reedphish

puncturing security, development and life. Stay on the right side of the law.

Tools of my trade

These are some of the tools I use at work.

Apache JMeter

Apache JMeter isn't my main tool for performance testing, but in certain situations it comes in handy, especially in locked-down environments. I use it to simulate heavy load on the web servers we deploy to at work. With it I can easily spot error situations, pages that crumble under heavy load and general bloopers our developers have made. JMeter offers a GUI for easy setup of test plans and a generally smooth interface for managing the test plan and tests day to day. Most often I run it in GUI mode, but there are also occasions where I need to run it in a distributed setting in CLI (non-GUI) mode. One great thing is that it is written in Java, so it is cross-platform. On occasion I also pair it with BlazeMeter, an online service for running bigger tests than I can run from my localhost.
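As an added example (not code from the original post or from the JMeter project), here is the non-GUI invocation the paragraph refers to, together with a small awk summary of the resulting .jtl file that picks out the error rate, the slowest sample and the labels that failed. It assumes JMeter's default CSV result format with a header row; the four result lines are constructed sample data, and the plan, results and remote-host arguments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): run JMeter in non-GUI (CLI) mode
# and summarise the CSV results file (.jtl) to spot failing and slow pages.
# Assumes the default JMeter CSV output format with a header row. The flags
# are JMeter's own: -n non-GUI, -t plan, -l results file, -R comma-separated
# remote servers for a distributed run, -e/-o build the HTML dashboard after
# the run (the -o directory must not already exist).

# Not executed here. Arguments: test plan, results file, optional remote hosts.
run_jmeter_nongui() {
  plan=$1; results=$2; remotes=${3:-}
  if [ -n "$remotes" ]; then
    jmeter -n -t "$plan" -l "$results" -R "$remotes" -e -o "${results%.jtl}-report"
  else
    jmeter -n -t "$plan" -l "$results" -e -o "${results%.jtl}-report"
  fi
}

# Summarise a .jtl: total samples, failures, error rate, slowest sample, and
# one line per label that produced failures. Columns are looked up by header
# name, so a reordered or extended header still works.
summarize_jtl() {
  awk -F, '
    BEGIN { max = -1 }
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    NF == 0 { next }
    {
      n++
      el = $(col["elapsed"]) + 0
      label = $(col["label"])
      if ($(col["success"]) != "true") { err++; bad[label]++ }
      if (el > max) { max = el; slowest = label }
    }
    END {
      if (n == 0) { print "samples=0"; exit }
      printf "samples=%d errors=%d error_rate=%.1f%% max_ms=%d slowest=%s\n",
             n, err, 100 * err / n, max, slowest
      for (l in bad) printf "failing_label=%s failures=%d\n", l, bad[l]
    }' "$1"
}

# Constructed sample results: four requests, one HTTP 500, one slow search.
SAMPLE_JTL=$(mktemp)
trap 'rm -f "$SAMPLE_JTL"' EXIT
cat > "$SAMPLE_JTL" <<'EOF'
timeStamp,elapsed,label,responseCode,responseMessage,threadName,dataType,success,failureMessage,bytes,sentBytes,grpThreads,allThreads,URL,Latency,IdleTime,Connect
1700000000000,120,/index.php,200,OK,Group 1-1,text,true,,5120,310,50,50,http://127.0.0.1/index.php,110,0,5
1700000000150,2450,/search.php,200,OK,Group 1-2,text,true,,80231,340,50,50,http://127.0.0.1/search.php,2400,0,6
1700000000300,31,/search.php,500,Internal Server Error,Group 1-3,text,false,,612,340,50,50,http://127.0.0.1/search.php,30,0,4
1700000000420,98,/index.php,200,OK,Group 1-4,text,true,,5120,310,50,50,http://127.0.0.1/index.php,90,0,5
EOF

summarize_jtl "$SAMPLE_JTL"
# samples=4 errors=1 error_rate=25.0% max_ms=2450 slowest=/search.php
# failing_label=/search.php failures=1
```

A 25% error rate on a four-sample file is obviously a toy; on a real run the same summary over tens of thousands of samples is where the "pages that crumble under load" show up, and the per-label failure lines tell you which ones to hand back to the developers. If the results file contains quoted fields with embedded commas (a response message, for instance), switch to a CSV-aware parser before trusting the column lookup.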

For further information see their respective homepages:

NeoLoad

Another load testing tool with great capabilities. This tool is slightly different from JMeter in that it features extended functionality and a really easy-to-use GUI.

Xdebug

Xdebug is a tool for debugging and profiling PHP applications, provided as a PHP extension. I mostly use it for profiling web pages we produce at work. Xdebug can write profiling output which I open in KCachegrind, a tool for visualizing profiling data such as Xdebug's. It runs under Linux (as far as I know).
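As an added example (not from the original post or from the Xdebug project), these are the Xdebug 3 php.ini settings for producing the profiler output described above on demand, so that only requests carrying a trigger are profiled rather than every request. The output path and the trigger secret are placeholders.

```ini
; Added example (not from the original post): Xdebug 3 settings for on-demand
; profiling on a test host. The output path and trigger secret are placeholders.
zend_extension=xdebug

; Profile only requests that carry the trigger, not every request.
xdebug.mode=profile
xdebug.start_with_request=trigger
; Only requests whose XDEBUG_TRIGGER parameter or cookie equals this value
; are profiled; keep the secret out of shared URLs and bug reports.
xdebug.trigger_value=replace-with-a-random-secret

; Must be writable by the web server user; KCachegrind opens these files.
xdebug.output_dir=/tmp/xdebug
xdebug.profiler_output_name=cachegrind.out.%p.%r
; Xdebug 3.1+ gzips profiles by default; turn that off if your viewer
; cannot read .gz files directly.
xdebug.use_compression=false
```

Trigger a profile by adding `XDEBUG_TRIGGER=<secret>` as a GET or POST parameter or as a cookie, then open the result with `kcachegrind /tmp/xdebug/cachegrind.out.*`. On Xdebug 2 the equivalent settings were `xdebug.profiler_enable_trigger`, `xdebug.profiler_enable_trigger_value` and `xdebug.profiler_output_dir`. Two caveats: profile files list every script path and function called, so treat them as sensitive and do not write them to a world-readable directory on a shared host, and never leave the extension loaded on a production server, where it both slows PHP down and exposes the trigger.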

Slowfox

This is a tool that I wrote during spring 2013. It is a PHP-based web GUI sitting on top of, and communicating with, YSlow.js. YSlow.js is a JavaScript port of the well-known YSlow browser extension, which I previously used for analyzing page performance. I could have continued using the YSlow browser plugin, but I decided to write a better GUI to support the reports I have to provide to my employer.

Burp Suite

I am using the free edition. For the most part I use it as an intercepting proxy together with FoxyProxy for Firefox.

Acunetix

Acunetix is a tool that lets you scan your application and services for vulnerabilities. It is a great product in the stiffer price range, but it is worth it if you know how to utilize it.

OWASP ZAP

OWASP ZAP is a freely available vulnerability scanner. It works great and compares well to Acunetix. However, from what I've seen, ZAP does not find the same number of vulnerabilities as Acunetix. But close.

Various CLI tools

Over the years I have written many CLI scripts in Ruby, Python and PHP to support my daily workflow. They range from header-sniffing tools, network sniffers and fuzzers to MySQL brute-forcers and whatnot. It is highly unlikely I would ever release them into the wild due to their nature.
