VS Code Extensions by Category
Compilers, for instance, are extensively tested to determine whether they meet the recognized standard for that language. It is commonly believed that the earlier a defect is found, the cheaper it is to fix it. Delivers a single administrative interface for manual, semi-automated, and fully automated test cases. Become an Expert JS Developer. Advanced user journey modeling, scalable load, system resources monitors and results analysis. Guide to the Software Engineering Body of Knowledge.
Easy building of complex request payloads, traversing of data within the responses, and chaining data from responses into the next request. Payload validation engine can perform a 'smart compare' of two JSON or XML documents without being affected by white-space or the order in which data-elements actually appear, and you can opt to ignore fields that you choose.
Express expected results as readable, well-formed JSON or XML, and assert in a single step that the entire response payload, no matter how complex or deeply nested, is as expected. Scripts are plain-text files and require no compilation step or IDE.
Java knowledge is not required. Requires Java 8 and Maven. From dev to live monitoring, all without having to write any code. With each test execution the platform saves the metrics. Know the latency and download times of every call, from various locations globally. True performance test, not just a ping test.
Cloud-based or on-premises solution - entire platform can be deployed internally with a Docker container. When there is an issue, the report contains a snapshot of the header information and the payload.
Created by Jakub Roztocil. Frisby tests start with frisby. Visually create and run single HTTP requests as well as complex scenarios. Save calls history, locally or to the cloud, and organize it in projects; build dynamic requests with custom variables, security and authentication.
Build tests that verify services are returning expected data and receive notifications when things go wrong. Free and paid plans available. Assertible - Tool for continuously testing your web services. HTTP requests are made to an application's staging or production environment and assertions are made on the response to ensure your APIs and websites are running as expected.
Bench Rest - Open source Node.js. Ability to automatically handle cookies separately for each iteration; automatically follows redirects for operations; errors will automatically stop an iteration's flow and be tracked. Allows iterations to vary easily using token substitution. No dependencies, works with any unit testing framework.
A helpful library for unit testing your code. Has cross browser support and also can run on the server using Node. Services can be made "intelligent" so app under test can make API calls needed to get similar behaviour back as it would from the actual component. Fault injection to simulate real application behaviour. Free for up to requests. Source also available at https: Enables defining of JSON endpoints based on a simple template object. Namespace aware - have your mocks on your own domain.
Each space serves a domain on mockable. You can have as many spaces (domains) as you need. Mocks can also be served on your company DNS domain. Free and paid account types. Useful for testing to easily recreate all types of responses.
Isolate the system under test to ensure tests run reliably and only fail when there is a genuine bug, not due to dependencies and irrelevant external changes such as network failure etc. Set up mock responses independently for each test to ensure test data is encapsulated with each test, easily maintained, and avoid tests dependent on precursor tests.
Enables more efficient development by providing service responses even if the actual service is not yet available or is still unstable. Also available as a Vert.x module, or build and run MockServer directly from source code. Intercepts HTTP connections initiated by your app and returns recorded responses.
The first time a test annotated with Betamax is run any HTTP traffic is recorded to a 'tape' and subsequent test runs will play back the recorded HTTP response from the tape without actually connecting to the external server.
Tapes are stored to disk as YAML files. It will only work if the certificate chain is broken. WireMock - An open source Java library for stubbing and mocking web services, by Tom Akehurst. Unlike general purpose mocking tools it works by creating an actual HTTP server that your code under test can connect to as it would a real web service.
Capabilities include WSDL validation, load and performance testing; graphically model and test complex scenarios. Handles more than message types. Use environment variables to easily shift between settings - good for testing production, staging or local setups. Builds on jQuery and Bootstrap. Requires a browser with HTML5 support. Simulate traffic via load agents that can generate load from Windows or Linux-based nodes using a mix of either on-premise or cloud traffic. Virtualize external APIs that don't allow or handle load tests very well.
Can reuse existing SoapUI Pro functional tests. SoapUI Pro paid version with more extensive features available also. Injects two types of faults: Can be used standalone or in combination with a debugger.
