Open Source Java Software Testing Tools

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing. ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application.

DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers.

It's a tool for testing HTTP servers and Web applications. It supports HTTP/HTTPS protocols, GET,POST and HEAD methods, HTTP proxies, refferes and cookies. It's like HTTP Debugger in network tool AccessDiver or HAS.

A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners. Visit WAVSEP homepage to learn more: https://code.google.com/p/wavsep/ The project includes the following test cases: Path Traversal/LFI: 816 test cases (GET & POST) Remote File Inclusion (XSS via RFI): 108 test cases (GET & POST) Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST) Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST) Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST) Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST)

The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well. If you'd like to download the V3.0 VM, you can download it from github: https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 Try it live: https://owasp.securityshepherd.eu Raise issues here: https://github.com/markdenihan/owaspSecurityShepherd/issues More Info here: https://www.owasp.org/index.php/OWASP_Security_Shepherd

Pure-Java cryptographic calculator, featuring basic arithmetic operators, cryptographic operations, multiple key file formats and edition of ASN.1 object files.

DENRIT allows remote administration of anonymous networks (TOR, I2P and FreeNet). Also, contains a pentesting module to execute commands using a selected anonymous network, pentesting with TOR or TCP Follows a client/server model with well-defined communication interfaces. SSH is used to allow remote clients to access the machine and manage any anonymous network that is installed there, plus allows penetration testing anonymously (or non-anonymously) using tools such as Metasploit Framework, nmap, nikto, among others. The list of supported applications will grow as the project progresses. Until now, this project is under development and is very unstable (and some features aren't included). But I've been developing constantly and I think that soon this software will become stable and very useful to pentesters, hackers and researchers (I hope so!) Well, you can see the wiki page and the presentation exposed in the download section if you want more information about this project.

Automated Fuzztests for JUnit

IdMUnit is an xUnit automated testing framework for Identity Management solutions.

Publish your junit test report in pdf format. Plug and Play integration. Home page: http://junitpdfreport.sourceforge.net/

A test framework for penetration testing Java classes and methods with randomized parameters and testing the results.

JAva Fault Injection and MONitoring tool

The project Jaulp is jet another utility library project written in Java. It contains utility classes for Date ,Calendar, Collections, Resources, Files, IO for Random data, and many more. This is the last version for this project.

PTestUnt is a unit based framework for testing web application vulnerabiltites. Requires ANT, JUnit and HttpUnit.

Project37 is a model-driven software application that uses an XML schema to generate security services which can be used to alter GUI forms or XML data sets.

SPIZD stands for Stress Probing Invasive Zap Destructor; it's a command-line stress test tool used to determine how many simultaneous (concurrent) connections servers can handle. Protocols: http, pop3, pop3s, imap, imaps, smtp, smtps, ssh, radius.

THE STP CODE HAS MOVED TO GITHUB. THE CODE HERE IS STALE. PLEASE CHECKOUT THE FOLLOWING WEBSITE: http://stp.github.io/

Sanshi is HTTP requests generator. You can use Sanshi as a web application security test tool. It can find vulnerabilities automatically.

SecFlow - Secure Flow Analyzation for Java and .NET

This library has a package of useful methods to help the development of automated tests for Java applications.

Implemented in Java, WebXSSDetector is an automated, open-source testing tool for detecting Cross-Site Scripting Vulnerabilities on Web applications.

A suite of source and binary programs to test the capabilities of code analysis tools. A reference implementation of x86 binary analysis in C# is also included.

This package is a suite of tools meant to allow for the low-level manipulation of Java classes and Java Archive (JAR) files in a hostile environment.