Web Security Tools

Web Security

SSL and TLS

See my page about SSL/TLS security for details on that crucial protocol.

Web Browser Security Properties

See Google's Browser Security Handbook for a good detailed discussion of key security properties of contemporary web browsers. These characteristics are often poorly documented, and several classes of security vulnerabilities are caused by insufficient understanding of them.

Web Programming and Site Design Guidance

The Open Web Application Security Project has a useful set of OWASP Cheat Sheets with good guidance on web programming and site design.

See the World Wide Web Consortium and others for building secure servers and clients, protecting documents at your site, safe CGI and Perl, server logs, and specifics on servers for Unix, Microsoft NT, Macintosh, and Novell:

• W3.org Security FAQ
• W3.org Security Resources
• OWASP: The Open Web Application Security Project
• CGI Programming 101
• O'Reilly's "Beginner's Introduction to Perl"

Don't Run the Web Server as root

Duh. But people still need to be told this. Especially the creators of Microsoft's IIS, which was designed to run with SYSTEM privileges. At least they finally fixed that at IIS version 6.0.

Add Security-Focused Server HTTP Headers

As this page explains, the following server settings improve security.

• X-Content-Type-Options set to nosniff
• X-XSS-Protection set to 1;mode=block
• X-Frame-Options set to DENY or SAMEORIGIN
• Cache-Control set to no-store, no-cache
• X-Content-Security-Policy set side-wide or page by page. See the W3 Content Security Policy definition for all the details.
• Strict-Transport-Security set to a reasonable timeout.
• Access-Control-Allow-Origin set to control which sides are allow to bypass the same-original policies and send cross-origin requests.

Security Tools

ZAP or Zed Attack Proxy is a fuzzing penetration testing tool for web servers. "The world's most widely used web app scanner"

Nikto finds web server security holes.

whisker can test your server for CGI vulnerabilities,

urlscan.io provides a lot of insight into web pages. It inventories the technologies used, and provides profiles of network traffic used during page loads.

URLVoid analyzes a web site through multiple blacklist engines and reputation tools. It helps you identity and analyze untrustworthy websites.

Burp Suite is a collection of tools for web site penetration testing.

Dirbuster enumerates web directories and files.

SqlMap detects and exploits SQL Injection vulnerabilities.

Browser Exploitation Framework or BeEF exploits the browser with cross-site scripting flaws.

Vega is an open-source GUI based web application security scanner that runs on Linux, macOS, and Windows. "The automated scanner crawls a web application, analyzing pages, looking for interesting content and injection points. Vega runs modules on the web application that test for vulnerabilities or analyze content. These modules are written in Javascript and are entirely customizable. Vega modules can generate alerts to make users aware of the findings. Vega also includes an intercepting proxy. The proxy is situated between a browser and the target application, intercepting all requests and responses between them. Users can view the interaction of the client with the website, intercepting and modifying requests and responses to probe and verify possible vulnerabilities. The proxy is also capable of intercepting HTTPS communications with dynamically generated man-in-the-middle certificates." Its beta release description is here and its download page is here.

Golem is a scanning service which looks for a wide variety of web server vulnerabilities: SQL injection, server-side command or shell injection, XML and XPATH injection, string format vulnerabilities, integer overflow vulnerabilities, unauthorized HTTP PUT, XSS, and more. A free scan will go through about 10% of a site as a demo, the paid service scans the entire site on a continuing schedule.

Sectools.org has a nice list of web vulnerability scanners

grinder can scan an IP block looking for a particular URL (file name, CGI script, etc).

hmap can fingerprint a web server.

cgichk looks for CGI holes.

404print finds precise patch levels of IIS targets.

dnascan.pl enumerates ASP.NET subsystem components and configuration.

ZeroDayScan can scan your website for security holes, looking for Cross Site Scripting (XSS) attacks, SQL Injection vulnerabilities, hidden directories and backup files, and known security vulnerabilities. It fingerprints a website and generates free reports.