
World Wide Web Security

Web Security


See my page about SSL/TLS security for details on that crucial protocol.

Web Browser Security Properties

See Google's Browser Security Handbook for a good detailed discussion of key security properties of contemporary web browsers. These characteristics are often poorly documented, and several classes of security vulnerabilities are caused by insufficient understanding of them.

Web Programming and Site Design Guidance

The Open Web Application Security Project has a useful set of OWASP Cheat Sheets with good guidance on web programming and site design.

See the World Wide Web Consortium and others for guidance on building secure servers and clients, protecting documents at your site, safe CGI and Perl, server logs, and specifics on servers for Unix, Microsoft NT, Macintosh, and Novell.

Don't Run the Web Server as root

Duh. But people still need to be told this. Especially the creators of Microsoft's IIS: through version 5 it handled requests inside inetinfo.exe running as the all-powerful LocalSystem account. IIS 6.0 finally moved request handling into separate worker processes running as the low-privilege Network Service account. On Unix the standard pattern is for the parent process to start as root only long enough to bind port 80 or 443 and read protected files such as the TLS private key, then drop to an unprivileged account (Apache's User and Group directives, nginx's user directive) before it touches any request data. The order of the drop matters, and the drop must be irreversible; a worker that can setuid() back to 0 has not dropped anything.
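The bind-then-drop pattern described above, as an added example that is not code from the page or from any particular web server: the parent binds the privileged port while still root, then gives up supplementary groups, gid and uid in that order, and proves the drop is irreversible before serving. The uid 65534 ("nobody") fallback is this example's assumption; check your own passwd file.

```python
import os
import socket
import sys

NOBODY = 65534  # conventional uid/gid of "nobody"; an assumption, verify on your host


def choose_unprivileged_target():
    """Pick the uid/gid to drop to: the invoking user's own ids, or 'nobody'
    when the process was started as root, so we never 'drop' to uid 0."""
    uid = os.getuid() or NOBODY
    gid = os.getgid() or NOBODY
    return uid, gid


def regains_root():
    """True if the process can still become root, i.e. the drop failed."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def drop_privileges(uid, gid):
    """Permanently give up root; return the (euid, egid) the process ends up with.

    Order matters: supplementary groups, then gid, then uid. Once the uid is
    non-zero the process may no longer change its gid or group list, so doing
    the uid first would leave root group memberships behind.
    """
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to uid/gid 0")
    if os.geteuid() == 0:
        # Only root may rewrite the supplementary group list; clear it so no
        # leftover membership (wheel, shadow, adm, ...) survives the drop.
        os.setgroups([])
    os.setgid(gid)  # as root this sets real, effective and saved gid
    os.setuid(uid)  # as root this sets real, effective and saved uid
    if regains_root():
        raise RuntimeError("privilege drop is reversible: saved uid is still 0")
    return os.geteuid(), os.getegid()


def listen_then_drop(port, uid, gid):
    """Bind the privileged port while still root, then drop before serving."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))  # needs root or CAP_NET_BIND_SERVICE when port < 1024
    srv.listen(5)
    drop_privileges(uid, gid)      # from here on a compromise yields only this user
    return srv


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    uid, gid = choose_unprivileged_target()
    try:
        srv = listen_then_drop(port, uid, gid)
    except PermissionError as exc:
        sys.exit(f"cannot bind port {port}: {exc} (run as root, or pass a port >= 1024)")
    print(f"listening on {port} as uid={os.geteuid()} gid={os.getegid()}, "
          f"regains_root={regains_root()}")
    srv.close()
```

Run it as root to see it bind port 80 and end up as nobody; run it as yourself with a high port to see the same code path succeed without root. Either way regains_root() must report False afterwards, and the function raises if it does not.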

Add Security-Focused Server HTTP Headers

As this page explains, the following server settings improve security.
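A small audit of a server's response headers, as an added example that is not code from the page: it parses a raw HTTP/1.x response header block and reports which hardening headers are missing or weak, and which headers needlessly disclose the software stack. The set of headers checked, the one-year HSTS minimum, and the two sample responses are this example's own constructed choices.

```python
import re

ONE_YEAR = 31536000  # minimum HSTS max-age this example insists on (its own choice)


def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or None if absent."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


# Header name -> predicate that says whether its value is acceptable.
REQUIRED = {
    "strict-transport-security": lambda v: (hsts_max_age(v) or 0) >= ONE_YEAR,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

# Headers whose only real effect is to help an attacker fingerprint the stack.
DISCLOSURE = ("server", "x-powered-by", "x-aspnet-version")


def parse_response_headers(raw):
    """Parse an HTTP/1.x response (status line + headers + optional body) into a
    dict keyed by lower-cased header name; repeated headers are joined with ', '."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    start = 1 if lines and lines[0].upper().startswith("HTTP/") else 0
    for line in lines[start:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, acceptable in REQUIRED.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif not acceptable(headers[name]):
            findings.append(f"weak {name}: {headers[name]!r}")
    for name in DISCLOSURE:
        if headers.get(name):
            findings.append(f"discloses {name}: {headers[name]!r}")
    return findings


def audit_raw(raw):
    return audit_headers(parse_response_headers(raw))


# Constructed sample responses, not captured from any real host.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "X-Frame-Options: ALLOW-FROM http://partner.example\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_raw(raw) or "OK")
```

Feed it the output of `curl -si https://yourhost/` and fix whatever it lists; the HSTS threshold is deliberately strict because a short max-age gives a downgrading attacker a window every time it lapses.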

Security Tools

Nikto finds web server security holes.

whisker can test your server for CGI vulnerabilities; it is available from rain forest puppy and also from Purdue's CERIAS group. whisker itself is no longer maintained; its successor library, LibWhisker, is what Nikto is built on.

Burp Suite is a collection of tools for web site penetration testing.

Dirbuster enumerates web directories and files.

OWASP Zed Attack Proxy (ZAP) is an intercepting proxy and web application scanner with a built-in fuzzer.

sqlmap detects and exploits SQL injection vulnerabilities.

The Browser Exploitation Framework (BeEF) hooks a victim's browser, typically through a cross-site scripting flaw, and then drives further attacks through that browser.

Vega is an open-source GUI based web application security scanner that runs on Linux, Mac OS X, and Windows. "The automated scanner crawls a web application, analyzing pages, looking for interesting content and injection points. Vega runs modules on the web application that test for vulnerabilities or analyze content. These modules are written in JavaScript and are entirely customizable. Vega modules can generate alerts to make users aware of the findings. Vega also includes an intercepting proxy. The proxy is situated between a browser and the target application, intercepting all requests and responses between them. Users can view the interaction of the client with the website, intercepting and modifying requests and responses to probe and verify possible vulnerabilities. The proxy is also capable of intercepting HTTPS communications with dynamically generated man-in-the-middle certificates." Its beta release description and its download page are on the project's site.

Golem is a scanning service which looks for a wide variety of web server vulnerabilities: SQL injection, server-side command or shell injection, XML and XPath injection, format string vulnerabilities, integer overflow vulnerabilities, unauthorized HTTP PUT, XSS, and more. A free scan goes through about 10% of a site as a demo; the paid service scans the entire site on a continuing schedule.

Sectools.org has a nice list of web vulnerability scanners.

grinder can scan an IP block looking for a particular URL (file name, CGI script, etc).

hmap can fingerprint a web server.

cgichk looks for CGI holes.

404print finds precise patch levels of IIS targets.

dnascan.pl enumerates ASP.NET subsystem components and configuration.

ZeroDayScan can scan your website for security holes, looking for Cross Site Scripting (XSS) vulnerabilities, SQL injection vulnerabilities, hidden directories and backup files, and known security vulnerabilities. It fingerprints a website and generates free reports.