One of the best tools we saw at LayerOne was the Exploit-Me series presented by [Dan Sinclair]. Security Compass created these tools to help developers easily identify cross site scripting (XSS) and SQL injection vulnerabilities.
XSS-Me is a Firefox add-on that loads in the sidebar. It identifies all the input fields on a page and iterates through a user provided list of XSS strings: opening new tabs and checking the results. When this process completes you get a report of what attacks got through, what didn’t, and what might have. The upcoming 0.3 version will use heuristics to determine what characters can be used and automatically skip attack strings that won’t get through.
The SQL Inject-Me works almost exactly the same way. It does require a little planning though: you need to tell it what you expect the results page to look like when an attack gets through.
The newest tool, Access-Me, surfs along with you while you’re authenticated to a website and checks whether you can see the same page unauthenticated.