is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.
CAL9000 is a collection of nine tools that are used to test web applications for security vulnerabilities, specifically cross-site scripting. You can use some of these tools to test other types of vulnerabilities, but the main focus of this toolkit is the cross-site scripting. In this section, we'll take you through the interface CAL9000 and describe each of the below nine tools:
- XSS Attacks
- HTTP Requests
- HTTP Responses
- Scratch Pad
- Cheat Sheets
- Misc Tools
Show the tool XSS Attacks. This is a dictionary of known XSS Attacks. Click one of the attacks listed in the menu on the left side of the screen, as shown in
- XSS Attacks - This is a listing of the XSS Attack Info from RSnake. You can filter the listing based on which browsers the attacks work in, test them, apply RegEx filters and create/edit/save/delete your own attacks.
- Http Requests - Manually craft and send HTTP requests to servers. GET, POST, HEAD, TRACE, TRACK, OPTIONS, CONNECT, PUT, DELETE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH and UNLOCK methods supported. Send single requests or launch automated attacks with more than one request at a time. All results are saved in a history file.
- Http Responses - View the status codes, response headers and body. Isolate the script, form and cookie information in the response.
- Scratchpad - A place to save code snippets, notes, results, etc.
- Cheatsheets - Collection of references for various web-related platforms and languages.
- IP Encode/Decode - Go to/from IP, Dword, Hex and Octal addresses.
- String Generator - Create character strings of almost any length.
- Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
- Testing Tips - Collection of testing ideas for assessments.
- Testing Checklist - Track the progress of your testing efforts and record your findings. The checklist categories roughly correlate with the Manual Testing Techniques from the OWASP Testing Guide. Create/edit/save/delete your own checklist items.
- AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiple-request capabilities on the HTTP Requests page.
- Store/Restore - Temporarily hold and retrieve textarea and text field contents.
- Save/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
- Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents.
HTTP REQUESTS / RESPONSE :
SCRATCH PAD :
CHEAT SHEETS :
MISC TOOLS :
For more information:
OWASP CAL9000 Project
Securing PHP Web Applications
Web Application Security com CAL9000
Download Link :
LATEST RELEASE - Version 2.0 released November 16, 2006. See the OWASP CAL9000 Project Roadmap for release notes.
- The latest release has been incorporated into the OWASP LiveCD project
- Click here to view the CAL9000 source code.