Customizable to support any XML protocol. Java application, runs on multiple OSs. SOAPSonar - Web services client simulation for service testing - for functional, automation, performance, compliance, and security testing; from CrossCheck Networks. Concurrent Virtual Clients - independent loading agents aggregate statistics for throughput, latency, and TPS.
Ramp-up, ramp-down, and weighted scenarios. Vulnerability Analysis includes dynamic XSD mutation security testing with automatic boundary condition testing.
Risk assessment and risk mitigation extensible rule framework. Available as free personal edition, pro edition, server edition. Decouple your own process from time constrained access to external systems, quickly isolate bad actors and poor performers during integration and load testing. Enables developing and testing before your actual API is deliverable, enables testers to have control over simulated responses and error handling, and better deal with versioning problems and speed up resolution during continuous integration cycles.
WebInject - Open source tool in Perl, by Corey Goldberg, for automated testing of web services and apps. Can run on any platform that a Perl interpreter can be installed on.
Free 'Express' edition available. Reports can include metadata, access to log files, list of commands and responses, screenshots, screencast, etc. SauceConnect available for secure tunneled testing of local or firewalled sites.
Plugins available for Travis, Jenkins, Bamboo, more. For all major browsers. Keeps track of new browser releases and updates. Reports contain browser specific full-page and original-size screenshots. See and interact with multiple different browsers side by side - all Browsers stay fully interactive. Navigate and reload in all browsers simultaneously. Capabilities include Selenium integration.
With 1 click you get an instant Selenium maintenance-free auto-scaling cross browser testing infrastructure. The grid environment is updated regularly to support new browsers and Selenium versions. Videos of every test are available for debugging. CrossBrowserTesting - Test your website in dozens of browsers and real devices; over one thousand combinations of browsers, OSs, and devices - not emulators. Test your sites on more than browsers across more than 40 operating systems, including iOS, Android, Windows, Mac and more.
Works with selenium automation. Can work with test sites that are behind firewalls. Lunascape - A free 'triple engine' web browser from Lunascape Corp.
By clicking the smart engine-switch button next to the address bar, a user can switch rendering engine for any page, enabling running and testing of a website in multiple rendering engines.
Also included is a 'switch user agent' capability. Capabilities include selenium automation integration, tunneling to any local server environment, HTTPS. Mobile testing via emulators. Stacks include a wide variety of developer tools. Microsoft provides virtual machine disk images to facilitate website testing in multiple versions of IE, regardless of the host operating system.
Requires VirtualBox, Curl, Linux. TestingBot - Cloud-based automated cross-browser testing service from TestingBot - utilize Selenium tests to run in the cloud on the TestingBot grid infrastructure. Compose a Selenium test with simple commands. Also allows running tests at a specific time and interval, with failure alerts. Manual testing capability also. Turbo - Turbo (formerly Spoon) is a lightweight, high-performance container platform for building, testing and deploying applications and services in isolated containers.
The runtime environment of Turbo containers is supplied by the Turbo Virtual Machine (SVM), a lightweight implementation of core operating system APIs, including the filesystem, registry, process, and threading subsystems. Containerized applications consume only a small percentage of additional CPU and memory relative to native applications.
Turbo overhead is generally negligible. For manual browser testing, you can run any version of any browser in a container or build a custom browser container with components like Java and Flash.
The automated testing solution allows running tests with Selenium on the Turbo web-based Selenium Grid that utilizes your browser containers on your local machine to minimize your testing environment setup. Browsers and test scripts can run on your local machine, so there is no need for any special proxy configuration or modifications to the URL when testing an internal site. Supports Chrome, Firefox, and IE. Hosted, Enterprise, and ISV licensing; free and paid versions.
Utilu - Free utilities from Utilu that contain collections of standalone versions of IE or Firefox browsers; multiple versions can be used at the same time. Utilu Mozilla Firefox Collection contains more than ten versions of Firefox (English versions only); also includes the Firebug and Web Developer add-ons and Flash player; configurable to install only the specified desired version.
Supports upgrading - no need to uninstall a previous version before installing a newer version. Utilu IE Collection contains more than ten versions of Internet Explorer (English versions only); configurable to install only the specified desired version; original version number is shown correctly in the User Agent string; version number also shown in window title; includes the IE Developer Toolbar. Screenshot comparison function 'Onion Skin' or 'Side-by-Side'.
