World Wide Web Security
SSL and TLS
See my page about SSL/TLS security for details on that crucial protocol.
Guidance
See Google's Browser Security Handbook for a good, detailed discussion of the key security properties of contemporary web browsers. These characteristics are often poorly documented, and several classes of security vulnerabilities are caused by insufficient understanding of them.

The Open Web Application Security Project has a useful set of OWASP Cheat Sheets with good guidance on web programming and site design.

See the World Wide Web Consortium and others for building secure servers and clients, protecting documents at your site, safe CGI and Perl, server logs, and specifics on servers for Unix, Microsoft NT, Macintosh, and Novell:
Security tools
- Nikto finds web server security holes.
- whisker can test your server for CGI vulnerabilities; it is available from rain forest puppy and also from Purdue's CERIAS group.
- Vega is an open-source, GUI-based web application security scanner that runs on Linux, Mac OS X, and Windows. "The automated scanner crawls a web application, analyzing pages, looking for interesting content and injection points. Vega runs modules on the web application that test for vulnerabilities or analyze content. These modules are written in JavaScript and are entirely customizable. Vega modules can generate alerts to make users aware of the findings. Vega also includes an intercepting proxy. The proxy is situated between a browser and the target application, intercepting all requests and responses between them. Users can view the interaction of the client with the website, intercepting and modifying requests and responses to probe and verify possible vulnerabilities. The proxy is also capable of intercepting HTTPS communications with dynamically generated man-in-the-middle certificates." Its beta release description is here and its download page is here.
- Golem is a scanning service which looks for a wide variety of web server vulnerabilities: SQL injection, server-side command or shell injection, XML and XPath injection, format string vulnerabilities, integer overflow vulnerabilities, unauthorized HTTP PUT, XSS, and more. A free scan will go through about 10% of a site as a demo; the paid service scans the entire site on a continuing schedule.
- Sectools.org has a nice list of web vulnerability scanners.
- HP has some web application security tools.
- grinder can scan an IP block looking for a particular URL (file name, CGI script, etc.).
- hmap can fingerprint a web server.
- cgichk looks for CGI holes.
- 404print finds precise patch levels of IIS targets.
- dnascan.pl enumerates ASP.NET subsystem components and configuration.
- ZeroDayScan can scan your website for security holes, looking for Cross-Site Scripting (XSS) vulnerabilities, SQL injection vulnerabilities, hidden directories and backup files, and known security vulnerabilities. It fingerprints a website and generates free reports.
Secure Web Programming
- PHP is a powerful server-side scripting language, but with that power, and with execution on the server, comes risk.
- Also see the software security page for suggestions on PHP programming security.