Review and update tool list (appendix A)

[rbsec]

Looking at Appendix A - Testing Tools there are a few issues:

• The sslyze repo linked hasn't had any updates for 6 years
• The sslscan version linked is the abandoned sourceforge project
• The version of John the Ripper linked is the original OpenWall version (last release was May 2019), rather than the more up to date version on GitHub
• Some of the browser extensions are a bit outdated ("Session Manager" for Chrome was last updated in 2016), and it's not immediately clear which browsers they're for.
• The title for sqlmap ("Bernardo Damele A. G.: sqlmap, automatic SQL injection tool") is rather odd, and doesn't fit the with the rest of the list.
• BDD Security hasn't been updated for since August 2018
• The various Linux distros listed are under the "Commercial Black-Box Testing Tools" heading
• Some of the tools aren't really appropriate for webapp testing (OllgyDbg?)

There are also quite a few commercial tools lists that aren't obviously commercial until you visit the website. Given that this is the Open Web Application Security Project, I think that the emphasis should be on open source tools, and that where anything commercial is linked (like Burpsuite) it should be clearly marked as such.

[kingthorin]

@rbsec are you willing to tackle this?

I agree with all your points.

[rbsec]

@kingthorin I can certainly have a stab at some initial cleanup. What do you think about adding (commercial) for any tools that aren't free/open source? Or is there a better way to do it?

Longer term, I think the whole page probably needs a review - it's a bit of a mishmash of random tools, with no links back to the specific testing guidance, and lots of things missing - so I guess a decision needs to be made about what should be included in it and what the purpose of that page is. But that's a much bigger project than just tidying up what's there.

[kingthorin]

Adding a commercial chunk seems good, and yes I agree a clear direction for the future makes sense.

[rbsec]

Thinking about it, I'm not really sure whether this kind of page should include commercial tools at all. This is part of the Open Web Application Security Project, and recommending tools that cost thousands (or even tens of thousands) of pounds isn't really in the spirit of that. It also opens up a load of questions about which commercial tools get included (who can then claim to be "recommended by the OWASP WSTG" or "endorsed by OWASP") - which probably isn't something that's intended.

In many ways, I think it would be best to keep this appendix to just free (ideally FOSS) tools?

[kingthorin]

I'm totally good with dropping anything commercial.

[rbsec]

@ThunderSon are you happy with commercial tools being removed?

[ThunderSon]

Yes. Please take them out.

Rationale:

1. We don't use any of them while describing any of our tests.
2. We are not testing nor verifying our recommendations as we can't get a hold of them.
3. The more we put, the more security orgs will want to simply contribute their tools, which won't help anyone.
4. This guide is focused to help anyone do web testing, and this doesn't.

Edit: This is content for another project as well. Just like there is a list of all SAST tools in a special project, this is similar in a way. Not for us to handle or manage.