Each browser is virtualized into a single exe, enabling you to run multiple web browsers side by side locally on a single PC. Can run different versions of each browser simultaneously. Integrated screenshot comparison tools, assess differences visually with onion skin and animated overlay screenshots comparisons. Preview web site across multiple devices and resolutions from iPhones to desktop computers in a single click. IE Netrenderer - Free site allows you to check how a website is rendered by Internet Explorer from current versions back to 5.
Just type in a URL. Able to process a large number of capturing jobs in parallel and in realtime, making for fast service. Litmus - Cross-browser testing service from Salted Services Inc.
Note that some tools in this section also have cross-browser testing capabilities and some have visual regression testing capabilities. Provides project templates for organizing test cases, object repository and keywords. Scripts can be edited or created in Groovy.
Runs test cases or test suites using multiple configurations and data sets. Dynamic failure handling and auto re-execution. Includes run-time rules to automatically handle complex execution flows. Advanced logging, debug data and screenshots. WebdriverIO - An open source testing utility for Node.js. Lets you control a browser or a mobile app with minimal lines of code. Removes the cumbersome setup work and manages the Selenium session for you.
The test runner comes with a variety of hooks that allow you to interface into the test process. This is used by WebdriverIO's services to integrate your tests with 3rd party tools like Appium.
Built-in test recorder, object repository, data repository. Smart Recorder for All Browsers. Secured Tunnel to test applications hosted behind your firewall. Test editor to create your new test or modify existing one with more than Keywords to perform all possible actions on your application. Full access to devices. Capture screenshots, device logs, crash report and device video sessions. Measure CPU utilization of device and app; memory consumption; get detailed analysis on memory consumption of app and its processes; track Battery drainage.
For manual testing, automated testing, and performance testing. Jenkins plugin available; API's available for integrating with other tools. Public cloud, private cloud, and on-premises cloud options.
Qualitia - Test automation tool provides a step-wise approach to quickly build test automation and handle complexities easily with a unique scriptless approach. Default priorities are set based on best practices; however flexibility in altering defaults is available. Includes test case management capabilities. For Win, Linux, Mac and Unix. Capabilities include auto-generation of: Gauge - Open source lightweight cross-platform test automation tool for authoring test cases in business language, from ThoughtWorks.
Replaces the previous Twist tool. Has a rich markup based on markdown; support for writing test code in any programming language (currently Java, Ruby, C#). Modular architecture with plugin support. Screenshots can be taken at any step(s) in tests. Simplified automation setup using predefined commands. Test runs use real browsers and can be set to run at predefined intervals.
Each test can have up to 13 steps. For Firefox, IE and Chrome. Certify - Test automation management tool from WorkSoft, Inc. For managing and developing test cases and scripts, and generating test scripts. After recording a script it can be played back in the script editor to check for and resolve errors. Scripts can be saved to a local file and manually edited to inject certain verification steps, add time delays, timeout counters, or screen shots via the script editor and add the necessary tasks.
The script player can automatically replay at set configurable intervals from a local machine. Playback results are recorded on your local machine, and you can set the player to send email alerts if any errors are detected. Scripts can also be uploaded and run from Dotcom-Monitor's locations around the world. RoutineBot - A functional test automation tool from AKS-Labs that enables creation and execution of tests based on image patterns.
Usetrace - Software testing service designed for agile, continuous development environments, from Usetrace Ltd. Automated tests are called traces, which are visual descriptions of the user paths through the application under test. Traces are made by interacting with your site as your users would.
Usetrace records these interactions into modules that can be reused, building a highly maintainable automation test suite for your app's UI. Tests on IE, Firefox and Chrome. Useful for doing functional tests, page automation, network monitoring, screen capture, etc. Similar to PhantomJS (which is built on top of WebKit), except that it runs on top of Gecko, the browser engine of Mozilla Firefox, instead of WebKit, and is not yet truly headless.
Page rendering in SlimerJS is strictly identical to the rendering in Firefox. It enables functional testing of web applications with an isolated test database, isolated from the DB of the tested application. Other enhanced capabilities include: ChemistryKit - Framework for Selenium WebDriver was designed to help get started with Selenium WebDriver quickly, to grow as needed, and to avoid common pitfalls by following convention over configuration.
