Whenever you work on a project, such as building a house or demolishing it, having the right tools for the job is essential. This concept is no different when testing an application, especially testing for security vulnerabilities. Several tools are available to make your job of looking for security flaws easier. Throughout the book, we mention several tools and even discuss some of their weaknesses.
This appendix enumerates some of the tools that we believe are helpful when hunting security bugs. The tools are organized into categories of interest. Remember, tools are always evolving. Sometimes today’s best tool is replaced by a better tool tomorrow. Seek out newer tools if you find the ones you are using don’t meet your expectations, and keep current as new tools become available that do a better job in helping you test.
Title | Description | Chapter |
|---|---|---|
Your brain | One of the most powerful security tools available is your brain. When testing for security bugs, you have to think maliciously and analyze how a developer might have intended a feature to work. No security tool can substitute for your own brain power. | All |
MSDN | Provides documentation about Microsoft technologies, downloads, and links to related information. | Several |
Threat models | An excellent process to help testers create actionable security test cases and help prevent security issues from being introduced into a product. http://msdn.microsoft.com/security/securecode/threatmodeling |
Title | Description | Chapter |
|---|---|---|
ActiveX Control Test Container | Allows for runtime probing and testing of some COM interfaces. http://msdn.microsoft.com/library/en-us/vcsample/html/vcsmpTSTCONActiveXControlTestContainer.asp | |
ActiveX Safety Detailer | Gives safety and other high-level details about a class ID. Available on the book’s companion Web site. | |
COMRaider | COMRaider includes a wide range of ActiveX testing including identifying safe controls, viewing type information, test case generation, fuzzing, debugging, and automated testing. | |
Component Services | Displays the DCOM objects installed on a computer. Comes installed in the Microsoft Windows operating system: dcomcnfg.exe. | |
Object Browser | Displays type information about COM objects. Available with Microsoft Visual Studio and Microsoft Office Visual Basic for Applications (VBA). | |
OLEView | Provides extensive ActiveX/COM interface information. http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/oleview-o.asp |
Title | Description | Chapter |
|---|---|---|
ASCII Table | A table that contains the numerical representations of characters. http://msdn.microsoft.com/library/en-us/vsintro7/html/_pluslang_ASCII_Character_Codes.asp | |
Character Map | Displays the hexadecimal values along with the glyphs for specific characters, as long as the characters have glyphs present in the font specified. Comes installed in the Microsoft Windows operating system: charmap.exe. | N/A |
OverlongUTF | Generates the overlong UTF-8 encodings for a character. Available on the book’s companion Web site. | |
Web Text Converter | Escapes a string into different formats or converts it back into its more readable format. Available on the book’s companion Web site. |
Title | Description | Chapter |
|---|---|---|
.NET Reflector | A class browser, code analyzer, decompiler for .NET-managed assemblies. | |
BoundsChecker | Allows compilation of an instrumented binary to help identify programming flaws. | |
C/C++ Code Analysis | Static code analysis tool that provides information about potential defects in C/C++ source code. http://msdn2.microsoft.com/en-us/library/d3bbz7tz(en-US,VS.80).aspx | |
Forty’s Source Code Analysis | Enables you to identify, track, fix security vulnerabilities in your application by analyzing the source code. | N/A |
FxCop | Analyzes Microsoft .NET Framework–managed code to make sure the assembly adheres to the.NET Framework Design Guidelines. | |
ILDASM | .NET Framework Intermediate Language (IL) Disassembler. Part of the Microsoft .NET Framework version 2.0 Software Development Kit (SDK). http://msdn.microsoft.com/netframework/downloads/updates/default.aspx | |
LCLint | Static code analysis tool that looks through the code for common cases of buffer overruns. | |
Prefast | Prefast is a static code analysis tool provided as part of Microsoft Visual Studio 2005. |
Title | Description | Chapter |
|---|---|---|
Gflags | Allows you to enable system-wide heap and object checks for an application. http://technet2.microsoft.com/WindowsServer/en/Library/6a183942-57b1-45e0-8b4c-c546aa1b8c471033.mspx | |
IDA Pro | A disassembler and debugger, plus several additional features useful for figuring out how an application works when you don’t have the source code. | |
Microsoft Debugging Tools for Windows | Several debugging tools for the Windows operating system. http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx | |
Microsoft Visual Studio | Microsoft’s premium application debugger and provides a rich set of UI and automatable debugging features. | |
NTSD | System and application debugger. Comes installed in the Windows operating system: ntsd.exe. | |
OllyDbg | A 32-bit debugger for the Windows operating system. |
Title | Description | Chapter |
|---|---|---|
eDoc | Binary editor that preserves the OLE DocFile format. | |
Filename Extension Information | Displays the information for an extension, such as the associated program to open or edit the file. Available on the book’s companion Web site. | |
HTML Help Workshop | Can be used to extract the contents of a Help file (CHM). http://msdn.microsoft.com/library/en-us/htmlhelp/html/hwMicrosoftHTMLHelpDownloads.asp | |
Resource Hacker | Used to examine the resources contained in a file. | |
Strings | Displays the Unicode or ASCII strings contained within a binary file. | |
WinHex | Universal hexadecimal editor, which is useful when editing different types of binary data, including memory and files. | |
XVI32 | A freeware hexadecimal editor, which can be used to edit binary files. http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm | N/A |
Title | Description | Chapter |
|---|---|---|
iDefense File Fuzzers | Three different fuzzers available for fuzzing files. These fuzzers modify input files, launch the application that handles the input file, and detect exceptions. | N/A |
Hailstorm | Commercially available network fuzzer. | N/A |
Peach | Cross-platform fuzzing framework written in Python. | N/A |
