- Page Load Time: Displays the page load time in the toolbar without any effort, so you don't need a separate page load time tool and don't have to open Firebug -> Network to measure how long the page takes to load.
Security / Penetration Testing Tools
Test your sites and web applications and perform a security assessment/audit of your work with these handy tools:
- Tamper Data: Use it to view and modify HTTP/HTTPS headers and POST parameters, and to trace and time HTTP requests/responses. You can security-test web applications by modifying POST parameters.
- HackBar: This toolbar will help you in testing sql injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code.
- XSS Me: XSS-Me is used to test for reflected Cross-Site Scripting. The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. The tool does not do port scanning, packet sniffing, password hacking or firewall attacks.
- SQL Inject Me: SQL Inject Me is used to test for SQL Injection vulnerabilities. The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an SQL Injection attack. The tool sends database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.
- Groundspeed: Groundspeed allows input validation testing from the top down, starting at the web application interface level instead of at the HTTP protocol level. Some of the practical uses of Groundspeed include changing hidden fields, select drop-down lists and other fields into text fields, removing size and length limitations on input fields, and modifying JavaScript event handlers to bypass client-side validation without actually removing it.
- Netsparker Community Edition (Windows): This is the free community edition of the powerful Netsparker, which still comes with a bunch of features and is also false-positive-free. The application can detect SQL injection and cross-site scripting issues. Once a scan is complete, it displays the solutions beside the issues and lets you see the browser view and the HTTP request/response.
- Websecurify (Windows, Linux, Mac OS X): Websecurify is a very easy-to-use, open source tool that automatically identifies web application vulnerabilities using advanced discovery and fuzzing technologies. Once a scan has run it can create simple reports (which can be exported into multiple formats). The tool is also multilingual and extensible through add-on support.
- Wapiti (Windows, Linux, Mac OS X): Wapiti is an open source, web-based tool that scans the pages of a deployed web application looking for scripts and forms where it can inject data. It is built with Python and can detect:
  - File handling errors (local and remote include/require, fopen, readfile…)
  - Database, XSS, LDAP and CRLF injections (HTTP response splitting, session fixation…)
  - Command execution detection (eval(), system(), passthru()…)
- N-Stalker Free Version (Windows): The free edition performs a restricted yet still powerful set of web security assessment checks compared to the paid versions of the application. It can check up to 100 web pages at once, including web server and cross-site scripting checks.
- Scrawlr (Windows): Scrawlr is free software for scanning your web applications for SQL injection vulnerabilities. It is developed by the HP Web Security Research Group in coordination with the Microsoft Security Response Center.
- Watcher (Windows): Watcher is a plugin for Fiddler (the awesome HTTP debugging proxy) and works as a passive-analysis tool for HTTP-based web applications. It runs silently in the background and interacts with the web application to apply 30+ tests (new ones can be added) while you browse. It will identify issues like cross-domain form POSTs, dangerous context switching between HTTP and HTTPS, etc.
- x5s (Windows): x5s is again a plugin for Fiddler, just like Watcher, and is designed to find encoding and character transformation issues that can lead to XSS vulnerabilities. It simply tests user-controlled input using special characters like <, > and ', and reviews how the output encodes those special characters.
- WebScarab (Windows, Linux, Mac OS X): WebScarab is actually a proxy for sniffing and manipulating HTTP(S) traffic. However, it comes with features like a "parameter fuzzer" (for testing XSS and SQL injection vulnerabilities), "CRLF injection" (HTTP response splitting) and more.
- Acunetix Free Version (Windows): This is the free, limited-feature version of a paid/pro product. It performs a check on any website and identifies cross-site scripting (XSS) vulnerabilities. And, if you are looking to improve yourself in the area of web application security and need an application you can legally practise on, there is DVWA (Damn Vulnerable Web App), which exists for just this purpose.
Mind-Mapping / Flow-Charts / Work-flow / UI Prototype Designing Tools
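The check that x5s is described as performing above, re-created here as an added example (this is not x5s's own code): a marker string carrying the special characters <, >, ' and " is pushed through a page template, and each character is then classified as reflected raw, reflected HTML-encoded, or absent. Two hypothetical render functions stand in for the application under test: one that concatenates input straight into HTML, and the corrected one using Python's html.escape.

```python
import html

# Characters an x5s-style check probes with; each should come back HTML-encoded.
PROBE_CHARS = ["<", ">", "'", '"']

# Entity forms produced by html.escape(value, quote=True).
ENCODED = {"<": "&lt;", ">": "&gt;", "'": "&#x27;", '"': "&quot;"}

# Constructed probe: a recognisable marker followed by every special character.
PROBE = "x5s" + "".join(PROBE_CHARS)


def render_unsafe(name: str) -> str:
    """Hypothetical template that concatenates user input straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name: str) -> str:
    """Same template with output encoding applied to the user-controlled value."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def check_encoding(probe: str, rendered: str) -> dict:
    """For each probe character, report 'raw', 'encoded' or 'absent'.

    The marker prefix locates the reflection point, so markup that belongs to
    the template itself (the <p> tags) is not mistaken for a raw reflection.
    Only the text between the marker and the next closing tag is examined.
    """
    marker = probe.rstrip("".join(PROBE_CHARS))
    start = rendered.find(marker)
    if start == -1:
        return {c: "absent" for c in PROBE_CHARS}
    tail = rendered[start + len(marker):]
    end = tail.find("</")
    reflected = tail if end == -1 else tail[:end]
    verdict = {}
    for c in PROBE_CHARS:
        if ENCODED[c] in reflected:
            verdict[c] = "encoded"
        elif c in reflected:
            verdict[c] = "raw"
        else:
            verdict[c] = "absent"
    return verdict


def audit(render_fn) -> dict:
    """Push the probe through a render function and return the per-character verdict."""
    return check_encoding(PROBE, render_fn(PROBE))


if __name__ == "__main__":
    for fn in (render_unsafe, render_safe):
        print(fn.__name__, audit(fn))
```

A verdict of "raw" for any character means the template reflects that character unencoded and needs output encoding at that point; "encoded" across the board is the outcome a developer wants to see for every user-controlled value the page renders.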
- Draw.io: draw.io is a free online diagram drawing application for workflow, BPM, org charts, UML, ER and network diagrams. It can also be connected to Google Drive. It works directly in your browser.
- Gliffy: Professional-quality flowcharts, org charts, UML diagrams, network diagrams, wireframes, technical drawings and more. Gliffy works directly in your browser!
- XMind: XMind is an open source project, which means it's free to download and free to use forever. XMind Plus/Pro, with more professional features, are also available. Millions of people use XMind to clarify their thinking, manage complex information, run brainstorming sessions and get work organized.