World Wide Web Security
Modified 04 April 2007
Guidance —
See the World Wide Web Consortium for building secure servers and clients, protecting documents at your site, safe CGI and Perl, server logs, and specifics on servers for Unix, Microsoft NT, Macintosh, and Novell:
Security tools —
- WebInspect — runs on Windows 98/NT/2000/XP, can audit Apache, IIS, etc., and audits web applications running on web servers and tied into backend services and servers: http://www.spidynamics.com
- whisker — tests your server for CGI vulnerabilities: http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
- grinder — scans an IP block looking for a particular URL (file name, CGI script, etc.): http://www.packetstormsecurity.com/groups/rhino9/grinder11.zip
- Fingerprint a web server with hmap: http://ujeni.murkyroc.com/hmap/
- Look for web server security holes with nikto: http://www.cirt.net/code/nikto.shtml
- Look for CGI holes with CGIchk: http://sourceforge.net/projects/cgichk/
- Find precise patch levels of IIS targets with 404print: http://www.digitaldefense.net/labs/tools/404print.c
- Enumerate ASP.NET subsystem components and configuration with dnascan.pl: http://examples.oreilly.com/networksa/tools/dnascan.pl.gz
- Whisker looks for web server vulnerabilities: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners/whisker/