OWASP - Phoenix/Tools 다양한 분석도구 팁

OWASP 에서 친절하게 다양한 도구들을 분류해 놓았다.

여기에 있는 도구들을 사용하고 사이트들에 대하여 방문만 하여도 족히 한달은 걸리지 않을까 싶다.
참고용으로 보기에는 좋은 정보인 듯 하다.
예전에도 이런 노가다 성 작업을 좀 했었는데, 이런 사이트가 있으면 노가다를 좀 덜어주니 참 고맙군. ㅋ

Phoenix/Tools

From OWASP

Jump to: navigation, search

Please send comments or questions to the Phoenix-OWASP mailing-list.

LiveCDs
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/

Test sites / testing grounds
SPI Dynamics (live) - http://zero.webappsecurity.com/
Cenzic (live) - http://crackme.cenzic.com/
Watchfire (live) - http://demo.testfire.net/
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/

HTTP proxying / editing
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp - http://www.portswigger.net/
Paros - http://www.parosproxy.org/
Fiddler - http://www.fiddlertool.com/
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru - http://www.sensepost.com/research/suru/
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/
Charles - http://www.xk72.com/charles/
Odysseus - http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/

RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools
Wfuzz - http://www.edge-security.com/wfuzz.php
ProxMon - http://www.isecpartners.com/proxmon.html
Wapiti - http://wapiti.sourceforge.net/
Grabber - http://rgaucher.info/beta/grabber/
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz - http://sourceforge.net/projects/jbrofuzz
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
RegFuzzer: test your regular expression! filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression!-filter
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml
RFuzz - http://rfuzz.rubyforge.org/
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/
WSTool - http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743

HTTP general testing / fingerprinting
Wbox: HTTP testing tool - http://hping.org/wbox/
ht://Check - http://htcheck.sourceforge.net/
Mumsie - http://www.lurhq.com/tools/mumsie.html
WebInject - http://www.webinject.org/
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/
Load-balancing detector - http://ge.mine.nu/lbd.html
HMAP - http://ujeni.murkyroc.com/hmap/
Net-Square: httprint - http://net-square.com/httprint/
Wpoison: http stress testing - http://wpoison.sourceforge.net/
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp
Nikto - http://www.cirt.net/code/nikto.shtml
twill - http://twill.idyll.org/
DirBuster - http://www.sittinglittleduck.com/DirBuster/
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html

Browser-based HTTP tampering / editing / replaying
TamperIE - http://www.bayden.com/Other/
isr-form - http://www.infobyte.com.ar/developments.html
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/

Cookie editing / poisoning
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx

Ajax and XHR scanning
Sahi - http://sahi.co.in/
scRUBYt - http://scrubyt.org/
jQuery - http://jquery.com/
jquery-include - http://www.gnucitizen.org/projects/jquery-include
Sprajax - http://www.denimgroup.com/sprajax.html
Watir - http://wtr.rubyforge.org/
Watij - http://watij.com/
Watin - http://watin.sourceforge.net/
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
xxJavascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/
Firebug Lite - http://www.getfirebug.com/lite.html
firewaitr - http://code.google.com/p/firewatir/

RSS extensions and caching
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/

SQL injection scanning
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap - http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas
PRIAMOS - http://www.priamos-project.com/

Web application security malware, backdoors, and evil code
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/
Jikto - http://busin3ss.name/jikto-in-the-wild/
XSS Shell - http://ferruh.mavituna.com/article/?1338
XSS-Proxy - http://xss-proxy.sourceforge.net
AttackAPI - http://www.gnucitizen.org/projects/attackapi/
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/
BeEF - http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/
What is my IP address? - http://reglos.de/myaddress/
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval
Technika - http://www.gnucitizen.org/projects/technika/
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/

Web application services that aid in web application security assessment
Netcraft - http://www.netcraft.net
AboutURL - http://www.abouturl.com/
The Scrutinizer - http://www.scrutinizethis.com/
net.toolkit - http://clez.net/
ServerSniff - http://www.serversniff.net/
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit - http://www.webmaster-toolkit.com/
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
PHP charset encoding - http://h4k.in/encoding
data: URL testcases - http://h4k.in/dataurl

Browser-based security fuzzing / checking
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider - http://labs.idefense.com
bcheck - http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7
xxJavascript Website Login Checker - http://ha.ckers.org/weird/xxjavascript-website-login-checker.html
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1

