



Please send comments or questions to the Phoenix-OWASP mailing-list.

AOC_Labrat-ALPHA-0010.iso (directory listing: Monday, January 29, 2007 4:02 PM, size 828569600) - http://www.packetfocus.com/hackos/
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/

Test sites / testing grounds
SPI Dynamics (live) - http://zero.webappsecurity.com/
Cenzic (live) - http://crackme.cenzic.com/
Watchfire (live) - http://demo.testfire.net/
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/

HTTP proxying / editing
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp - http://www.portswigger.net/
Paros - http://www.parosproxy.org/
Fiddler - http://www.fiddlertool.com/
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru - http://www.sensepost.com/research/suru/
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/
Charles - http://www.xk72.com/charles/
Odysseus - http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/

Tools based on RSnake's XSS cheat sheet, webapp fuzzing tools, and encoding tools
Wfuzz - http://www.edge-security.com/wfuzz.php
ProxMon - http://www.isecpartners.com/proxmon.html
Wapiti - http://wapiti.sourceforge.net/
Grabber - http://rgaucher.info/beta/grabber/
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz - http://sourceforge.net/projects/jbrofuzz
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
RegFuzzer: test your regular expression! filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression!-filter
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml
RFuzz - http://rfuzz.rubyforge.org/
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/
WSTool - http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743

HTTP general testing / fingerprinting
Wbox: HTTP testing tool - http://hping.org/wbox/
ht://Check - http://htcheck.sourceforge.net/
Mumsie - http://www.lurhq.com/tools/mumsie.html
WebInject - http://www.webinject.org/
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/
JoeDog's Siege - http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/
Load-balancing detector - http://ge.mine.nu/lbd.html
HMAP - http://ujeni.murkyroc.com/hmap/
Net-Square: httprint - http://net-square.com/httprint/
Wpoison: http stress testing - http://wpoison.sourceforge.net/
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp
Nikto - http://www.cirt.net/code/nikto.shtml
twill - http://twill.idyll.org/
DirBuster - http://www.sittinglittleduck.com/DirBuster/
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html

Browser-based HTTP tampering / editing / replaying
TamperIE - http://www.bayden.com/Other/
isr-form - http://www.infobyte.com.ar/developments.html
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/

Cookie editing / poisoning
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx

Ajax and XHR scanning
Sahi - http://sahi.co.in/
scRUBYt - http://scrubyt.org/
jQuery - http://jquery.com/
jquery-include - http://www.gnucitizen.org/projects/jquery-include
Sprajax - http://www.denimgroup.com/sprajax.html
Watir - http://wtr.rubyforge.org/
Watij - http://watij.com/
Watin - http://watin.sourceforge.net/
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
JavaScript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/
Firebug Lite - http://www.getfirebug.com/lite.html
firewatir - http://code.google.com/p/firewatir/

RSS extensions and caching
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/

SQL injection scanning
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takeover tool - http://sqlninja.sourceforge.net/
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap - http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas
PRIAMOS - http://www.priamos-project.com/

Web application security malware, backdoors, and evil code
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/
Jikto - http://busin3ss.name/jikto-in-the-wild/
XSS Shell - http://ferruh.mavituna.com/article/?1338
XSS-Proxy - http://xss-proxy.sourceforge.net
AttackAPI - http://www.gnucitizen.org/projects/attackapi/
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/
BeEF - http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/
What is my IP address? - http://reglos.de/myaddress/
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval
Technika - http://www.gnucitizen.org/projects/technika/
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/

Web application services that aid in web application security assessment
Netcraft - http://www.netcraft.net
AboutURL - http://www.abouturl.com/
The Scrutinizer - http://www.scrutinizethis.com/
net.toolkit - http://clez.net/
ServerSniff - http://www.serversniff.net/
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit - http://www.webmaster-toolkit.com/
myIPNeighbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
PHP charset encoding - http://h4k.in/encoding
data: URL testcases - http://h4k.in/dataurl

Browser-based security fuzzing / checking
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider - http://labs.idefense.com
bcheck - http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7
JavaScript Website Login Checker - http://ha.ckers.org/weird/xxjavascript-website-login-checker.html
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1

PHP static analysis and file inclusion scanning
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit

Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/
dotnetids - http://code.google.com/p/dotnetids/
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/
GotRoot: ModSecurity rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/
mod_security rules generator - http://noeljackson.com/tools/modsecurity/
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99
Akismet: blog spam defense - http://akismet.com/
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/

Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c
Net-square: wsChess - http://net-square.com/wschess/index.shtml
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html

Web application non-specific static source-code analysis
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list - http://spinroot.com/static/

Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
RATS - http://www.securesoftware.com/resources/download_rats.html
ITS4 - http://www.cigital.com/its4/
FlawFinder - http://www.dwheeler.com/flawfinder/
Splint - http://www.splint.org/
Uno - http://spinroot.com/uno/
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net
Valgrind - http://www.valgrind.org/

Java static analysis, security frameworks, and web application security tools
HDIV Struts - http://hdiv.org/
Orizon - http://sourceforge.net/projects/orizon/
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/
PMD - http://pmd.sourceforge.net/
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/
EMMA - http://emma.sourceforge.net/
JLint - http://jlint.sourceforge.net/
Java PathFinder - http://javapathfinder.sourceforge.net/
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/
Checkstyle - http://checkstyle.sourceforge.net/
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver
tinapoc - http://sourceforge.net/projects/tinapoc
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
Solex - http://solex.sourceforge.net/
Java Explorer - http://metal.hurlant.com/jexplore/
HTTPClient - http://www.innovation.ch/java/HTTPClient/
another HttpClient - http://jakarta.apache.org/commons/httpclient/
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html

Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf

Threat modeling
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php
Octotrike - http://www.octotrike.org/

Add-ons for Firefox that help with general web application security
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/
Public Fox - https://addons.mozilla.org/firefox/3911/
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html
IE Tab - https://addons.mozilla.org/firefox/1419/
User-Agent Switcher - https://addons.mozilla.org/firefox/59/
ServerSwitcher - https://addons.mozilla.org/firefox/2409/
HeaderMonitor - https://addons.mozilla.org/firefox/575/
RefControl - https://addons.mozilla.org/firefox/953/
refspoof - https://addons.mozilla.org/firefox/667/
No-Referrer - https://addons.mozilla.org/firefox/1999/
LocationBar^2 - https://addons.mozilla.org/firefox/4014/
SpiderZilla - http://spiderzilla.mozdev.org/
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143
Fire Encrypter - https://addons.mozilla.org/firefox/3208/

Add-ons for Firefox that help with JavaScript and Ajax web application security
Selenium IDE - http://www.openqa.org/selenium-ide/
Firebug - http://www.joehewitt.com/software/firebug/
Venkman - http://www.mozilla.org/projects/venkman/
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey - http://www.greasespot.net/
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/

Bookmarklets that aid in web application security
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html
BMlets - http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of JavaScript to provide rich functionality - http://www.blummy.com/
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/

SSL certificate checking / scanning
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger - http://foundstone.com/resources/freetooldownload.htm?file=ssldigger.zip
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/

Honeyclients, Web Application, and Web Proxy honeypots
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/
Google Hack Honeypot - http://ghh.sourceforge.net/
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/
SpyBye - http://www.monkey.org/~provos/spybye/
Honeytokens - http://www.securityfocus.com/infocus/1713

Blackhat SEO and maybe some whitehat SEO
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html
SEOQuake (Firefox Add-on) - http://www.seoquake.com/

Footprinting for web application security
Evolution - http://www.paterva.com/evolution-e.html
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/
Edge-Security tools - http://www.edge-security.com/soft.php
Fierce Domain Scanner - http://ha.ckers.org/fierce/
Googlegath - http://www.nothink.org/perl/googlegath/
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/

Database security assessment
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/

Browser Defenses
DieHard - http://www.diehard-software.org/
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497
NoScript (Firefox Add-on) - http://www.noscript.net/
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/
Adblock (Firefox Add-on) - http://adblock.mozdev.org/
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
SafeCache (Firefox Add-on) - http://www.safecache.com/
SafeHistory (Firefox Add-on) - http://www.safehistory.com/
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/
FireKeeper - http://firekeeper.mozdev.org/

Browser Privacy
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/
Privacy Bird - http://www.privacybird.com/

Application and protocol fuzzing (random instead of targeted)
Sulley - http://fuzzing.org/
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/
autodafe: an act of software torture - http://autodafe.sourceforge.net/
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html


Development tools

  1. Eclipse : http://www.eclipse.org/
  2. NetBeans : http://www.netbeans.org/community/releases/60/index.html
  3. Firebug : http://www.getfirebug.com/

Source code management

  1. CVS : http://www.cvshome.org
  2. Subversion : http://subversion.tigris.org
  3. MS Visual SourceSafe
  4. BitKeeper : http://www.bitkeeper.com
  5. ClearCase : http://www-306.ibm.com/software/awdtools/clearcase/

Build script tools

  1. make : http://source.redhat.com/cygwin
  2. Automake : http://www.gnu.org/software/automake
  3. Ant : http://ant.apache.org
  4. NAnt : http://nant.sourceforge.net
  5. Groovy : http://groovy.codehaus.org
  6. Rake : http://rake.rubyforge.org/  
  7. SCons : http://www.scons.org/

Build systems

  1. Maven : http://maven.apache.org
  2. Maven2 : http://maven.apache.org/maven2/index.html

CI tools (continuous integration)

  1. CruiseControl : http://cruisecontrol.sourceforge.net
  2. CruiseControl .NET : http://sourceforge.net/projects/ccnet
  3. DamageControl : http://damagecontrol.codehaus.org
  4. AntHill : http://www.urbancode.com/projects/anthill
  5. Continuum : http://maven.apache.org/continuum
  6. LuntBuild : http://luntbuild.javaforge.com/  
  7. Buildix : http://buildix.thoughtworks.com/  
  8. Hudson : https://hudson.dev.java.net/  (intuitive and easy to use)

Issue tracking tools

  1. Bugzilla : http://www.bugzilla.org
  2. JIRA : http://www.atlassian.com/software/jira/default.jsp
  3. FogBugz : http://www.fogcreek.com/FogBugz
  4. PR-Tracker : http://www.prtracker.com  
  5. Trac : http://trac.edgewall.org/

Test frameworks

  1. JUnit : http://www.junit.org
  2. NUnit : http://www.nunit.org
  3. xUnit.NET : http://www.codeplex.com/xunit
  4. MbUnit : http://www.mbunit.org
  5. HTMLUnit : http://htmlunit.sourceforge.net
  6. HTTPUnit : http://httpunit.sourceforge.net
  7. JWebUnit : http://jwebunit.sourceforge.net
  8. Cobertura : http://cobertura.sourceforge.net
  9. Clover : http://www.cenqua.com/clover  
  10. Cactus : http://jakarta.apache.org/cactus/
  11. Emma : http://emma.sourceforge.net/
  12. Fit : http://fit.c2.com
  13. FitNesse : http://fitnesse.org
  14. Watir : http://wtr.rubyforge.org
  15. Systir : http://atomicobject.com/systir.page
  16. AUT : http://aut.tigris.org/
  17. UnitTest++ : http://unittest-cpp.sourceforge.net/  
  18. TestNG : http://testng.org/doc/  
  19. CppUnit : http://sourceforge.net/projects/cppunit  
  20. CppUnit2 : http://cppunit.sourceforge.net/cppunit-wiki/CppUnit2  
  21. Selenium : http://www.openqa.org/
  22. Agitar : http://www.agitar.com/  
  23. JTest : http://www.parasoft.com/jsp/home.jsp  
  24. PushToTest : http://www.pushtotest.com/
  25. Eclemma : http://www.eclemma.org/

Project management

  1. OpenProj : http://openproj.org/openproj 
  2. dotproject : http://www.dotproject.net/
  3. Mantis : http://www.mantisbt.org/

Communication tools, wikis

  1. MoinMoin : http://moinmoin.wikiwikiweb.de/
  2. Confluence : http://www.atlassian.com/software/confluence/
  3. TWiki : http://twiki.org/
  4. SocialText : http://www.socialtext.com/  
  5. Springnote : http://www.springnote.com/ko


  1. ANTS Load : http://www.red-gate.com/products/ants_load/index.htm  
  2. JunitPerf : http://www.clarkware.com/software/JUnitPerf.html  
  3. Jmeter : http://jakarta.apache.org/jmeter/


  1. Structure101 : http://www.headwaysoftware.com/index.php  
  2. FreeMind : http://freemind.sourceforge.net/wiki/index.php/Main_Page  
  3. Capistrano : http://manuals.rubyonrails.com/read/book/17


Source: "A story I want to tell the many people who became developers because they love development", by k16wire


Open-source products

  • Bandera — analyser for Java
  • Checkstyle — analyse Java and apply coding standard
  • ClassCycle — analyse Java class cycles and class and package dependencies (Layers)
  • CQual — A tool for adding type qualifiers in C
  • FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL).
  • Flawfinder — open source programming tool that examines C or C++ source code for security weaknesses.
  • Jlint — for Java
  • JsLint - online analyzer for JavaScript
  • Oink — collaboration of C++ static analysis tools
  • Perl::Critic - a static code analysis tool for Perl
  • Pixy — a PHP 4 source code scanner for detection of XSS and SQL injection vulnerabilities.
  • PMD (software) — a static ruleset based Java source code analyzer that identifies potential problems.
  • PyChecker - The original static code analyser for Python.
  • pylint - A static code analyser for Python. Works as a plugin to PyDev for the Eclipse IDE.
  • RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.
  • Soot — A Java program analysis and compiler optimization framework
  • Sparse — a tool designed to find faults in the Linux kernel.
  • Splint — an open source evolved version of Lint (C language).

Commercial products

  • Aivosto Oy's - Project Analyzer - Static code analysis tool for VBA, and VB6/VB.net
  • Armorize Technologies CodeSecure - source code scanning (PHP, J2EE, ASP, etc.)
  • Axivion Bauhaus Suite — a tool for C, C++, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
  • checKing - monitors the quality of software development process, including violations of coding rules for Java, JSP, Javascript, XML and HTML.
  • Checkmarx CxSuite - a suite of software which helps developers and auditors identify software security vulnerabilities. Company homepage (http://www.checkmarx.com)
  • ClockSharp - checks C# code against the Philips C# coding standard.
  • Compuware DevPartner - static code analyzer for .NET (C#, ASP.NET) with Visual Studio 2005 integration
  • Coverity Prevent — analyzes C, C++ and Java code.
  • DMS Software Reengineering Toolkit — supports custom analysis of C, C++, Java, COBOL, and many other languages.
  • Fortify — helps developers identify software security vulnerabilities in C/C++, Java, JSP, Javascript, ASP.NET, C#, VB.NET, PHP, "Classic" ASP, VB, PL/SQL, T-SQL, XML and other languages.
  • FxCop — static analysis for Microsoft .NET programs based on IL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
  • Green Hills Software DoubleCheck - static analysis for C and C++ code.
  • HP Code Advisor - A static analysis tool for C and C++ programs
  • Intel Compiler Suite — the Intel C++ Compiler and Intel Fortran Compiler both offer static analysis.
  • IntelliJ IDEA — IDE for Java that also provides static code analysis.
  • Klocwork K7 — provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++ and Java
  • Lattix, Inc. LDM - Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
  • LDRA Testbed - A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • M Squared Technologies Resource Standard Metrics - source code analysis and metrics (Java, Javascript, etc.)
  • Microsoft Visual Studio - Visual Studio Team System includes a static code analyzer.
  • MZTools - MZTools 3.0 - Free Static Code Analysis, productivity enhancement tool for VBA.
  • NStatic - deep static analysis of C# code.
  • Ounce Labs — automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET, and VB.Net.
  • Parasoft - static code analysis and security testing tools for Java, C, C++, C#, .Net, HTML, CSS, JavaScript, VSscript.
  • PC-Lint - A multiplatform static code analysis tool by Gimpel Software for C and C++. Also available for the GNU/Linux and Unix operating systems in the form of FlexeLint.
  • PolySpaceTM code verifiers by The MathWorks - Software verification for C, C++ and Ada
  • QA-C - deep static analysis of C for quality assurance and guideline enforcement.
  • ReSharper - Add-on for Visual Studio 2003/2005 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
  • SemmleCode — object oriented code queries for static program analysis.
  • SofCheck Inspector — provides static detection of logic errors, race conditions, and redundant code for Java and Ada.
  • Sotoarc/Sotograph - Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++
  • STAN — Structure Analysis for Java. Eclipse integrated visual dependency analysis, quality metrics and reporting.
  • Swat4j — a model based, goal oriented source code auditing tool for Java. Comes as an Eclipse plug-in.
  • Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling) for C, C++, Ada, Java.
  • TorqueWrench - A static Java bytecode analysis tool by StackFrame, LLC.
  • Understand — analyzes C,C++, Java, Ada, Fortran, Jovial, Delphi — reverse engineering of source, code navigation, and metrics tool.
  • Viva64 — analyzes C and C++ code to detect 64-bit portability issues.
  • Veracode SecurityReview — outsourced application security testing and remediation for C, C++, Java, .Net and other languages.
  • CodePro Analytix - Static code analysis for Java, integrated with Eclipse.
  • Sparrow - C/C++ memory-bug detecting static analyzer.


Garbage collection occupies a very important place in Java.
It is also a part that has no small effect on performance while developing an application.
These are tools that monitor the state of memory through garbage collection data.
1. Download sites
http://java.sun.com/performance/jvmstat/               - Sun's jvmstat.
http://docs.hp.com/en/5991-6757/ch03s04.html        - GC Viewer for HP.
http://java.sun.com/developer/technicalArticles/Programming/GCPortal/  - GC-related articles and tools.

2. Features

  • Calculates performance indicators (throughput, accumulated pauses, longest pause, etc.) from garbage collection data and presents them in a readable form
  • GC Viewer in particular can import data in CSV format
  • Useful for tuning GC, for example by changing generation sizes and setting the heap size

3. Settings per platform

  • Sun JDK 1.4/1.5 : -Xloggc:<file> [-XX:+PrintGCDetails]
  • Sun JDK 1.2.2/1.3.1/1.4 : -verbose:gc
  • IBM JDK 1.3.1/1.3.0/1.2.2 : -verbose:gc
  • HP-UX JDK 1.2/1.3/1.4.x : -Xverbosegc
  • BEA JRockit 1.4.2/1.5 : -verbose:memory
  • Standard : -Xloggc:<file> -XX:+PrintGCDetails
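An added example, not from the page or from the GC tools named above: a small Python parser that reads a constructed -Xloggc style log (the output the flags in section 3 produce) and computes the indicators listed in section 2. It assumes timestamps are seconds since JVM start and takes the end of the last event as the elapsed time.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# -verbose:gc / -Xloggc line, with or without PrintGCDetails; whole-heap figures close it
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d+\.\d+): )?\[(?P<kind>Full GC|GC)\b.*?"
    r"(?P<before>\d+)K->(?P<after>\d+)K\((?P<total>\d+)K\), (?P<secs>\d+\.\d+) secs\]"
)
# Constructed sample log (not real output); timestamps are seconds since JVM start.
GC_LOG = """\
0.521: [GC 8192K->1024K(16384K), 0.0120000 secs]
1.402: [GC [PSYoungGen: 9216K->512K(9216K)] 9216K->2048K(16384K), 0.0080000 secs]
3.015: [Full GC 12288K->3072K(16384K), 0.2500000 secs]
4.250: [GC 11264K->2560K(16384K), 0.0300000 secs]
"""

@dataclass
class GcEvent:
    ts: Optional[float]  # None when the log has no -Xloggc timestamps
    full: bool
    before_kb: int
    after_kb: int
    total_kb: int
    secs: float          # stop-the-world pause

def parse_gc_log(text: str) -> List[GcEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # PrintGCDetails emits extra lines that are not GC events
        events.append(GcEvent(float(m["ts"]) if m["ts"] else None,
                              m["kind"] == "Full GC", int(m["before"]),
                              int(m["after"]), int(m["total"]), float(m["secs"])))
    return events

def gc_stats(events: List[GcEvent]) -> dict:
    """Accumulated pauses, longest pause and throughput (share of wall time not in
    GC). Throughput needs timestamps; elapsed time = end of the last event."""
    pauses = [e.secs for e in events]
    stats = {"collections": len(events),
             "full_collections": sum(e.full for e in events),
             "accumulated_pause_s": sum(pauses),
             "longest_pause_s": max(pauses, default=0.0)}
    if events and all(e.ts is not None for e in events):
        elapsed = events[-1].ts + events[-1].secs
        stats["throughput"] = 1.0 - stats["accumulated_pause_s"] / elapsed
    return stats
```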

4. GC-related articles

<Source: http://www.mimul.com/pebble/default/2008/01/09/1199887560000.html >
<Source: http://www.sjava.net/84 >


java exe wrappers

While using jsmooth, if a splashscreen is used
the program does not run.. ㅡㅡ;
Also a drawback: unless the icon (not an .ico) is present alongside it, the icon does not show.
An exe file is generated without any special configuration.
Think of it as simply creating a symbolic file that runs java -jar.
But since it is generated with an icon (.ico), the advantage is that no separate image file is needed.

java installers

0. What is the Java Profiling API?

A profiler is a tool used to diagnose an application's problems and measure its performance.
A Java application needs to obtain information from the JVM, and this is the API Java provides for that purpose.

JVMPI for Java 1.3, 1.4
- Designed to work well on the classic Java virtual machine
- Event-based model
- Sun itself described it as experimental, and it is no longer used from Java 1.6 on
- Since this application runs on Java 1.6, tools based on this approach were not investigated

JVMTI for Java 1.5 and above
- Used through a technique called ByteCode Instrumentation (BCI)
- Works by inserting profiling code at the exact location in the bytecode to be monitored
- Almost all of the techniques described below use this approach

A profiling tool handles collection, analysis, or both collection and analysis.
So with a tool that only collects, you either analyze by eye or use a separate analysis tool.

Related material : http://openframework.or.kr/Wiki.jsp?page=JvmtiNjvmpi

1. Jstack

1.1 A tool that collects information.
1.2 The basic Java command for taking a thread dump.
1.3 Available on Windows from Java 1.6; on Linux from Java 1.4
1.4 Usage
    - Find the Java process with jps : C:\Java\jdk1.6.0\bin>jps -v
    - Take a thread dump with the PID found : C:\Java\jdk1.6.0\bin>jstack 4740 > st.txt
    - Sample dump content
      "hmux-" daemon prio=10 tid=0x9e3ad400 nid=0x17b9 runnable [0x9d3fd000..0x9d3fdfa0]
      java.lang.Thread.State: RUNNABLE
      at java.net.SocketInputStream.socketRead0(Native Method)
      at java.net.SocketInputStream.read(SocketInputStream.java:129)
      at com.caucho.vfs.SocketStream.read(SocketStream.java:175)
      at com.caucho.vfs.ReadStream.readBuffer(ReadStream.java:1012)
      at com.caucho.vfs.ReadStream.waitForRead(ReadStream.java:336)
      at com.caucho.server.port.TcpConnection.run(TcpConnection.java:598)
      at com.caucho.util.ThreadPool$Item.runTasks(ThreadPool.java:690)
      at com.caucho.util.ThreadPool$Item.run(ThreadPool.java:612)
      at java.lang.Thread.run(Thread.java:619)
1.5 How to analyze the dump content : http://www.j2eestudy.co.kr/lecture/lecture_read.jsp?db=lecture0201_1&table=j2ee&id=24
1.6 Pros and cons
    - Requires no special coding.
    - Running the command at the moment a problem occurs lets you find the information on the hung thread.
    - Since you have to find it by eye, proficiency through practice is needed.
1.7 References : http://kwon37xi.egloos.com/2871508
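As an added example (not the page's own material), a Python reader for dumps in the jstack format shown above that does the first steps of the by-eye analysis mentioned in 1.5: it counts threads per state, finds the top frame most threads share, and maps each blocked thread to the thread holding the monitor it waits for. The dump text, thread names and lock addresses are constructed.

```python
import re
from collections import Counter

HEADER_RE = re.compile(r'^"(?P<name>[^"]+)".*\btid=0x[0-9a-f]+')
STATE_RE = re.compile(r"java\.lang\.Thread\.State: (\w+)")
LOCK_RE = re.compile(r"- (?P<op>locked|waiting to lock) <(?P<addr>0x[0-9a-f]+)>")

# Constructed dump in jstack's format (not a real capture): two workers blocked on a monitor held by a third
DUMP = '''\
"worker-1" prio=5 tid=0x0a0b0c01 nid=0x1001 waiting for monitor entry [0x00000001]
   java.lang.Thread.State: BLOCKED (on object monitor)
        at app.Cache.get(Cache.java:42)
        - waiting to lock <0x2aab0001> (a app.Cache)

"worker-2" prio=5 tid=0x0a0b0c02 nid=0x1002 waiting for monitor entry [0x00000002]
   java.lang.Thread.State: BLOCKED (on object monitor)
        at app.Cache.get(Cache.java:42)
        - waiting to lock <0x2aab0001> (a app.Cache)

"worker-3" prio=5 tid=0x0a0b0c03 nid=0x1003 runnable [0x00000003]
   java.lang.Thread.State: RUNNABLE
        at app.Db.query(Db.java:88)
        at app.Cache.refresh(Cache.java:60)
        - locked <0x2aab0001> (a app.Cache)
'''

def parse_thread_dump(text: str) -> list:
    threads, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if (h := HEADER_RE.match(line)):  # a thread starts at its quoted-name header
            cur = {"name": h["name"], "state": "?", "frames": [], "locked": set(), "waiting to lock": set()}
            threads.append(cur)
        elif cur is None:
            continue  # preamble before the first thread header
        elif (s := STATE_RE.search(line)):
            cur["state"] = s[1]  # BLOCKED, RUNNABLE, WAITING, ... without the suffix
        elif line.startswith("at "):
            cur["frames"].append(line[3:])
        elif (lk := LOCK_RE.match(line)):
            cur[lk["op"]].add(lk["addr"])  # monitor held or monitor waited for
    return threads

def summarize(threads: list) -> dict:
    holder = {a: t["name"] for t in threads for a in t["locked"]}  # monitor -> owning thread
    return {
        "by_state": dict(Counter(t["state"] for t in threads)),
        "hotspots": Counter(t["frames"][0] for t in threads if t["frames"]).most_common(3),
        "blocked_by": {t["name"]: holder.get(a) for t in threads for a in t["waiting to lock"]},
    }
```

Many threads sharing one top frame, and several of them blocked on a monitor one slow thread holds, is the pattern the hung-thread search in 1.6 looks for.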

2. HPRof

2.1 A tool that collects information.
2.2 Short for Heap and CPU Profiling Agent; provided by the JDK out of the box.
2.3 Data collected by HPRof is then analyzed with Heap Analyzer.
2.4 Usage (based on resin 3.1.X)
    - Open the resin.conf file
    - In the JVM arguments section add <jvm-arg>-agentlib:hprof=heap=sites,cpu=samples,file=d:\zeous\profiling.txt</jvm-arg>
2.5 Sample collected data
    TRACE 300539:
    java.security.ProtectionDomain.getCodeSource(ProtectionDomain.java:Unknown line)
    java.lang.ClassLoader.postDefineClass(ClassLoader.java:Unknown line)
    java.lang.ClassLoader.defineClass(ClassLoader.java:Unknown line)
    java.security.SecureClassLoader.defineClass(SecureClassLoader.java:Unknown line)
2.6 Pros and cons
    - An enormous amount of data is generated (it seems to record everything)
    - Starting the server with this JVM option makes it much slower
    - The profile data is not recorded in real time; it is written only when the server is shut down or an action (Ctrl+Break) is taken.
2.7 References : http://wiki.ex-em.com/index.php/HProf

3. ASM

3.1 A tool that collects and analyzes information.
3.2 The lowest-level way of taking control, using the BCI API
3.3 Whereas HPRof analyzes every class, this approach lets you specify (code) the action you want for specific classes.
3.4 Pros and cons
    - Control over specific classes is possible (e.g. counting how many times a connection was opened)
    - With that freedom comes having to code everything from scratch.
3.5 References
    - http://somnusong.tistory.com/275
    - http://asm.objectweb.org/index.html

4. Jconsole

4.1 A tool that collects and analyzes information.
4.2 A local and remote Java application analysis tool included since JDK 1.5
4.3 Provides data collection and an analysis UI built with Swing
4.4 Usage (based on resin 3.1.X)
    - Open the resin.conf file
    - In the JVM argument section add
      <jvm-arg>-Dcom.sun.management.jmxremote.authenticate=false</jvm-arg>
4.5 Pros and cons
    - Almost no load on the server even while data is being collected.
    - The analyzed data is provided through the UI without any special coding
    - It is also possible to set an id/password to be prompted for, but the configuration is a bit tricky. (Did not succeed)
    - Contains all the data of the thread dump that Jstack generates
    - Restarting Jconsole discards everything collected so far and starts again from the beginning
4.6 References
    - http://java.sun.com/javase/6/docs/technotes/guides/management/jconsole.html
    - http://sjchoi.wordpress.com/2007/01/10/jconsole-사용하기/
    - http://www.mimul.com/pebble/default/tags/jmx/
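An added example, not from the page or from Resin's own configuration: the authenticate=false setting above placed beside a hardened equivalent, with a Python check that reports which remote JMX settings are weak; the port number and file paths are assumptions. Once a remote port is opened, authenticate=false lets anyone who can reach the port read and invoke every MBean, so the check treats that as its first finding.

```python
PREFIX = "-Dcom.sun.management.jmxremote."

# The setting from the text, with a remote port added, as a constructed jvm-arg list
# (the values resin.conf's <jvm-arg> elements would carry).
WEAK_ARGS = [
    "-Dcom.sun.management.jmxremote.port=9010",
    "-Dcom.sun.management.jmxremote.authenticate=false",
    "-Dcom.sun.management.jmxremote.ssl=false",
]
# Hardened equivalent: password and access files plus TLS. File paths are assumptions;
# jmxremote.password must be readable only by the JVM's user, and ssl=true also needs
# a keystore configured through the javax.net.ssl.* properties (omitted here).
HARDENED_ARGS = [
    "-Dcom.sun.management.jmxremote.port=9010",
    "-Dcom.sun.management.jmxremote.authenticate=true",
    "-Dcom.sun.management.jmxremote.password.file=/etc/resin/jmxremote.password",
    "-Dcom.sun.management.jmxremote.access.file=/etc/resin/jmxremote.access",
    "-Dcom.sun.management.jmxremote.ssl=true",
]

def jmx_settings(args: list) -> dict:
    """Pick the com.sun.management.jmxremote.* properties out of a JVM argument list."""
    out = {}
    for a in args:
        if a.startswith(PREFIX) and "=" in a:
            key, value = a[len(PREFIX):].split("=", 1)
            out[key] = value
    return out

def audit_jmx(args: list) -> list:
    """Findings for a remotely reachable JMX connector. The JDK defaults
    authenticate and ssl to true, so only an explicit 'false' is a finding."""
    s = jmx_settings(args)
    findings = []
    if "port" not in s:
        return findings  # no remote connector; jconsole can only attach locally
    if s.get("authenticate", "true").lower() == "false":
        findings.append("authenticate=false: anyone reaching the port gets full MBean access")
    elif "password.file" not in s:
        findings.append("password.file not set: the JRE's default jmxremote.password is used")
    if s.get("ssl", "true").lower() == "false":
        findings.append("ssl=false: credentials and MBean data travel in clear text")
    return findings
```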

5. Jennifer

5.1 A commercial tool that collects and analyzes information
5.2 Can be tested by obtaining a 2-week free license.
5.3 Where Jconsole has the drawback of not being able to save data, this one, as befits a commercial tool, stores the analyzed logs.
5.4 Usage (based on resin 3.1.x)
    - Installation manual : http://www.jennifersoft.com:8080/man/viewer/DocumentViewer.jsp?id=abc385f1-e652-48e5-8616-e24b13014734
    - Beyond the installation manual, http_service_class = javax.servlet.http.HttpServlet;com.caucho.jsp.JavaPage must be added to W11.conf
    - Set all the entries given as localhost to IP addresses
5.5 User manual : http://www.jennifersoft.com/docs/ko/77.html
5.6 Pros and cons
    - It costs money ^^
    - Shows excellent strengths in real-time alerting and monitoring.
A site with open-source test tools..

Site listing performance test tools


This is Install Factory version 2.7, a program that creates the files that let a program you developed be installed on other users' computers.

Since those looking for this program are unlikely to be looking for instructions on how to use it, I will not write out a description. The manual is enclosed inside anyway. 'ㅡ'a


The installation license section of Install Factory.

InstallFactory 2.70 - Freeware License

● The author accepts no responsibility for any positive or negative consequences that may arise from the use of InstallFactory 2.70.

● InstallFactory 2.70 may be freely used by individuals, organizations and companies for commercial or non-commercial purposes.

● InstallFactory 2.70 itself may not be used for commercial purposes without the author's prior consent.

● When distributing InstallFactory 2.70 over other networks, the Internet, or to other people, this is permitted only in the form of this installer file.

● Inquiries about InstallFactory 2.70 may be sent to the e-mail address Chosmos@Chollian.net.
