Web application security testing [closed] - security

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
We are developing a web application using Spring framework and Hibernate ORM. As far as application security is concerned we are using acegi to provide authentication and authorization support.
Now about user input sanitation, we have tried to take care of attacks like XSS and SQL injection. We have tried to use prepared statements and Hibernate criteria as much as possible for database updates and queries. Inputs are also sanitized for JavaScript.
For testing these we have tried to use tools like Firebug, Tamper IE and Fiddler2 etc.
We have also used tools like Watch Mouse to do vulnerability tests.
What other tools are available for web application security, and what things should be considered before starting web application security testing?
Thank you

HP has a security assessment tool called Webinspect, but it is not free and I wouldn't recommend it. Either my company doesn't know how to use it, or the tool has no consistency in finding vulnerabilities.

You're better off hiring an actual pen-testing contracting agency to look for vulnerabilities in your site. Sure, you could run automated scanners, but they can only do so much. You'll probably waste more money and resources attempting to learn and implement proper pen testing than you would just hiring someone else to do it.
The fact that you're asking this question means that you are not qualified to give the kind of confidence or complete coverage a commercial application would need before launch.

You can use AppScan, but it's not free.

Burpsuite is an amazing tool for web application testing.
I do agree with hiring an outside team however, but if your company cannot/will-not, put a weekend into getting familiar with BurpSuite and you will undoubtedly find some bugs.

I agree with those who have encouraged you to look to an outside pen testing firm, if you want the best results now.
That said, one of the best all-around web app pen testing tools I have used is Burp Suite (portswigger.net). There is a free version that gives you most of the functionality, but investing $400 in the Pro version, which adds a vulnerability scanner and the ability to save state, is well worth it.
In addition, you should become very familiar with the OWASP organization (owasp.org), and the information/tools they make available for web app security. The Cheat Sheets and the Testing Guides can be very helpful, if you know how to use them.
Finally, if you are determined to build up your own application security team, then you should consider hiring some folks with extensive application security experience as well as a background in software development. There is more to application security than security testing. Static security code analysis and threat modeling are just two of the other areas you should be thinking about.

Related

Hacking training simulator [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 8 years ago.
I've never tried to hack sites. I've just followed security guidelines. Now I want to try to develop more safety.
Are there any "training sites" with holes and "exercises", with SQL injections, redefining global variables, XSS and other kinds of holes? A kind of hacker sandbox.
Pop across to this question on vulnerable Operating Systems at Security Stack Exchange or this one on vulnerable servers for penetration testing (especially this answer which has an awesome list)
We have a few questions around this topic or Security Education in general, and as a growing resource for IT and Information Security it could be well worth you popping over.
Snippet of content from over there:
http://www.irongeek.com/i.php?page=security/wargames
WebGoat. WebGoat is a set of deliberately insecure Java server pages
http://www.hackthissite.org/
http://www.smashthestack.org/wargames.php
From their FAQ:
The Smash the Stack Wargaming Network hosts several Wargames. A Wargame in our context can be described as an ethical hacking environment that supports the simulation of real world software vulnerability theories or concepts and allows for the legal execution of exploitation techniques. Software can be an Operating System, network protocol, or any userland application.
http://www.astalavista.com/page/wargames.html
http://www.governmentsecurity.org/forum/index.php?showtopic=15442
http://www.overthewire.org/wargames/
The list is long... some are up, some not...
Update 26 Feb 2011: I found a nice post from http://r00tsec.blogspot.com/2011/02/pentest-lab-vulnerable-servers.html. Some links might be broken. I copy from there:
Holynix: Similar to the de-ice Cd’s and pWnOS, holynix is an ubuntu server vmware image that was deliberately built to have security holes for the purposes of penetration testing. More of an obstacle course than a real world example.
http://pynstrom.net/index.php?page=holynix.php
WackoPicko: WackoPicko is a website that contains known vulnerabilities. It was first used for the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners found:
http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf
https://github.com/adamdoupe/WackoPicko
De-ICE PenTest LiveCDs: The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs.
http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks
Metasploitable: Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql.
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
Owaspbwa: Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications.
http://code.google.com/p/owaspbwa/
Web Security Dojo: A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
http://www.mavensecurity.com/web_security_dojo/
Lampsecurity: LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach linux,apache,php,mysql security.
http://sourceforge.net/projects/lampsecurity/files/
Damn Vulnerable Web App (DVWA): Damn Vulnerable Web App is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
www.dvwa.co.uk/
Hacking-Lab: This is the Hacking-Lab LiveCD project. It is currently in beta stadium. The live-cd is a standardized client environment for solving our Hacking-Lab wargame challenges from remote.
http://www.hacking-lab.com/hl_livecd/
Moth: Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
http://www.bonsai-sec.com/en/research/moth.php
Damn Vulnerable Linux (DVL): Damn Vulnerable Linux is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.
http://www.damnvulnerablelinux.org
pWnOS: pWnOS is on a “VM Image”, that creates a target on which to practice penetration testing; with the “end goal” is to get root. It was designed to practice using exploits, with multiple entry points
http://www.backtrack-linux.org/forums/backtrack-videos/2748-%5Bvideo%5D-attacking-pwnos.html
http://www.krash.in/bond00/pWnOS%20v1.0.zip
Virtual Hacking Lab: A mirror of deliberately insecure applications and old softwares with known vulnerabilities. Used for proof-of-concept /security training/learning purposes. Available in either virtual images or live iso or standalone formats.
http://sourceforge.net/projects/virtualhacking/files/
Badstore: Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure.
http://www.badstore.net/
Katana: Katana is a portable multi-boot security suite which brings together many of today’s best security distributions and portable applications to run off a single Flash Drive. It includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, and Malware Removal. Katana also comes with over 100 portable Windows applications; such as Wireshark, Metasploit, NMAP, Cain & Able, and many more.
www.hackfromacave.com/katana.html
Google has just the thing, try Gruyere
This codelab is built around Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.
If you're a Java man you should take a look at WebGoat:
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
If you're more into MySQL/PHP have a look at HackThisSite:
http://www.hackthissite.org/
I've always had a lot of fun with HackThisSite.
Acunetix provides several sites that demonstrate vulnerabilities in various technologies:
http://testphp.vulnweb.com/
http://testaspnet.vulnweb.com

Simple self-hosted website monitoring [closed]

Closed 3 years ago.
I'm looking for a simple self hosted website monitoring tool.
It should be something similar to watchmouse.com or pimgdom.com, with a nice UI, colorful charts and so on (Customers like that :)).
At the moment we use Zabbix also for HTTP monitoring, but since our hoster now cares about the hardware and software monitoring on the machine directly, we don't need Zabbix anymore.
For pure HTTP monitoring, Zabbix or another monitoring suite is really overkill.
So what I'm not looking for is:
Zabbix
Nagios
Hyperic
...
Sad but true, after some hours of researching I wasn't able to find a fitting application. My hope is now on you.
I realize this is an old question but I was looking for something like this today and came across Cabot which is self hosted and free, and according to the project's description: "provides some of the best features of PagerDuty, Server Density, Pingdom and Nagios".
Hope this helps someone in the future.
I found this a while ago for my purposes. Nice and simple and self hosted.
You do need shell access to set up cron jobs for it so it probably won't work in a shared environment.
php Server Monitor
Hope this helps.
Peter
I had a lot of success with Groundwork in the past. It's a BEAST and does just about everything imaginable and can be configured in so many ways. It might be overkill if you are just looking for something to schedule some http responses then graph the logs.
Groundwork is more for enterprise level deployments and has both Paid and Community editions with a pretty active community behind it too.
Not sure if you have already found a solution to this or not but give a shot to Apica System's Synthetic Monitoring. You can use the full SaaS, full on-premise, or hybrid model of this system. Take a look at the free trial and if you like what you see, the full portal as well as monitoring agents (with tons of more features than the trial) can be hosted behind your firewall in your own network. As per for monitoring, you can monitor websites/mobile apps, API endpoints, DNS, etc. You can also run complex use cases and see how the web app responds using Selenium or ZebraTester scripts.
If all you want to monitor is website uptime/downtime and response time, I'd have a look at TurboMonitor - it doesn't have all the bells and whistles provided by some other monitoring websites but it's quick and accurate for those two things.
Price-wise, I wouldn't take what they have on their website too seriously. I only actually found out about them when I met them in person and they were very happy to give me a "professional" account for free, supposedly like 5€/month or something on their website.

Tools to test softwares against any attacks for programmers? [closed]

Closed 9 years ago.
These days, I'm interested in software security. As I'm reading papers I see that there are many attacks and researchers are trying to invent new methods for software to get more secure systems.
This question can be a general one including all types of attacks. There are many experienced programmers on SO; I just want to learn what you are using to check your code against these attacks. Are there any tools you use, or do you not care?
For example, I heard about static/dynamic code analysis and fuzz testing.
SQL injection attacks
Cross Site Scripting
Buffer overflow attacks
Logic errors
Any kind of malware
Covert Channels
... ...
Thanks
I'm going to focus on web application security here...
Really you want to get used to manually trawling through a website/application and playing with various parameters etc. so proxy tools are of great help (they allow you to capture and interact with forms, before they reach the server):
LiveHTTPHeaders - Firefox plugin.
Burp Proxy - Java based.
Obviously there comes a point where manually crawling a whole website becomes rather time consuming/tedious and this is where automated scanning tools can be of help.
Black box:
WebSecurify - not used it but it's been created by a well known web app security guy.
Skipfish - Google released this recently so it's probably worth a look.
And there are many other commercial tools: WhiteHat Sentinel, HP Web Inspect and probably many others I can't remember.
White box:
A lot of the academic research I've seen is related to static code analysis tools; I've not used any because they all focused on PHP only and had some limitations.
Other resources:
ha.ckers.org - great blog, with an active forum related to web app sec.
OWASP - as previously mentioned, there are lots of insightful articles/guides/tutorials here.
If you want to learn more about manually attacking sites yourself the Damn Vulnerable Web App is a nice learning project. By that I mean, it's a web application that is written to be deliberately insecure, so you can test your knowledge of web application security vulnerabilities legally.
I wrote a black box scanner in Perl for my third year dissertation which was quite an interesting project. If you wanted to build something yourself it really just consisted of:
crawler
parser
attacker
Something that you haven't mentioned but I think is important: code reviews.
When you're just trying to implement something as fast as you can it is easy to overlook a security issue. A second pair of eyes can pick up many problems or potential problems, especially if the reviewer is experienced at spotting typical security holes.
I believe that it is possible in many cases to do manual code reviews without special tools. Just sit together at the same computer or even print out the code and do the review on the paper copy. But since you specifically asked for tools, a tool to help with manual code review is Rietveld. I haven't used it myself, but it is based on the same ideas used internally at Google (and written by the same guy, who also happens to be the author of Python).
Security is definitely a concern and developers should at least be aware of common vulnerabilities (and how to avoid them). Here are some resources that I find interesting:
OWASP Top 10 for 2010
OWASP Guide for Secure Web Applications
OWASP Testing Guide v3
There are 2 types of software defects that can cause security problems: implementation bugs and design flaws.
Implementation bugs usually appear in a specific area in the code, they are relatively easy to detect and (usually) not too complicated to fix. You can detect (most) of these with automated tools that do static code analysis (tools like Fortify or Ounce) although these tools are expensive. With that said, you still have to remember that there are no "silver bullets" and you cannot blindly rely only on the tool output without some sort of manual code review to confirm/understand the real risk behind the issues the tool reports.
The other problem is design flaws, that's another story. They are usually complex issues that are not the consequence of a mistake in the code but of a poor choice in the design or architecture of the application. Those cannot be identified by an automated tool and really can only be detected manually, by a code/design/architecture review. They are usually very hard and expensive to fix past the design phase.
So I recommend, reviewing your code for implementation bugs that can have impact on security (code review using automated tools like Fortify/Ounce + manual review of tool results) and reviewing your design for security flaws (no tools for this, has to be done by someone who knows about security).
For a good read on software security and the complexity behind designing secure software, check Software Security: Building Security In, by Gary McGraw (amazon link)
I use tools to aid in the hunt for vulnerabilities, but you can't just fire off some test and assume everything is okay. When I am auditing a project I look at the code and I try and get a feel for the programmer's style and skill level. If the code looks messy then chances are they are a novice and they will probably make novice mistakes.
It is important to identify security related functions in a project and manually audit them. Tamperdata is very helpful for manual auditing and exploit development because you can build custom http requests. A good example for manual auditing for PHP is: Are they using mysql_real_escape_string($var) or are they using htmlspecialchars($var,ENT_QUOTES) to stop sql injection? (ENT_QUOTES doesn't stop backslashes which is just as dangerous as quote marks for mysql, mssql is a different story.) Security functions are also places for "Logic errors" to crop up, and no tool is going to be able to detect this, this requires manual auditing.
If you are doing web application testing then Acunetix is the best testing tool you can use. Wapiti is a very good open source alternative. Although any tool can be used improperly. Before you do a web application test make sure error reporting is turned on, and also make sure you aren't suppressing sql errors, such as with a try/catch.
If you are doing Automated Static Code Analysis for vulnerabilities such as Buffer Overflows then Coverity is the best tool you can use (Fortify is nearly identical to Coverity). Coverity costs tens of thousands of dollars, but big names like the Department Of Homeland Security use it. RATS is an open source alternative, although Coverity is far more complex of a tool. Both of these tools will produce a lot of false positives and false negatives. RATS looks for nasty function calls, but doesn't see if it's still safe. So RATS will report every call to strcpy() strcat() sprintf(), but these can be safe if for instance you are just copying static text. This means you will have to dig through a lot of crap, but if you are doing a peer review then RATS helps a lot by narrowing the manual search. If you are trying to find a single exploitable vulnerability in a large code base, like Linux, then RATS isn't going to help much.
I have used Coverity and their sales team will claim it will "detect ****ALL**** vulnerabilities in your code base." But I can tell you from first-hand experience that I found vanilla stack based buffer overflows with peach that Coverity didn't detect. (RATS did however pick up these issues, along with 1,000+ other function calls that were safe...) If you want a secure application or you want to find an exploitable buffer overflow then Peach is the platform tool you can use to build the tools you need.
If you are looking for more exotic memory corruption issues such as Dangling Pointers then Valgrind will help.
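The answer above notes that RATS reports every call to strcpy(), strcat() and sprintf(), including copies of static text, so the reviewer has to triage the hits. The following is an added example, not part of the original answer and not RATS's own code: a small lexical scanner with a first-pass triage. The function names, the verdict labels, the sprintf rule and the sample C source are all assumptions constructed for illustration.

```python
import re

RISKY = ("strcpy", "strcat", "sprintf")
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(RISKY))
LITERAL_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')   # one complete C string literal

# Constructed sample input (not from the page).
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>

void greet(char *out) {
    strcpy(out, "hello");            /* static text */
}

void copy_name(char *dst, const char *user) {
    strcpy(dst, user);               /* length set by caller */
}

void fmt(char *buf, const char *user) {
    sprintf(buf, "id=%d", 42);       /* fixed-width output */
    sprintf(buf, "name=%s", user);   /* unbounded %s */
    strcat(buf, "\n");
}
'''


def split_args(src, start):
    """Split a call's arguments; src[start] is the first char after '('.

    Tracks nesting depth and string literals so that commas inside
    "a,b" or g(x, y) do not split an argument. Char literals are not handled.
    """
    args, cur, depth, in_str, i = [], [], 0, False, start
    while i < len(src):
        ch = src[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(src):   # keep escaped char with it
                i += 1
                cur.append(src[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == ")" and depth == 0:
            args.append("".join(cur).strip())
            return args
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            depth += (ch == "(") - (ch == ")")
            cur.append(ch)
        i += 1
    return args   # unterminated call: return what was collected


def triage(func, args):
    """First-pass verdict: 'static' (source size known at compile time,
    destination size still needs a glance) or 'review' (manual audit)."""
    if func in ("strcpy", "strcat"):
        ok = len(args) == 2 and LITERAL_RE.match(args[1])
        return "static" if ok else "review"
    # sprintf: assumed rule, a literal format with no %s conversion
    if len(args) >= 2 and LITERAL_RE.match(args[1]):
        fmt = args[1].replace("%%", "")
        if not re.search(r"%[^a-zA-Z%]*l?s", fmt):
            return "static"
    return "review"


def scan(src):
    """Return (line, function, verdict) for every risky call in src."""
    # Blank out /* */ comments but keep newlines so line numbers stay right.
    src = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group()),
                 src, flags=re.S)
    hits = []
    for m in CALL_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1),
                     triage(m.group(1), split_args(src, m.end()))))
    return hits


def needs_review(hits):
    """The subset a reviewer should open first."""
    return [h for h in hits if h[2] == "review"]


if __name__ == "__main__":
    for line, func, verdict in scan(SAMPLE_C):
        print(f"line {line:2d}  {func:8s} {verdict}")
```

On the sample, a pure function-name match yields five hits; the triage leaves two for manual review, which is the narrowing effect the answer describes.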
There's a bunch of web application security scanners on the market.
Take a look at this list:
WASC - Web application security scanner list and Netsparker Community Edition : which is the free version of Netsparker.
A tool doesn't know if your code is insecure.
Only you do (and the attackers).
At best the tool will spot a few vulnerabilities of one type in your code and make you realize you never protected against that type of vulnerability, but you will still have to go clean up all the instances the tool missed.

Is there a good service for checking website/server vulnerability [closed]

Closed 1 year ago.
I have been asked to provide information on available techniques for assessing our current, and any future websites for security problems. The request is in the form of
Do you know of any good free one that examines for security holes?
I think our data security is probably worth a small amount of upfront spend so any non-free methods would be appreciated too.
Our systems are a mish mash of mySQL, Oracle, SQLServer, PHP, ASP.NET etc etc systems though I guess that that does not matter too much. All the systems are secured in as much as they are patched and the firewalls are set sensibly so outside people cannot get directly to the database boxes etc.
It is XSS and similar attacks that we wish to prevent.
What do YOU use to give you confidence in your systems? ');DROP TABLE answer;
OWASP would be a good place to start. There's too much to cover to include here.
If the security of your site is worth nothing to your company then that's what you should pay. For my company the security of our data and the brand image has quite a high value.
We pay a whole bunch of money for regular scans, we've trained the developers in basic hacking/security of applications, our code reviews include a security review and now we're looking at AppScan from IBM (which is expensive but in the long run probably cheaper than all the pen' testing we pay for).
You get what you pay for. Making sure you understand the OWASP issues would be a good start though.
Personally, I choose not to be confident in the security of our systems. I am convinced there is always something that I am missing and thus I keep looking for it.
What you seem to be looking for is something to make others feel confident (even if that confidence is an illusion). Penetration testing is probably the right choice for that. Depending upon the tool, it shows potential vulnerabilities in a nice report and then you can report how you mitigated them.
We use IBM AppScan and it is a good tool for this. As with any tester of this type you will find yourself following a lot of bad leads. Most of them are not false positives per se, more just things that might be an issue or appear to be and you will have to investigate and determine if they actually are.
I would not put a lot of faith in this kind of testing. If your app scans clean it really does not mean your app is clean. Does not mean it is worthless, but don't make it out to be more than it is.
The next thing I would look into is static analysis tools in your various languages. A lot of these are free. Hand in hand with that is developer education. That is usually a pretty cheap solution to the issue, just making sure they understand what the risks are.
There is no silver bullet, no simple answer, you need to define security as an EVERYONE problem and make sure it is given both priority and commitment.
Check out dotDefender - they've got versions for IIS/Apache/ISA. I use this app to protect against SQL Injection/XSS/DDOS/probing/encoding attacks. No piece of software will ever be perfect but in my case I run systems with sites being developed in .NET, PHP, and classic ASP with some of our sites being new and others being 5+ years old.
http://www.applicure.com/?page=dotDefender
I do also have a company do penetration testing / social engineering every year or so as well but with dotDefender I'm at least happy that I've got a baseline security blanket to protect my sites.
Of particular interest to me was that their app is fully x64 compatible - necessary since I'm using x64 web servers.

Are there any HTTP/HTTPS interception tools other than Fiddler, Charles, Poster, and Achilles? [closed]

Closed 7 years ago.
I'm in the process of testing my application with respect to security.
Aside from Fiddler, Charles and Poster (Firefox plug-in), are there any other free-to-use HTTPS interception (and editing) applications out there? Especially ones which can be installed w/o admin privileges.
Achilles comes to mind, but I don't think it can handle https traffic.
Achilles does work on HTTPS traffic, but they note on their site that it is not the best tool any more.
Their suggestions are Burp Suite and WebScarab both of which I highly recommend.
OWASP ZAP - it's free, open source and cross platform.
It's also the most active open source web security tool and came first and second in the last 2 'Top Security Tools' surveys run by Toolswatch.org (2013, 2014)
It was originally forked from Paros, which is no longer maintained, but it now has loads more functionality.
It's an OWASP Flagship project having replaced WebScarab, which is also essentially no longer maintained.
Simon (ZAP Project Lead)
Wireshark is amazing. It captures everything on the network so you'll need to filter down to http/https: http://wiki.wireshark.org/CaptureFilters.
There are a few programs that I would suggest.
Paros Proxy and Ratproxy have already been noted.
scapy is a powerful packet manipulation tool, and has all of the sniffing and monitoring capabilities as well.
dsniff is a suite of tools that allows manipulation, injection, and all sorts of interception and modification options.
There is also a plugin for IE called Tamper IE that has a simple GUI based packet editor.
All of these are free.
Doing more research I came across Paros Proxy. Seems to be a good alternative to the others.
I'd strongly recommend HttpWatch. I believe the basic version is free and captures your HTTPS traffic to some extent. The Professional version is worth the money.
Have a look at ratproxy. It may not be exactly what you're asking for, but is very useful in testing the security of your web app.
Rather than intercepting HTTP and allowing you to edit or replay requests, it installs as a proxy and monitors the normal use of your web app, and then provides a report on possible security issues, along with their severity. It can also be configured to attempt active XSS or XSRF attacks where it thinks there is a vulnerability.
The site says "Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments" but I've only used it on Linux.
Check HTTP Debugger Pro
It is a proxy-less solution and has zero impact on the transferred data.
Also it has modern user interface :)
