Is there any service, or test suite or something which I can run against my site and expose any major security flaws. I don't expect I'll need to worry about hackers, but I want to eliminate security risks which can easily be exploited. i.e. SQL injection, cross site scripting etc..
You can use skipfish to detect XSS/SQLi vulnerabilities. It can be pretty hard on servers (brute forcing stuff, generating lots of requests), so you may want to read about its options/flags.
For SQL injection, sqlmap is pretty good in finding and exploiting SQL injections. Definitely worth a try.
I regularly use both of these tools for my penetration tests and they are pretty good at finding meaningful stuff.
Try this for sql injection testing, it's the one i prefer
Havij v1.15 Advanced SQL Injection
http://www.itsecteam.com/en/projects/project1.htm
Take a look at the ASafaWeb analyzer for ASP.NET web sites. (If ASP.NET is applicable to you... )
It doesn't do SQL Injection attacks, but nevertheless useful.
It's written by Troy Hunt, and make sure you listen to the Dotnetrocks.com episode 735 where he was interviewed.
Related
I need to verify the safety of my website. Do you know some tools for testing website safety i.e. sql injection, xss, .... ?
Can you recommend the best way to verify safety?
This sounds more like a question for Webmasters.SE or Security.SE rather than SO. But anyways...
There are many freely downloadable website vulnerability testers. I personally have used https://www.netsparker.com/communityedition/ and it caught some SQL mistakes in code from our contractor.
There are many PHP frameworks available for PHP namely -
Zend
CakePHP
CodeIgniter
Symfony
and so on....
Which are the security related issues taken care of by most of the frameworks ?
( As far as i know ( Cross-site scripting (XSS)) vulnerability is handled by most of them if we use there methods. What are the other issues taken care by most of them ? )
Along with usage of framework in a project, what are other security concerns needs to be taken care of ?
EDIT: In my case i am using codeigniter framework.
[spam]
I've created a little overview table a while back: http://matrix.include-once.org/framework/ which includes a few summaries about the basic cornerstones of web app security:
DB escaping / or parameterized SQL (e.g. via ORMs)
input filtering / sanitization
output encoding
authorization hash function (if any)
separation of frontend and admin backend (not completed, mostly n/a)
If I wanted to generalize, the big frameworks do indeed cover a lot of that. So the real issues become logical oversights in the business/processing layer.
Well this is a bit of a vague question as it entirely depends on what framework you are talking about.
All of the frameworks you have listed use a database abstraction layer of some sort, be it a simple query builder or a larger ActiveRecord/ORM implementation. These database abstraction layers will stop SQL injection most of the time.
CodeIgniter provides a Encrypt class which will help you generate passwords and random strings. In your main config file is an "encryption key" which will be specific to your application. This means your application will have a unique salt to another application, so if somebody gets a copy of/access to your database they won't be able to work out the passwords.
There are plenty of other security features specific to each framework, but those are the basics.
No matter how much attention and thought has gone into making sure a PHP framework is secure, the reality is that there is always room for improvement and even though frameworks like Codeigniter provide XSS, input filtering, request validation, database abstraction and other nice things, there will always be bugs and issues.
Never solely rely on a framework's in-built security protection methods. Always read into how a framework does something, understand the logic and then rewrite to meed your needs if you find something isn't as secure as it should be.
However, having said the above, I have been using Codeigniter for a few months and in a couple of high-end, high-trafficked websites and can't say that I have experienced any security issues or breaches. The one true advantage of a framework when it comes to security is that they're probably protecting you from some kind of attack you never knew existed in the first place (which is an awesome bonus).
Read into how Codeigniter and other frameworks solve security issues and protect your applications, you'll find it will strengthen your development knowledge and benefit you in the future when you write large-scale applications that require tough security and high reliability.
I have site and would like to test how it can resist hacker's attack like some kinds of injections, DDOS etc?
Thanks
Check out BackTrack, it's a security oriented linux distribution that comes with a miriad of differnt tools to attempt to penetrate your site's security.
http://www.backtrack-linux.org/
It's also an excellent tool to check general security on home/office networks.
Good luck!
EDIT: You might also want to check out: http://www.metasploit.com/
It's an excellent exploit fraimwork that will allow you to test and retest your server with everything you can possibly think of!
This may sound like a weird question but is there any where I can download a website that is vulnerable to sql injection the url kind not login bypass?
I'm making a vulnerability scanner and I want to learn some SQLi so i can include it in my project.