Ruby; Built on top of RSpec. Makes it simple to encapsulate data about a particular user that is "using" your application that you are testing.
Users are called "chemists". When you create a new test harness there will be a chemists folder; in this folder you can create any number of files with arbitrary user data.
OS agnostic - run tests on Win, Mac or Linux. Run tests on remote computers and mobile devices, in multiple browsers and on multiple machines simultaneously. Ships with powerful built-in visual test recorder, and can execute generated tests on demand or as part of a CI system. Community Edition [Zapfree] is a no-cost, entry-level test automation technology for users interested in ad-hoc software testing cross-platform. HttpMaster - Web app test automation tool from Borvid.
Key features are dynamic parameters, response data validation rules, response data viewers, properties to fine tune web requests, intuitive user interface, and 'quick help' buttons. Express (free) and Pro versions available. .NET Framework or Mono. Delivers a single administrative interface for manual, semi-automated, and fully automated test cases.
Can verify that a GUI element has certain appearance or contains a certain subimage inside or near it. Recorder, component inspector, RIAScript scripting language and debugger. GEB - Open source cross browser automation tool leverages the WebDriver library for browser automation - Works with any browser that WebDriver works with. Supports remote and headless browsers. Comes with four drivers out of the box: Selenium - Open-source tool set, originally from Thoughtworks. Works with most browsers and OS's.
Drivers available for most browsers. Watir - 'Web Application Testing in Ruby', an open-source family of web automation libraries in Ruby. For a listing of additional tools that are available to extend some capabilities, see the Watir site. Fast and native support for various web standards: Can use for general command-line based testing, within a precommit hook, and as part of a continuous integration system.
Can create web page screenshots with thumbnail preview. Available as executable binary for Win, Mac, Linux. Rapise - Functional test automation platform from Inflectra, Inc.
View current and previous test results in the Jubula client; automatic screenshot on error. Patterns for web sites can be designed by using the point-and-click editor as an Eclipse plugin. Tests can be recorded by using the point-and-click recorder in all supported web browsers (IE, Firefox, Safari) and immediately be replayed in all other browsers without modification.
Janova - A web-based, automated web testing tool that runs functional tests securely in the cloud. Users configure Janova using project structures of Features (test scripts), Pages and Flows to access their web-based application and define the requirements of the site in English. Features describe how the application is supposed to work; once a feature has been created, a user defines what verification elements are supposed to be on the web page. Includes detailed test results reports.
Test maintenance is faster using web element abstraction techniques. Scripting with C# and VB. Tests can be re-run whenever needed or as scheduled. Cloud load testing and site monitoring services also available. Tellurium - Web-based test tool - no installation, and no tests taking over your machine; log in and begin managing your tests and collaborating with your team.
Uses domain-specific language 'PBehave'. Robust test case management - organize your test suite as much or as little as you like with groups, tags, and playlists.
Easily relate tests by area of functionality, type, owner, or any other category, then view and run those tests with a click. Real-time email notifications with test results; schedule recurring test runs; reuse tests for functional testing, smoke testing, monitoring, and more. Write flexible tests using test data and custom phrases.
Application modeling with graphs - state chart XML (SCXML) with a drag and drop user interface running in a standard browser; many test sequencers (test generation) to meet different testing needs, test automation with Java or mScript (XML-based scripting), statistical analysis of test executions, and virtual concurrent users for load testing.
Ruby gem also available. It is inspired by and aims to replace Webrat as a DSL for interacting with a web application. Automatically waits for your content to appear on the page - manual sleeps not needed. It is agnostic about the driver running tests and as of comes bundled with support for Rack::Test and Selenium built in.
It is similar to Culerity which drives Celerity which also drives HtmlUnit. Mechanize - Open source Ruby library for automating interaction with websites; automatically stores and sends cookies, follows redirects, can follow links, and submit forms.
Form fields can be populated and submitted. Also keeps track of the sites visited. It's a mashup of Selenium and FitNesse: Inc with robust automated testing capabilities.