SPIKE | Framework for network fuzzing. | N/A |
Title | Description | Chapter |
|---|---|---|
AppVerifier | For testing applications for compatibility issues with the Windows operating system, including security issues, while the application is executed. http://msdn.microsoft.com/library/en-us/dnappcom/html/AppVerifier.asp | |
APIMon | Monitors and logs system API calls. http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38 | |
APISpy32 | Monitors API calls. | |
Dependency Walker | Shows module entry points and dependencies. | |
Detours | Code library that allows hooking APIs, which allows arbitrary code to receive an API call and return any response. | |
File Monitor (FileMon) | Monitors and displays file system, pipe, and mailslot activity on a system in real time. | |
Logger/LogViewer | Logs API usage at run time for later viewing. http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx | |
Performance Monitor (PerfMon) | Application collects and logs various metrics. Comes installed in the Windows operating system: perfmon.exe. | |
Process Explorer | Shows a lot of information about a process, including the handles and DLLs opened or loaded. | |
RegMon | Monitors applications that access the registry, including the data that is being read from and written to a registry key. | |
Strace | Traces which system calls are made by a specific process. UNIX: http://sourceforge.net/project/showfiles.php?group_id=2861 Windows operating system: http://www.bindview.com/Services/RAZOR/Utilities/Windows | |
Super Password Spy++ | Provides more information about specific windows. Similar to Spy++. http://www.codeguru.com/Cpp/I-N/ieprogram/security/article.php/c4387 | |
Winspector | Enumerates all of the windows and windows messages for a process running on the machine. |
Title | Description | Chapter |
|---|---|---|
Burp suite | Proxy application that can intercept and modify all HTTP and HTTPS traffic. | N/A |
Charles Web Debugging Proxy | A HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. It also useful for intercepting requests that are done using Asynchronous Javascript and XML (AJAX) and XMLHTTP. | N/A |
CreatePipe | A tool that allows you to create a named pipe with a given name and attempts to impersonate the user that connects to it. Available on the book’s companion Web site. | |
Ethereal | Enables you to monitor all network traffic, analyze protocols, and follow TCP steams. | |
Ettercap | A network man in the middle tool for generic packet interception and manipulation on a local area network (LAN). | N/A |
EvilServer | A tool that is included with Web Proxy Editor that enables you to easily mimic an HTTP server. Available on the book’s companion Web site. | |
Fiddler | A HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. | N/A |
IE Developer Toolbar | Enables you to test and interact with the IE DOM in order to help find script injection in the DOM. | N/A |
Imperva Inc.’s Interactive TCP Relay | Enables you to intercept and monitor any TCP traffic for the specified port. | |
Jiri Richter’s Man in the Middle | Enables you to intercept and monitor any TCP traffic for the specified port. Available on the book’s companion Web site. | |
Mac Makeup | Spoofs a MAC address on a Windows-based system. | |
Web Proxy Editor | Intercepts and enables you to manipulate HTTP and HTTPS requests. Available on the book’s companion Web site. | |
Netcat | Enables you to send and receive data across TCP or UDP network connections. Can act as a client or server. | |
NetStat | Displays the TCP/IP network connections on a machine. Comes installed in the Windows operating system: netstat.exe. | |
Network Monitor | Monitors and records all network traffic. http://msdn.microsoft.com/library/en-us/netmon/netmon/network_monitor.asp | |
Parosproxy | Proxy application that can intercept and modify all HTTP and HTTPS traffic. | |
PipeList | Displays all of the named pipes running on the system, including the number of maximum instances and active instances for each. | |
Port Reporter | Port Reporter logs TCP and UDP port activity on a local Windows-based system. | |
RpcDump | Displays all of the RPC endpoints located on a computer. http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/rpcdump-o.asp | |
Scapy | Tool that runs on Linux and allows packet manipulation, including data in the packet padding. | |
TCPView | Displays a detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. | N/A |
ViewPlgs | Views pluggable protocol handlers. Available on the book’s companion Web site. | |
WebServiceStudio | WebServiceStudio takes a URL of a WSDL, displays each method exposed, and calls the method with parameters of your choice. | |
WFetch | Tools to send arbitrary HTTP and HTTPS requests to a server. http://download.microsoft.com/download/iis50/Utility/5.0/W9XNT4/EN-US/wfetch.exe | |
WSBang | Tool used to perform security tests, including fuzzing, on SOAP-based Web services. |
Title | Description | Chapter |
|---|---|---|
AccessEnum | Views the permissions on the file system and registry, and is great for showing weak permissions on objects. | |
Component Services | Displays the DCOM objects installed on a computer. Comes installed in the Microsoft Windows operating system: dcomcnfg.exe. | |
GpResult | Displays the Resultant Set of Policy (RSoP) for a target user and computer. Comes installed in the Windows operating system: gpresult.exe. | |
LN | Creates a hard link to a file, but doesn’t require you to be an administrator. Available on the book’s companion Web site. | |
ObjSD | Shows the ACLs set on a security object, such as a file, registry key, named pipe, or service. Available on the book’s companion Web site. | |
PermCalc | Estimates the permissions a caller is granted on the public entry point for a .NET-managed assembly. Part of the .NET Framework 2.0 SDK. http://msdn.microsoft.com/netframework/downloads/updates/default.aspx | N/A |
WhoAmI | A command-line tool that can be used to display all of the groups that a user belongs to. |
Title | Description | Chapter |
|---|---|---|
SQL Profiler | SQL Trace utility that monitors the SQL statements executing on a Microsoft SQL Server. Available with SQL Server. | |
SQLInjection.tdf | A SQL Server Profiler template that can be used to view all of the queries, including the stored procedures in the calls they might make. Useful for detecting SQL injection bugs. Available on the book’s companion Web site. |