PHP static analysis and file inclusion scanning
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit

Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/
dotnetids - http://code.google.com/p/dotnetids/
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/
mod_security rules generator - http://noeljackson.com/tools/modsecurity/
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99
Akismet: blog spam defense - http://akismet.com/
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/

Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c
Net-square: wsChess - http://net-square.com/wschess/index.shtml
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html

Web application non-specific static source-code analysis
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list - http://spinroot.com/static/

Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
RATS - http://www.securesoftware.com/resources/download_rats.html
ITS4 - http://www.cigital.com/its4/
FlawFinder - http://www.dwheeler.com/flawfinder/
Splint - http://www.splint.org/
Uno - http://spinroot.com/uno/
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net
Valgrind - http://www.valgrind.org/

Java static analysis, security frameworks, and web application security tools
HDIV Struts - http://hdiv.org/
Orizon - http://sourceforge.net/projects/orizon/
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/
PMD - http://pmd.sourceforge.net/
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/
EMMA - http://emma.sourceforge.net/
JLint - http://jlint.sourceforge.net/
Java PathFinder - http://javapathfinder.sourceforge.net/
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/
Checkstyle - http://checkstyle.sourceforge.net/
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver
tinapoc - http://sourceforge.net/projects/tinapoc
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
Solex - http://solex.sourceforge.net/
Java Explorer - http://metal.hurlant.com/jexplore/
HTTPClient - http://www.innovation.ch/java/HTTPClient/
another HttpClient - http://jakarta.apache.org/commons/httpclient/
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html

Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf

Threat modeling
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php
Octotrike - http://www.octotrike.org/

Add-ons for Firefox that help with general web application security
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/
Public Fox - https://addons.mozilla.org/firefox/3911/
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html
IE Tab - https://addons.mozilla.org/firefox/1419/
User-Agent Switcher - https://addons.mozilla.org/firefox/59/
ServerSwitcher - https://addons.mozilla.org/firefox/2409/
HeaderMonitor - https://addons.mozilla.org/firefox/575/
RefControl - https://addons.mozilla.org/firefox/953/
refspoof - https://addons.mozilla.org/firefox/667/
No-Referrer - https://addons.mozilla.org/firefox/1999/
LocationBar^2 - https://addons.mozilla.org/firefox/4014/
SpiderZilla - http://spiderzilla.mozdev.org/
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143
Fire Encrypter - https://addons.mozilla.org/firefox/3208/

Add-ons for Firefox that help with xxJavascript and Ajax web application security
Selenium IDE - http://www.openqa.org/selenium-ide/
Firebug - http://www.joehewitt.com/software/firebug/
Venkman - http://www.mozilla.org/projects/venkman/
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey - http://www.greasespot.net/
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/

Bookmarklets that aid in web application security
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html
BMlets - http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of xxJavascript to provide rich functionality - http://www.blummy.com/
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/

SSL certificate checking / scanning
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger - http://foundstone.com/resources/freetooldownload.htm?file=ssldigger.zip
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/

Honeyclients, Web Application, and Web Proxy honeypots
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/
Google Hack Honeypot - http://ghh.sourceforge.net/
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/
SpyBye - http://www.monkey.org/~provos/spybye/
Honeytokens - http://www.securityfocus.com/infocus/1713

Blackhat SEO and maybe some whitehat SEO
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html
SEOQuake (Firefox Add-on) - http://www.seoquake.com/

Footprinting for web application security
Evolution - http://www.paterva.com/evolution-e.html
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/
Edge-Security tools - http://www.edge-security.com/soft.php
Fierce Domain Scanner - http://ha.ckers.org/fierce/
Googlegath - http://www.nothink.org/perl/googlegath/
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/

Database security assessment
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/

Browser Defenses
DieHard - http://www.diehard-software.org/
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497
NoScript (Firefox Add-on) - http://www.noscript.net/
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/
Adblock (Firefox Add-on) - http://adblock.mozdev.org/
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
SafeCache (Firefox Add-on) - http://www.safecache.com/
SafeHistory (Firefox Add-on) - http://www.safehistory.com/
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/
FireKeeper - http://firekeeper.mozdev.org/

Browser Privacy
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/
Privacy Bird - http://www.privacybird.com/

Application and protocol fuzzing (random instead of targeted)
Sulley - http://fuzzing.org/
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/
autodafe: an act of software torture - http://autodafe.sourceforge.net/
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

