Web漏洞利用框架

• BlindElephant - Web application fingerprinter.
• Browser Exploitation Framework (BeEF) - Command and control server for delivering exploits to commandeered Web browsers.
• Burp Suite - Integrated platform for performing security testing of web applications.
• Commix - Automated all-in-one operating system command injection and exploitation tool.
• DVCS Ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR.
• EyeWitness - Tool to take screenshots of websites, provide some server header info, and identify default credentials if possible.
• Fiddler - Free cross-platform web debugging proxy with user-friendly companion tools.
• FuzzDB - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
• GitTools - Automatically find and download Web-accessible .git repositories.
• Kadabra - Automatic LFI exploiter and scanner.
• Kadimus - LFI scan and exploit tool.
• NoSQLmap - Automatic NoSQL injection and database takeover tool.
• OWASP Zed Attack Proxy (ZAP) - Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.
• Offensive Web Testing Framework (OWTF) - Python-based framework for pentesting Web applications based on the OWASP Testing Guide.
• Raccoon - High performance offensive security tool for reconnaissance and vulnerability scanning.
• SQLmap - Automatic SQL injection and database takeover tool.
• VHostScan - Virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
• WPSploit - Exploit WordPress-powered websites with Metasploit.
• Wappalyzer - Wappalyzer uncovers the technologies used on websites.
• WhatWaf - Detect and bypass web application firewalls and protection systems.
• WhatWeb - Website fingerprinter.
• Wordpress Exploit Framework - Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
• autochrome - Easy to install a test browser with all the appropriate setting needed for web application testing with native Burp support, from NCCGroup.
• badtouch - Scriptable network authentication cracker.
• fimap - Find, prepare, audit, exploit and even Google automatically for LFI/RFI bugs.
• liffy - LFI exploitation tool.
• recursebuster - Content discovery tool to perform directory and file bruteforcing.
• sslstrip2 - SSLStrip version to defeat HSTS.
• sslstrip - Demonstration of the HTTPS stripping attacks.
• tplmap - Automatic server-side template injection and Web server takeover tool.
• wafw00f - Identifies and fingerprints Web Application Firewall (WAF) products.
• webscreenshot - Simple script to take screenshots of websites from a list of sites.
• weevely3 - Weaponized PHP-based web shell.