World Wide Web Security
Modified 16 December 2009
Guidance —
See the World Wide Web Consortium for building
secure servers and clients, protecting documents at your site,
safe CGI and Perl, server logs, and specifics on servers
for Unix, Microsoft NT, Macintosh, and Novell.
Security tools —
- HP has some web application security tools.
- whisker can test your server for CGI vulnerabilities; it is available from rain forest puppy and also from Purdue's CERIAS group.
- grinder can scan an IP block looking for a particular URL (file name, CGI script, etc.).
- hmap can fingerprint a web server.
- Nikto finds web server security holes.
- cgichk looks for CGI holes.
- 404print finds precise patch levels of IIS targets.
- dnascan.pl enumerates ASP.NET subsystem components and configuration.
- ZeroDayScan can scan your website for security holes, looking for Cross Site Scripting (XSS) attacks, SQL Injection vulnerabilities, hidden directories and backup files, and known security vulnerabilities. It fingerprints a website and generates free reports.
Secure Web Programming
- PHP is a powerful server-side scripting language, but with the power and the execution on the server comes risk.
- Also see the software security page for suggestions on PHP programming security.