컴퓨터 보안

⑴ 인터넷과 보안

• 인터넷과 개방된 구조를 가지고 있기 때문에 보안에 문제가 발생할 가능성이 높음
• 인터넷의 급속한 팽창으로 인해서 네트워크 해킹이 사회 문제화되고 있음
• 각 기관은 실정에 맞는 보안 정책을 수립하고, 보안 시스템을 구축할 필요가 있음
• 보안은 컴퓨터 시스템에 직접 침투하는 것을 방지하는 시스템 보안과 자료들에 대한 침투를 방지하는 자료 보안으로 분류

⑵ 시스템 보안(System Security)

• 컴퓨터 시스템의 운영체제, 응용 프로그램, 서버 등의 허점을 이용해서 불법적으로 사용하는 것을 방지하는 것
• 주로 방화벽을 설치해서 보안 시스템을 구축

   1) 방화벽(Firewall)란?

• 내부의 신뢰성 있는 네트워크와 외부의 신뢰성 없는 네트워크 사이에 위치
• 외부의 불법 침입으로부터 내부의 정보 자산을 보호하고 외부로부터 유해 정보를 차단하기 위한 정책과 이를 지원하는 하드웨어와 소프트웨어를 총칭

   2) 방화벽의 기능

• 인터넷 서비스별로 정보를 요청한 시스템의 IP 주소 및 포트번호를 이용하여 외부 접속을 차단
• 사용자 인증에 기초해서 외부 접속을 차단
• 네트워크로 들어오고 나가는 패킷의 IP와 TCP 헤더를 검사하여 패킷의 통과 여부를 결정(Packet Filtering)
• 내부 네트워크 사용자들이 외부로 접속할 때 방화벽을 통과하도록 설정하여 해커가 내부의 IP 주소를 도용하지 못하도록 방지

⑶ 자료 보안(Data Security)

• 시스템에 들어있는 자료를 보호하는 것
• 자료의 전송 도중에 가로채거나, 수정하는 행위로부터 자료를 안전하게 전달하는 것을 목표로 하고 있음
• 주로 암호화나 전자 서명을 이용

   1) 침입 형태

① 가로막기(Interruption)

• 자료가 수신측으로 전달되는 것을 방해하는 행위
• 자료의 가용성(Availability)을 저해하게 됨

② 가로채기(Interception)

• 전송한 자료가 수신지로 가는 도중에 몰래 보거나 도청하는 행위
• 자료의 보안성이 떨어지게 됨

③ 수정(Modification)

• 원래의 자료를 다른 내용으로 바꾸는 행위
• 자료의 신뢰성이 손상됨

④ 위조(Fabrication)

• 자료가 다른 송신자로부터 전송된 것처럼 꾸미는 행위
• 자료의 무결성(Integrity)이 손상됨

   2) 암호화(Encryption)

• 암호키를 이용해서 정보를 바로 해독할 수 없도록 변환하는 것으로 특정인만 해독할 수 있게 하는 것
• 자료의 기밀성(Confidentiality)을 보장하는 방법
• 자료에 특정한 처리를 통해서 침입자가 자료를 입수하더라도 해당 자료의 내용을 알 수 없도록 하는 작업
• 일반적으로 암호화는 키(Key)를 사용해서 암호 자료를 생성
• 암호화에 필요한 구성 요소 : 자료, 암호화하는 키(Key), 암호화된 자료(Cryped Data), 암호화된 자료를 원래의 자료로 복원시키는 키
• 암호화의 종류 : 개인키(Private Key)와 공개키(Public Key)등

  ■ 암호화 원칙

  • 신원 확인(Identification) : 송신자가 실제로 그 사람인지를 확인하는 과정
  • 인증(Authentication) : 암호문의 원래 송신자를 확인하고 메시지 전문이 제대로 전달되었는지 확인하는 절차
  • 발신자 확인(Nonrepudiation) : 송신자가 전송한 사실을 부인할 수 없도록 하는 방법
  • 확인(Verification) : 신원 확인과 인증을 한 번에 처리하는 기능
  • 개인정보 보호(Privacy) : 정보 전송시 해킹으로부터 보호할 수 있는 기능

  ■ 암호방식의 종류

  ① 비밀키(단일키, 대칭형)