Tasks can be developed via drag-and-drop without writing code. Runs on Windows platforms. Can use variables inside the macros, and import data from CSV files. Includes user agent switcher, PDF download and Flash, ad and image blocking functions.
Includes modules for testing web applications through either IE or Firefox, and modules for testing Swing and .NET WinForm applications also. Works with any web application on any browser, any operating system. The same script works on all browsers. The Sahi Controller helps easily identify and experiment with elements on any browser. APIs to easily locate one element with respect to another. Eliminates the need for wait statements even for inconsistent page loads and AJAX.
Execute tests in parallel on one machine or distribute them across machines. Can run from the command line. Free Sahi OS open source limited version also available. FitNesse - A lightweight, open-source framework that makes it easy for software teams to collaboratively define Acceptance Tests -- web pages containing simple tables of data inputs and expected outputs - and run those tests and see the results.
FitNesse is a web server. WebFT - Web-centric functional testing solution from Radview, supports both established and emerging web technologies. Provides a visual environment for creating Agendas (scripts) that includes test recording, editing, debugging, verification and reporting features.
Has many features like multiple parameter based object identification for more reliable object recognition, support for XML Based Object Repository and more. Scripting in Ruby; written in Ruby. Regression Tester - Web test tool from Info-Pack. Create, run and debug functional and regression tests for web applications.
Freeware; downloadable jar file. Can be run via a GUI front-end or via command line tools. Can execute tests in a debugger allowing setting breakpoints and stepping through test scripts. Functional tests are pure Python scripts using the pyUnit framework. Designed for end users who are doing web based software testing, as a simple tool to record test scenarios, and play them back and generate log files.
The user may also check for text or images on the screen or save screenshots. Soda - Selenium Node.js. Supports multiple browsers and versions. It helps users to create, organize and execute functional unit tests. Includes a test runner with a GUI interface. QEngine - Automated testing tool from Zoho Corp. For Linux and Windows.
Support for development controls such as Developer Express, Telerik and Microsoft among others. Advanced framework for writing test scripts in Java similar to open-source frameworks like HttpUnit, HtmlUnit etc.
Provides a high-level API for navigating a web application combined with a set of assertions to verify the application's correctness including navigation via links, form entry and submission, validation of table contents, and other typical business web application features. Utilizes HttpUnit behind the scenes. The simple navigation methods and ready-to-use assertions allow for more rapid test creation than using only JUnit and HttpUnit.
SimpleTest - Open source unit testing framework which aims to be a complete PHP developer test solution. This includes web page navigation, cookie testing and form submission. WinTask - Macro recorder from TaskWare, automates repetitive tasks for Web site testing and standard Windows applications, with its HTML objects recognition, keystroke and mouse handling.
Includes capability to expand scope of macro scripts by editing and adding loops, branching statements, etc. For IE, Firefox, Chrome.
XML-based test script code is editable with user's preferred XML editor; until recording capabilities are added, scripts have to be developed manually. Can group tests into a testsuite that again can be part of a bigger testsuite. Standard reporting XSLT stylesheets included, and can be adapted to any reporting style or requirements.
Handles Applets, Flash, Active-X controls, animated bitmaps, etc. Special validation points, such as bitmap or text matching, can be inserted during a recording, but all recorded items are validated and logged 'on the fly'.
It can test thousands of test scenarios without use of any scripts. Allows creation of completely new test scenarios without ever having performed that test before, all without changing the tool, the testware architecture (object names, screen names, etc.), or the logic associated with the engine. Testers enter test data into a spreadsheet used to populate objects that appear for the particular test scenario defined. Badboy - Tool from Bradley Software to aid in building and testing dynamic web based applications.
Free for most uses; source code available. Perl module that allows a user to automate use of IE via Perl scripts; Written in ActivePerl, allowing inheritance of all Perl functionality including regular expressions, Perl dbi database access, many Perl cpan library functions. Easy development and maintenance - no need to keep track of GUI maps for each window.
HTTP requests and responses are fully displayed in order to inspect and customize their content. Allows the attachment of extraction or replacement rules to any HTTP message content, and assertions to responses in order to validate a scenario during its playback. Ideally suited for automated unit testing of web sites when combined with a Java unit test framework such as JUnit. Emulates the relevant portions of browser behavior, including form submission, basic http authentication, cookies and automatic page redirection, and allows Java test code to examine returned pages as text, an XML DOM, or containers of forms, tables, and links.
