php-Brute-Force-Attack Detector – Detects when your web server is being scanned by brute-force tools such as WFuzz and OWASP DirBuster, or by vulnerability scanners such as Nessus, Nikto, Acunetix, etc. http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip
PHP-Login-Info-Checker – Forces admins and users to choose stronger passwords by testing each candidate password against four rules. It also has a built-in smoke-test page at loginfo_checker.php?testlic
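The scanner detection idea behind Php-Brute-Force-Attack-Detector (a forced-browsing tool leaves a burst of 404s from one client, and most scanners announce themselves in the User-Agent) is easy to reproduce against an access log. The following is an added example written for this page in Python, not the detector’s own code: the log lines are constructed, the scanner User-Agent list, the 60-second window and the threshold of five misses are assumptions, and the log is assumed to be in chronological order, as a real access log is.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log lines; not real traffic.
# 198.51.100.23: Nikto (announces itself, and bursts 404s)
# 192.0.2.55:    forced browsing behind a browser-like User-Agent
# 203.0.113.7:   ordinary visitor with one missing favicon
# 203.0.113.9:   stale links, one 404 every two minutes (below the window)
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:50:00 +0000] "GET /old/page1.html HTTP/1.1" 404 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Oct/2023:13:52:00 +0000] "GET /old/page2.html HTTP/1.1" 404 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Oct/2023:13:54:00 +0000] "GET /old/page3.html HTTP/1.1" 404 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /favicon.ico HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /backup/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Oct/2023:13:55:42 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Oct/2023:13:55:43 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Oct/2023:13:55:44 +0000] "GET /.git/config HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Oct/2023:13:55:45 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /about.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.9 - - [10/Oct/2023:13:56:00 +0000] "GET /old/page4.html HTTP/1.1" 404 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.55 - - [10/Oct/2023:13:56:00 +0000] "GET /admin HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.55 - - [10/Oct/2023:13:56:05 +0000] "GET /administrator HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.55 - - [10/Oct/2023:13:56:10 +0000] "GET /login HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.55 - - [10/Oct/2023:13:56:15 +0000] "GET /config HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.55 - - [10/Oct/2023:13:56:20 +0000] "GET /backup HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.9 - - [10/Oct/2023:13:58:00 +0000] "GET /old/page5.html HTTP/1.1" 404 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed signature list; real detectors ship a much longer one.
SCANNER_UA = re.compile(r"nikto|dirbuster|nessus|wfuzz|acunetix", re.I)
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed number of 404s inside the window


def detect_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: sorted list of tags} for clients that look like scanners.

    Two independent signals: a known scanner User-Agent, and >= threshold
    404 responses inside a sliding time window (forced browsing with a
    spoofed User-Agent still trips the second one).
    """
    misses = defaultdict(list)   # ip -> timestamps of recent 404s, oldest first
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not in combined format
        ip, ua = m["ip"], m["ua"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

        sig = SCANNER_UA.search(ua)
        if sig:
            findings.setdefault(ip, set()).add("scanner-ua:" + sig.group(0).lower())

        if m["status"] == "404":
            bucket = misses[ip]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:
                bucket.pop(0)   # expire 404s that fell out of the window
            if len(bucket) >= threshold:
                findings.setdefault(ip, set()).add("404-burst")
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in detect_scanners(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

The per-IP sliding window is what separates a scanner from a visitor following stale links: 203.0.113.9 produces just as many 404s as the scanners but never five within a minute, so it is not flagged. In production the window and threshold need tuning per site, and the User-Agent match is only a convenience, since any scanner can set an arbitrary one.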
Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
Web services enumeration / scanning / fuzzing
Web application non-specific static source-code analysis
Pixy: a static analysis tool for detecting XSS vulnerabilities – http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit – http://www.brixoft.net/prodinfo.asp?id=1
Security Compass Web Application Analysis Tool (SWAAT) – http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
An even more complete list here – http://www.cs.cmu.edu/~aldrich/courses/654/tools/
A nice list that claims some demos available – http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list – http://spinroot.com/static/
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/
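What a tool like Pixy does for XSS is taint analysis: mark data from request sources, follow it through assignments, and report where it reaches an output sink without passing through a sanitizer. The following is an added example written for this page in Python, not Pixy’s or any listed tool’s code, and it is a deliberately small, line-by-line, intra-procedural version of the idea. The PHP snippet is constructed, and the source, sink and sanitizer lists are assumptions; it does not handle control flow, functions, or `//` inside string literals.

```python
import re

# Constructed PHP snippet used as the analysis input (not from any real project).
SAMPLE_PHP = """\
<?php
$name = $_GET['name'];
$safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$greeting = "Hello, " . $name;
$id = intval($_GET['id']);
echo "<h1>" . $safe . "</h1>";        // clean: escaped before output
echo "<p>" . $greeting . "</p>";      // XSS: $greeting still carries $name
echo "<a href='?id=" . $id . "'>";    // clean: intval() yields an integer
echo $_COOKIE['theme'];               // XSS: source goes straight to the sink
$copy = $greeting;
echo htmlspecialchars($copy);         // clean: escaped at the sink
"""

# Assumed taint model.
SOURCE_RE = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST)\b")
SANITIZERS = ("htmlspecialchars", "htmlentities", "intval")
VAR_RE = re.compile(r"\$(\w+)")
ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.+);$")
SINK_RE = re.compile(r"^(?:echo|print)\s+(.+);$")
COMMENT_RE = re.compile(r"\s*//.*$")
SANITIZER_CALL_RE = re.compile(r"\b(" + "|".join(SANITIZERS) + r")\s*\(")


def strip_sanitized(expr):
    """Delete every sanitizer call together with its argument list, so that
    whatever remains is what reaches the sink unescaped."""
    out = expr
    while True:
        m = SANITIZER_CALL_RE.search(out)
        if not m:
            return out
        depth, i = 1, m.end()
        while i < len(out) and depth:          # find the matching ')'
            depth += {"(": 1, ")": -1}.get(out[i], 0)
            i += 1
        out = out[:m.start()] + out[i:]


def taint_origin(expr, tainted):
    """Return a description of where taint in expr comes from, or None."""
    rest = strip_sanitized(expr)
    src = SOURCE_RE.search(rest)
    if src:
        return src.group(0)
    for var in VAR_RE.findall(rest):
        if var in tainted:
            return "$" + var + " <- " + tainted[var]
    return None


def analyze(php_source):
    """Return [(line_no, statement, origin)] for every sink fed by tainted data."""
    tainted = {}      # variable name -> chain describing its taint
    findings = []
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).strip()
        m = ASSIGN_RE.match(line)
        if m:
            var, expr = m.group(1), m.group(2)
            origin = taint_origin(expr, tainted)
            if origin:
                tainted[var] = origin
            else:
                tainted.pop(var, None)   # a clean reassignment kills the taint
            continue
        m = SINK_RE.match(line)
        if m:
            origin = taint_origin(m.group(1), tainted)
            if origin:
                findings.append((lineno, line, origin))
    return findings


if __name__ == "__main__":
    for lineno, stmt, origin in analyze(SAMPLE_PHP):
        print("line %d: %s   [tainted via %s]" % (lineno, stmt, origin))
```

The reported origin chain (`$greeting <- $name <- $_GET`) is the part reviewers actually want from a static analyzer, since it tells them which assignment to fix. Note the asymmetry that trips up naive grep-based checks: `htmlspecialchars($name)` stored in `$safe` is clean, but the unescaped `$name` concatenated into `$greeting` two lines later is not, and only flow tracking distinguishes the two.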
Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
Java static analysis, security frameworks, and web application security tools
Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
Threat modeling
Add-ons for Firefox that help with general web application security
Add-ons for Firefox that help with Javascript and Ajax web application security
Bookmarklets that aid in web application security
RSnake’s security bookmarklets – http://ha.ckers.org/bookmarklets.html
BMlets – http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets – http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality – http://www.blummy.com/
Bookmarklets every blogger should have – http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) – http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) – http://www.chuonthis.com/extensions/
SSL certificate checking / scanning
Honeyclients, Web Application, and Web Proxy honeypots
Blackhat SEO and maybe some whitehat SEO
Footprinting for web application security
Database security assessment
Scuba by Imperva Database Vulnerability Scanner – http://www.imperva.com/scuba/
Browser Defenses
Browser Privacy
Application and protocol fuzzing (random instead of targeted)