  • 암호화하는 키와 암호화된 자료를 복호화하는 키가 동일한 방식
  • 장점 : 암호화와 복호화 속도가 빠르고 다양한 암호화 기법이 개발
  • 단점 : 여러 사용자가 동일한 자료를 사용할 때 키의 공유 문제가 발생

  ② 공개키(이중키, 비대칭형)

  • 암호화 키와 복호화 키를 별도로 사용하는 방식
  • 비밀키 암호 방식으로 암호화한 자료를 전송할 때 수신자에게 키까지 보내야 하는데, 해당 키를 보호할 방법이 없다는 문제의식에서 개발
  • 장점 : 키 관리가 용이하며 전자 서명으로 사용 가능
  • 단점 : 알고리즘이 복잡하고 속도가 느림
  • 종류 : RSA(Rivert-Shamir-Adleman), LUC(Lucas)

■ 주요 용어

• 비밀키 : 평문을 암호화 알고리즘에서 암호화하기 위해서 사용되는 키
• 암호문(Ciphertext) : 평문을 암호화 알고리즘을 사용해서 암호화한 자료
• 복호(Decryption) 알고리즘 : 비밀키를 사용해서 암호문을 원래의 평문으로 변환시키는 것으로 암호화 알고리즘과 역으로 작동
• 공개키(Public Key)와 비밀키(Private Key) : 암호화하는데 사용되는 키와 복호화에 사용되는 키를 분리시킴

   3) E-mail에서 사용되는 보안

• 기밀성(Confidentiality) : 해당 수신자 이외의 사람은 내용을 볼 수 없게 하는 기능
• 메시지 인증(Message Integrity) : 메시지 전송 도중에 불법적으로 변경되었는지를 확인해주는 기능
• 사용자 인증(User Authentication) : 송신자가 실제로 메시지를 송신한 사람과 일치하는지 여부를 확인해주는 기능
• 송신부인 방지(Nonrepudiation of Origin) : 송신자가 메시지를 송신하고 송신 사실을 부인하는 것을 확인해주는 기능
• 수신부인 방지(Nondeniability of Receipt) : 메시지를 수신하고 수신 사실을 부인하는 것을 확인해주는 기능
• 메시지 재전송 방지(Message Reply Prevention) : 중간에 지나가는 메지시를 가로채서 재전송하는 것을 방지해주는 기능

   

  암호화의 종류 PEM(Privacy Enhanced Mail) : E-mail을 전송하기 전에 자동으로 암호화하는 방법을 제공하며, RSA 방식을 사용해서 암호화 PGP(Pretty Good Rrivacy) : E-mail에서 필요한 보안 기능 중에서 기밀성, 메시지 인증, 사용자 인증, 송신부인 방지 기능을 지원

   4) 디지털 서명

• 메시지를 송ㆍ수신하는 당사자간에 메시지의 신뢰성을 보증하기 위한 방법
• 메시지에 송신자의 신분을 보증하는 내용을 추가해서 암호화하는 방식
• 주로 공개키 암호 방식을 이용
• 기능 : 사용자 및 메시지 인증 기능, 송신 및 수신부인 방지 기능

⑷ 웹(Web)에서의 보안

   1) 일반적인 WWW 보안 메커니즘

• IP 주소 인증 : 웹서버를 설치할 때 서버에 접속할 수 있는 IP 주소 혹은 도메인명을 지정해서 설치하는 방법으로 해당되는 IP 주소 이외에는 접근이 불가
• 기본적인 인증 : 사용자 ID와 비밀번호를 사용해서 접근 허락 여부를 판단하는 방법
• Massage Digest 인증 : 사용자 ID와 비밀번호를 암호화해서 기본적인 인증의 문제점을 해결하려는 방법

   2) 프로토콜을 이용한 보안

• S-HTTP(Secure-HTTP) : HTTP로 주고받는 자료에 대한 암호화와 디지털 서명을 지원
• SSL(Secure Socket Layer) : 넷스케이프의 암호화에 사용하는 프로토콜로 전송 계층에서 수행되는 암호화 방식이기 때문에 HTTP뿐만 아니라 다양한 서비스(NNTP, SMTP, Telnet, FTP, Gopher 등)에서도 사용할 수 있는 장점이 있음
• SEA(Security Extension Protocol) : S-HTTP의 기능을 수용하면서 구현은 W3C에서 제안한 PEP(Protocol Extension Protocol)을 이용하는 형태
• STT(Secure Transaction Technology) : 마이크로소프트와 비자(VISA)가 개발한 프로토콜