Thanks, it doesn't need to be fancy. Just enough to practice on.
OWASP WebGoat is the usual example. Includes SQL injection vulnerabilities.
No, you cannot download their site to test for injection vulnerabilities. You need to download their whole DB and configs to do what you are saying. If you want to benevolently go checking the security of various sites, you have to ask them about their system and model it on your own. OWASP works on systems not recently updated with patches, like the comment of tackline-its a first port.
OWAPS's WebGoat is an application that is built to be vulnerable to attack, it is a simulation of real world vulnerabilities. The Whitebox is a collection of real world vulnerabilities, it has 2 web applications that where abandoned because the applications where so insecure. It also has a set of challenges there are vulnerable code snips taken from real world applications. This project has real world sql injection as well more serious vulnerabilities.
Try scanning the vulnerable apps with Wapiti (open source) or Acunetix ($) or NTOSpider($$$). Then try using the applications, create blog posts ect, and then scan it again.
Also check out Damn Vulnerable Linux and Google Jarlsburg.
Anyone have suggestions for security auditing of an .NET Web Application?
I'm interested in all options. I'd like to be able to have something agnostically probe my application for security risks.
EDIT:
To clarify, the system has been designed with security in mind. The environment has been setup with security in mind. I want an independent measure of security, other than - 'yeah it's secure'... The cost of having someone audit 1M+ lines of code is probably more expensive than the development. It looks like there really isn't a good automated/inexpensive approach to this yet. Thanks for your suggestions.
The point of an audit would be to independently verify the security that was implemented by the team.
BTW - there are several automated hack/probe tools to probe applications/web servers, but i'm a bit concerned about whether they are worms or not...
Best Thing to do:
Hiring a security guy for source code analysis
Second best thing to do hiring a security guy / pentesting company for black-box analysis
Following tools will help :
Static Analysis Tools Fortify / Ounce Labs - Code Review
Consider solutions such as HP WebInspects's secure object (VS.NET addon)
Buying a blackbox application scanner such as Netsparker, Appscan, WebInspect, Hailstorm, Acunetix or free version of Netsparker
Hiring some security specialist is so much better idea (will cost more though) because they won't only find injection and technical issues where an automated tool might find, they will also find all logical issues as well.
Anyone in your situation has the following options available:
Code Review,
Static Analysis of the code base using a tool,
Dynamic Analysis of the application at run time.
Mitchel has already pointed out the use of Fortify. In fact, Fortify has two products to cover the areas of static and dynamic analysis - SCA (static analysis tool, to be used in development) and PTA (that performs analysis of the application as test cases are executed during testing).
However, no tool is perfect and you can end up with false positives (fragments of your code base although not vulnerable will be flagged) and false negatives. Only a code review could solve such problems. Code reviews are expensive - not everyone in your organization would be capable of reviewing code with the eyes of a security expert.
To begin, with one can start with OWASP. Understanding the principles behind security is highly recommended before studying the OWASP Development Guide (3.0 is in draft; 2.0 can be considered stable). Finally, you can prepare to perform the first scan of your code base.
One of the first things that I have started to do with our internal application is use a tool such as Fortify that does a security analysis of your code base.
Otherwise, you might consider enlisting the services of a third-party company that specializes in security to have them test your application
Testing and static analysis is a very poor way to find security vulnerabilities, and is really a method of last resort if you haven't thought of security throughout the design and implementation process.
The problem is that you are now trying to enumerate all of the ways your application could fail, and deny those (by patching), rather than trying to specify what your application should do, and prevent everything that isn't that (by defensive programming). Since your application probably has infinite ways to go wrong and only a few things that it is meant to do, you should take an approach of 'deny by default' and allow only the good stuff.
Put it another way, it's easier and more effective to build in controls to prevent whole classes of typical vulnerabilities (for examples, see OWASP as mentioned in other answers) no matter how they may arise, than it is to go looking for which specific screwup some version of your code has. You should be trying to evidence the presence of good controls (which can be done), rather than the absence of bad stuff (which can't).
If you get somebody to review your design and security requirements (what exactly are you trying to protect against?), with full access to code and all details, that will be more valuable than some kind of black box test. Because if your design is wrong then it won't matter how well you implemented it.
We have used Telus to conduct Pen Testing for us a few times and have been impressed with the results.
May I recommend you contact Artec Group, Security Compass and Veracode and check out their offerings...