
Tools

Burp Suite

Extensions

  • Extensions: https://github.com/snoopysecurity/awesome-burp-extensions
  • Turbo Intruder: https://github.com/PortSwigger/turbo-intruder

References

  • Burp Suite Pro Real-life tips & tricks: https://www.agarri.fr/docs/HiP2k13-Burp_Pro_Tips_and_Tricks.pdf

Password Attacks

  • W3brute - Automatic Web Application Brute Force Attack Tool: https://github.com/aprilahijriyan/w3brute

ADAPT

ADAPT (Automated Dynamic Application Penetration Testing) is a tool that automates web application penetration tests. Its checks are named after the OWASP Testing Guide v4 test cases they implement:

* OTG-IDENT-004 - Testing for Account Enumeration
* OTG-AUTHN-001 - Testing for Credentials Transported over an Encrypted Channel
* OTG-AUTHN-002 - Testing for Default Credentials
* OTG-AUTHN-003 - Testing for Weak Lock Out Mechanism
* OTG-AUTHZ-001 - Testing for Directory Traversal
* OTG-CONFIG-002 - Test Application Platform Configuration
* OTG-CONFIG-006 - Test HTTP Methods
* OTG-CRYPST-001 - Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
* OTG-CRYPST-002 - Testing for Padding Oracle
* OTG-ERR-001 - Testing for Error Codes
* OTG-ERR-002 - Testing for Stack Traces
* OTG-INFO-002 - Fingerprinting the Web Server
* OTG-INPVAL-001 - Testing for Reflected Cross-Site Scripting
* OTG-INPVAL-002 - Testing for Stored Cross-Site Scripting
* OTG-INPVAL-003 - Testing for HTTP Verb Tampering
* OTG-SESS-001 - Testing for Session Management Schema
* OTG-SESS-002 - Testing for Cookie Attributes
  • GitHub: https://github.com/secdec/adapt
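To make one entry in that list concrete, the following is an added Python example of an OTG-SESS-002 (Cookie Attributes) check. It is not ADAPT's code: it parses raw Set-Cookie header values and flags missing Secure/HttpOnly/SameSite, SameSite=None without Secure, violated __Secure-/__Host- prefix rules, and session cookies made persistent with Expires or Max-Age. The sample headers are constructed, and the list of session cookie names is a heuristic assumption to tune per application.

```python
"""Cookie attribute review along the lines of OWASP Testing Guide v4 OTG-SESS-002.

Added example, not part of ADAPT. It inspects Set-Cookie header values captured
from an application (constructed samples below) and reports the attribute
problems a tester would flag. No network access is needed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Names commonly used for session identifiers. Heuristic assumption; adjust per target.
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid", "sid", "session"}


@dataclass
class CookieReport:
    name: str
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split one Set-Cookie value into (name, value, {attribute: value or None}).

    Attribute names are lower-cased; flag attributes such as Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def check_set_cookie(header: str, served_over_https: bool = True) -> CookieReport:
    """Return OTG-SESS-002 style findings for a single Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    report = CookieReport(name)
    secure = "secure" in attrs

    if served_over_https and not secure:
        report.findings.append("missing Secure")
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly")

    samesite = attrs.get("samesite")
    if samesite is None:
        report.findings.append("missing SameSite")
    elif samesite.lower() == "none" and not secure:
        # Browsers reject SameSite=None cookies that are not also marked Secure.
        report.findings.append("SameSite=None without Secure")

    # Cookie prefixes (RFC 6265bis) are enforced by the browser: a violation means
    # the cookie is silently dropped rather than protected.
    if name.startswith("__Secure-") and not secure:
        report.findings.append("__Secure- prefix without Secure")
    if name.startswith("__Host-"):
        if not secure or "domain" in attrs or attrs.get("path") != "/":
            report.findings.append("__Host- prefix requires Secure, Path=/ and no Domain")

    # A session identifier should not outlive the browser session.
    if name.lower() in SESSION_COOKIE_NAMES and ("expires" in attrs or "max-age" in attrs):
        report.findings.append("session cookie is persistent (Expires/Max-Age set)")

    return report


def review_headers(headers: list[str], served_over_https: bool = True) -> dict[str, list[str]]:
    """Map each cookie name to its findings, omitting cookies with none."""
    results: dict[str, list[str]] = {}
    for header in headers:
        report = check_set_cookie(header, served_over_https)
        if not report.ok:
            results[report.name] = report.findings
    return results


# Constructed sample headers; not captured from any real application.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=A1B2C3D4; Path=/",
    "sid=7f3a9b; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-session=e9d1; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-bad=e9d1; Domain=example.com; Path=/; Secure; HttpOnly; SameSite=Strict",
    "PHPSESSID=9c2f; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=2592000",
    "tracker=1; Path=/; Secure; SameSite=None",
]

if __name__ == "__main__":
    for cookie, findings in review_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings)}")
```

Pass `served_over_https=False` when reviewing a plain-HTTP target so that the missing Secure flag is not reported twice (OTG-AUTHN-001 already covers cleartext transport); everything else applies regardless of scheme.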

Hawkeye

Hawkeye (scanner-cli) is a project-level security, vulnerability and general risk highlighting tool, built to run from pre-commit hooks and CI pipelines.

  • GitHub: https://github.com/hawkeyesec/scanner-cli

Other

  • Adobe Experience Manager (AEM) hacker toolset: https://github.com/0ang3el/aem-hacker

Practice Tools

  • OWASP Hacking Lab: https://www.owasp.org/index.php/OWASP_Hacking_Lab
  • Damn Vulnerable Web Application (DVWA): http://www.dvwa.co.uk/
  • bWAPP (buggy web application): http://www.itsecgames.com/
  • Damn Vulnerable Serverless Application (DVSA): https://www.owasp.org/index.php/OWASP_DVSA
  • DVSA in the AWS Serverless Application Repository: https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:889485553959:applications~DVSA