Includes ServletUnit to test servlets without a servlet container. Records any combination of browsing, form filling, clicking, script testing and information gathering; assists user during the recording with visual feedback. Power users can manually edit a recorded macro. A command line interface allows for easy integration with other test software. Can handle data input from text files, databases, or XML. Can extract web data and save as CSV file or process the data via a script.
MaxQ - Free open-source web functional testing tool from Tigris. Works as a proxy server; includes an HTTP proxy recorder to automate test script generation, and a mechanism for playing tests back from the GUI and command line. Jython is used as the scripting language, and JUnit is used as the testing library.
It analyses the underlying intentions of the script and executes it by direct communication with web page elements. IntelliScripting logic removes the reliance on specific browser window sizes, component location and mouse movements for accurate replay, and for easier script maintenance. Playback can run in background while other tasks are performed on the same machine.
.NET, and web-based applications. Enables data-driven testing, choice of scripting languages and editors. For Windows and Linux. Cucumber - Open source tool for executing plain-text functional descriptions as automated tests - it supports BDD (Behavior-Driven Development).
Stories can be run on the command line (typically for continuous integration) or in any modern Java IDE that supports unit testing frameworks (JUnit supported by default, but any test framework can be easily adopted). Scenarios can be written in JBehave syntax or Gherkin syntax. Capabilities include screenshots, stack traces, results breadcrumbs; integrates well with Selenium WebDriver.
Concordion specifications use an attractive stylesheet that makes them easy to read. Supports 3 levels of usage: Serenity - An open source automated acceptance tests reporting Java library. Helps structure your automated acceptance tests in order to make them easier to understand and maintain, and provides great reporting capabilities on top of tools like JBehave, Cucumber or JUnit.
Also provides tight integration with WebDriver, to make automated web testing easier and more efficient. Works in two ways: For example, you can get Serenity to report on what requirements, features or stories you have implemented, and how well (or not) they were tested.
SpecFlow - Cucumber for .NET. BDD tool to define, manage and automatically execute human-readable acceptance tests in .NET framework, Xamarin and Mono. Integrates with Visual Studio, but can also be used from the command line. Supports multiple testing frameworks: AppSpider - Web application security testing tool from Rapid7 includes interactive actionable reports that prioritize the highest risk security issues and streamline remediation efforts.
Can drill deep into a vulnerability to get more information and replay attacks in real-time. Provides interactive actionable reports that behave like web pages with effective organization and links for deeper analysis. Veracode Web Application Scanner - Web application scanning tool from CA Technologies; discovers and inventories all of your external web applications, then performs a lightweight scan on thousands of sites in parallel to find critical vulnerabilities and helps you prioritize your biggest risks.
As a second step, you can run authenticated scans on critical applications to systematically reduce risk. Offers multiple scanning technologies on a single platform, so you get unified results, analytics, and increased accuracy. Brakeman - Open source ruby static code analysis tool checks Ruby on Rails apps for security vulnerabilities. W3af - Web Application Attack and Audit Framework, an open source web application security scanner which helps developers and penetration testers identify and exploit vulnerabilities in their web applications.
Has a graphical and console interface; written in python. Helps automatically find security vulnerabilities in your web applications while you are developing and testing your applications.
Also useful to experienced pentesters for manual security testing. Checkmarx CxSAST - Static code scanning tool from Checkmarx provides the ability to find vulnerable lines of code and learn how to fix them. Supports 20 coding and scripting languages and their frameworks. Incremental scan capability only analyzes new code or modified code.
Provides full path coverage, ensuring that every line of code and every potential execution path are tested. .NET, Ruby, and more.
Supports over compilers and many popular IDEs. InsightAppSec - Cloud-based web application security scanner from Rapid7. Analyzes site exposure risk, ranks threat priorities. Provides a replay capability for each vulnerability, so that after a developer. Provides actionable insights with reports that speed remediation. Its various tools work together to support the entire testing process, from initial mapping and analysis of an app's attack surface, through to finding vulnerabilities.
