World Wide Web Security

Modified 04 April 2007

Guidance — See the World Wide Web Consortium for building secure servers and clients, protecting documents at your site, safe CGI and Perl, server logs, and specifics on servers for Unix, Microsoft NT, Macintosh, and Novell:

WWW Security FAQ: http://www.w3.org/Security/faq/
WWW Security Resources: http://www.w3.org/Security/
Index of WWW security links: http://www.alw.nih.gov/Security/security-www.html
NCSA CGI Programming Guide: http://hoohoo.ncsa.uiuc.edu/cgi/security.html
Perl Security http://reference.perl.com/query.sgi?security/

Security tools —

WebInspect — runs on Windows 98/NT/2000/XP, can audit Apache, IIS, etc., audits web applications running on web servers and tying into backend services and servers: http://www.spidynamics.com
whisker — test your server for CGI vulnerabilities: http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
grinder — scans an IP block looking for a particular URL (file name, CGI script, etc): http://www.packetstormsecurity.com/groups/rhino9/grinder11.zip
Fingerprint a web server with hmap, http://ujeni.murkyroc.com/hmap/
Look for web server security holes with nikto, http://www.cirt.net/code/nikto.shtml
Look for CGI holes with CGIchk, http://sourceforge.net/projects/cgichk/
Find precise patch levels of IIS targets with 404print, http://www.digitaldefense.net/labs/tools/404print.c
Enumerate ASP.NET subsystem components and configuration with dnascan.pl, http://examples.oreilly.com/networksa/tools/dnascan.pl.gz
Whisker looks for web server vulnerabilities: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners/whisker/

Secure Web Programming

PHP is a powerful server-side scripting language, but with the power and the execution on the server comes risk.
Also see the software security page.

Security Page

Home Page

Site Map

Public Key

E-Mail


© Bob Cromwell Oct 2008. Created with `/bin/vi` and ImageMagick, hosted on OpenBSD with Apache. Root password available here