Wireshark is a free and open-source packet analyzer. It is extensively used for network analysis, sniffing, network troubleshooting and communications protocol development. It is very popular in academia as well as in industry. It allows the user to see all traffic being passed over the network.

We have used this tool extensively in all of our research.

Click here to download Wireshark.


Firebug is an add-on for Mozilla Firefox and a popular, powerful web development tool. Using Firebug, you can inspect HTML and modify style and layout in real time. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

Click here to download Firebug.


Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, intercept, and “fiddle” with incoming or outgoing data. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, and Opera.

Click here to download Fiddler.


HTTPFox monitors and analyses all incoming and outgoing HTTP traffic between the browser and the web servers. The advantage this tool has over Wireshark is that it runs in the same application space as the browser and is easier to start up for quick analysis.

Click here to download HTTPFox.

DAttack Tool

DAttack tool is a dictionary attack tool developed by Vrinda Halankar, from NITK, Surathkal. We used this tool to study the effects of a dictionary attack on various bank websites in order to understand and analyse their security policies for User ID and password protection. The tool maintains a list of User IDs and passwords and then sends login requests for each User ID along with all the passwords available in the list. It can perform this attack either in brute force mode or in a mode customised by the attacker.

Click here to download DAttack Tool.


Exploit-Me is a suite of Firefox web application security testing tools designed to be lightweight and easy to use.

SQL Inject Me

SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is a Firefox extension used to test for SQL Injection vulnerabilities. The tool allows users to test their web applications against common SQL Injection vulnerabilities.

The tool tests by submitting your HTML forms and substituting the form value with strings that are representative of an SQL Injection attack. The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.

The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.

Click here to download SQL Inject Me from the Mozilla website.
Click here to download SQL Inject Me from securitycompass.com.


The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. For instance, if the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string.

The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.

Click here to download XSS Me from the Mozilla website.
Click here to download XSS Me from securitycompass.com.


Access vulnerabilities in an application can allow an attacker to access resources without being authenticated. Access-Me is the Exploit-Me tool used to test for Access vulnerabilities. The tool works by sending several versions of the last page request: a request with the session removed, a request using the HTTP HEAD verb, and a request using a made-up SECCOM verb. A combination of session removal and HEAD/SECCOM will also be sent.

Click here to download Access-Me.

Password Managers

A password manager is software that helps a user organize passwords and PIN codes. The software typically has a local database or files that hold the encrypted password data. Many password managers also work as form fillers, filling the user and password data automatically into forms. These are usually implemented as browser extensions. Password managers are of the following three types:

  1. Desktop – desktop software storing passwords on a computer hard drive.
  2. Portable – portable software storing passwords and program on a mobile device, such as a PDA, smart phone or as a portable application on a USB stick such as U3 or similar.
  3. Web based – Online password manager where passwords are stored on a provider’s website.

Password Safe

Password Safe is a free open-source program for storing. After filling in the master password the user has access to all account data entered and saved previously. The data can be organized by categories, and can be sorted and searched. This Windows utility was designed by Bruce Schneier, a leading voice among security experts. We highly recommend the use of this application.

Click here to download Password Safe.

Password Strength Applications – Microsoft Online Safety Password Checker

When a user selects a password, it is always recommended to check the strength of the chosen password and use a strong password. In chapter 1 section 4, there are links to websites providing online password strength applications. For the purpose of our tests we have used the following web application to draw a baseline for minimum strength.

The password ‘Abcd1234%^&*@#90yuiop’ was rated as best by this password meter.

The following links redirect to various password meters available online.

    1. Microsoft passwordmeter
    2. passwordmeter.com
    3. yetanotherpasswordmeter.com
    4. geekwisdom.com

Netcraft Anti Phishing Toolbar

The Netcraft Anti Phishing Toolbar uses Netcraft’s enormous databases of web site information to show all the attributes of each site visited on the Web, including the sites’ hosting location, country, longevity and popularity.

Click here to download Netcraft Anti Phishing Toolbar.


Ginger proxy was the proxy used by us to cover our IP trails. Some tests were routed via the proxy to the banks' websites. The proxy is required to keep us anonymous by providing a different random IP address, preventing IP filters from blocking our access.

Click here to visit GINGER Proxy website.

HTTPattack Tool

HTTPattack tool is used to simulate a number of clients accessing a website simultaneously at a given instant of time. It can be used to simulate a heavy load on a server to test its strength or to analyse overall performance under different load types. It can also be used to test whether the DDoS countermeasure incorporated in the website can withstand a heavy load.

The tool accepts a set of URLs (uniform resource locators) as input and then sends requests to each URL in circular fashion. It does not wait for the response after sending a request; it simply moves on to send the next request, and creates one thread per request that is responsible for receiving the corresponding response. In this way it can send the maximum number of requests in a short time interval. While the tool is running, every 5 seconds it shows the updated value and draws the graph. This helps the user analyse whether the success rate or the failure rate is high in a given duration of time, and whether the tool is running properly.

Click here to download HTTPattack tool.

Rapport tool

Rapport is a security software application that provides online identity theft and online transaction protection for consumers. Rapport can be used to protect your web browser sessions with any website that contains private or personal information. Examples include:

- Online bank accounts
- Mutual fund accounts
- Online brokerage accounts
- Email (such as Hotmail, Yahoo! Mail, and Gmail)
- Social networking sites (such as Facebook, Myspace, Orkut, and LinkedIn)
- Insurance applications
- Personal medical information
- Online merchants (such as eBay, Amazon, Walmart.com, and Target.com)

Rapport protects you against the following threats:

1. Keylogging
2. Malicious Browser Add-ons
3. Malicious Programs
4. Screen Shooting
5. Session Hijacking
6. Phishing
7. Pharming or DNS Spoofing

Rapport is entirely transparent and does not require any configuration or maintenance; simply install and browse safely. Rapport further protects specific identities and sessions.

Click here to download Rapport tool.