Can combine advanced manual techniques with state-of-the-art automation, to enable faster and more effective security testing. An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application; an application-aware Spider, for crawling content and functionality; an advanced web application Scanner, for automating the detection of numerous types of vulnerability; an Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities; more.
Extensible, allowing writing of custom plugins. Score reported as a grade A-F. Detailed analysis syntax, validity, trustworthiness of HTTP headers that may impact web server, web application or website visitors security or privacy; analysis of HTTP methods that may put web server, web application or website visitors at risk; detailed analysis of web application cookies for secure attributes that may improve web application and website visitors' security and privacy.
ParosPro - Web security auditing platform from Milescan Technologies. Capabilities include a network spider to collect information about a site's hierarchy; vulnerability scanning based on plug-ins written to target common web vulnerabilities, including many popular Content Management Systems vulnerabilities; simulates hacker attacks; scan scheduling; more.
Prepares an interactive sitemap by carrying out a recursive crawl and dictionary-based probes. The map is then annotated with the security check output. The final output report is meant to serve as a foundation for professional web application security assessments. Goals for the tool are stated as: Raw speed; Unique brute-force capabilities: Includes a variety of open source and free web pen testing tools. Includes reconnaissance, mapping, discovery, and exploitation tools, and a pre-configured wiki set up to be the central information store during pen testing.
Tarantula - Open source tool from Relevance Inc. Provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, its potential severity, and potential remedies. Also performs some basic analysis to try to rule out conditions that are obviously not problems. As the name implies, it provides a rough analysis of source code, and will not find all errors, and will find things that are not errors; can be used as an aid to manual code inspection.
Not updated since Tries virtually every attack combination, intelligently starting with the most likely scenarios, and detects application anomalies which indicate a successful attack. Provides a complete report with the facts and recommendations needed to take corrective action. Powerfuzzer - Open source automated customizable Web fuzzer; based on many other open source fuzzers available and information gathered from numerous security resources and websites.
Capable of spidering websites and identifying inputs. Capable of identifying common web vulnerabilities incl. Project leader is Marcin Kozlowski.
Commercial version Powerfuzzer Online available as an online service. Wapiti - Open source vulnerability scanner for web applications. Uses Python; no SSL support. Upon completion of the scan, merchants have access to an auto-generated PCI Security Standards Council certified report. The scan report clearly indicates whether the merchant's payment network is secure, in which case the merchant may download the report and submit it to the acquiring bank.
Provides full vulnerability scanning, pen testing. Powerful cloud security scanner that finds vulnerabilities on websites: Netsparker - Web application security scanner from Mavituna Security with integrated exploitation features to allow users to exploit the identified vulnerabilities and see the real impact of the problem. Via desktop or online service. Kyplex Cloud Security Scanner - Cloud-based web site security scanning service - no installation or network modifications required. Capabilities include detection of cross-site scripting (XSS) vulnerabilities, hidden directories and backup files, known security vulnerabilities, SQL injection vulnerabilities, and more.
Finds complex security breaches and web server configuration errors, as well as zero-day vulnerabilities. Fortify - Security product suite from Micro Focus (formerly HP, formerly Fortify Software); includes vulnerability detection. Integrates static source code analysis, dynamic runtime analysis, and real-time monitoring to identify and accurately prioritize the greatest number of critical security vulnerabilities. Capabilities include the Program Trace Analyzer (PTA) that finds vulnerabilities that become apparent only while an application is running - integrate into a QA test to find vulnerabilities while a functional test is being conducted on an application.
Capabilities include auto-population of forms, exportable XML-based reporting. Trustwave AppScanner - Automated security testing tool set for web applications, web services and cloud and mobile apps, from Trustwave Holdings Inc. Available as a cloud-based on-demand service or installed on-premises app.
Looks at actual behavior, as opposed to code strings, thus preventing excessive false positives. Centralized dashboard instantly displays application risk scores and tracks trends over time, and provides threat prioritizations. GamaSec - Automated online website vulnerability assessment delivers proactive tests to Web Servers, Web-interfaced Systems, and Web-based Applications. Wikto - Web server security assessment tool for Windows servers, open source, from SensePost.
