World Wide Web Security

Modified 16 December 2009

Guidance —

See the World Wide Web Consortium for building secure servers and clients, protecting documents at your site, safe CGI and Perl, server logs, and specifics on servers for Unix, Microsoft NT, Macintosh, and Novell:

• WWW Security FAQ: http://www.w3.org/Security/faq/
• WWW Security Resources: http://www.w3.org/Security/
• NCSA CGI Programming Guide: http://hoohoo.ncsa.uiuc.edu/cgi/security.html
• Perl Security http://www.perl.com/query.sgi?security/

Security tools —

• HP has some web application security tools.
• whisker can test your server for CGI vulnerabilities, it is available from rain forest puppy. and also from Purdue's CERIAS group.
• grinder can scan an IP block looking for a particular URL (file name, CGI script, etc).
• hmap can fingerprint a web server.
• Nikto finds web server security holes.
• cgichk looks for CGI holes.
• 404print finds precise patch levels of IIS targets.
• dnascan.pl enumerates ASP.NET subsystem components and configuration.
• ZeroDayScan can scan your website for security holes, looking for Cross Site Scripting (XSS) attacks, SQL Injection vulnerabilities, hidden directories and backup files, and known security vulnerabilities. It fingerprints a website and generates free reports.

Secure Web Programming

• PHP is a powerful server-side scripting language, but with the power and the execution on the server comes risk.
  • The PHP Security Consortium has a PHP Security Guide: http://phpsec.org/projects/guide/
  • Thomas Oertli's "Secure Programming in PHP": http://www.cgisecurity.com/lib/php-secure-coding.html
  • Linux Format magazine's "PHP — Secure Coding": http://www.linuxformat.co.uk/wiki/index.php/PHP_-_Secure_coding
  • PHP Security Scanner: http://securityscanner.lostfiles.de/
• Also see the software security page for suggestions on PHP programming security.

Back to the main Security Page

Home Unix/Linux Networking Infosec Travel Technical Radio Site Map Contact