Its three main sections are its Back-End miner, Nikto-like functionality, and Googler to obtain additional directories for use by the other two. Includes ability to export results to CSV file. Scan items and plugins are frequently updated and can be automatically updated. Ability to test the dynamic behavior of running web applications and services to identify security vulnerabilities; integrates runtime analysis to expand the attack surface and identify issues in hidden directories and pages that go undetected by black-box testing alone.
Provides details and priorities of each vulnerability. Assessment module can be used by auditors and compliance officers to conduct comprehensive audits, and to validate compliance with security requirements. This includes, but is not limited to, routers, switches, firewalls, desktop and server systems, laptops, PDAs, cell phones and other mobile systems, as well as a large number of various embedded systems. Because several protocols from this category are often tightly coupled with the underlying operating system, serious flaws in handling them may easily result in total system compromises.
SecurityMetrics Vulnerability Scan - Service from SecurityMetrics that analyzes external network devices like servers, websites, firewalls, routers, and more for security vulnerabilities which may lead to interrupted service, data theft or system destruction. Includes instructions to help immediately remedy security problems. Testing capabilities across network, web, mobile, and wireless. Uses penetration testing techniques to safely identify exposures to critical, emerging threats and trace complex attack paths.
Snort - Open source network intrusion prevention and detection system from Cisco; capable of performing real-time traffic analysis and packet logging on IP networks. Nessus - Vulnerability scanner from Tenable Network Security with high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of security posture.
Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks. Free for home users; annual fee for Professional license.
Includes scripting language for writing custom plugins. Security Center - Security management tool from Tenable Network Security for asset discovery, vulnerability detection, event management and compliance reporting for small and large enterprises. Includes management of vulnerability, compliance, intrusion and log data. Updated regularly; CVE compatible.
Includes DoS testing, reports specify severity levels of problems. Single machine or full network scans. Runs on many UNIX flavors.
Nmap (Network Mapper) - Free open source utility for network exploration or security auditing; designed to rapidly scan large networks or single hosts.
Includes various types of security tools, not just for testing. Monitis - Monitoring service - websites, networks, cloud, servers, apps with a unified dashboard. Website uptime and response time, Server health, Network performance, Custom metrics, and more. Easy-to-use API, integrations and plug-ins; archived performance history is stored for 2 years.
More than 35 strategic monitoring locations. Easily deployed on-premises or from multiple locations throughout the world, and captures real-time end-user experience with notifications and crowd-sourced benchmarks. From Exoprise Systems Inc. Web Performance Monitor - Monitoring service from Solarwinds Worldwide LLC; key features include continuous synthetic transaction monitoring, detailed load-time metrics, monitoring from multiple locations, browser-based transaction recorder, transaction recording.
Dynamic languages here are generally pretty solid. To use opposite extremes here, the difference here is pretty clear. For the same reason as correctness checking, doing refactorings that get more complex than a global string search and replace starts to seriously suck in dynamic languages.
If you want to delete a method with a common name, or get autocomplete on an object passed into a function, you might be shit out of luck. In Python this looks like pdb. In the middle of your breakpoint, you can define new functions, invoke arbitrary functions, write data to files — whatever you want. This is arguably the biggest downside of statically typed languages. Type checking, as it turns out, is frequently slow. And since in most of these languages type resolution is a prerequisite to code generation, slow type checking means slow compiling.
Slow compiling means slow iteration time. Suffice to say, this was not a fun experience. If your Post and Picture classes both have a. And if you do decide to do it manually because you need to go manually decide on that second argument value at all the new call-sites, no problem — your compiler will quite happily tell you if you done goofed or not.
The level of safety you get here varies wildly by language. Statically typed languages kill it here. Since, by definition, the type of every variable must be known without needing to execute the code, your editor can be quite confident which operations are valid on which variables, and helpfully autocomplete them. It can also facilitate things like field renaming, automatic documentation lookup, consistently working go-to definition, and go-to usages. My experience varies here, but for the most part I have been displeased by my debugging experiences in statically typed languages.
While gdb and friends will let you evaluate certain expressions, you lose the ability to do arbitrary manipulations like define debugging helper functions or easily write function invocations on anything templated.
But back to types. Why do I need to specify the type information twice? This feels super dumb. More generally, if I do: