SSL and TLS
See my page about SSL/TLS security for details on that crucial protocol.
Web Browser Security Properties
See Google's Browser Security Handbook for a good detailed discussion of key security properties of contemporary web browsers. These characteristics are often poorly documented, and several classes of security vulnerabilities are caused by insufficient understanding of them.
Web Programming and Site Design Guidance
The Open Web Application Security Project has a useful set of OWASP Cheat Sheets with good guidance on web programming and site design.
See the World Wide Web Consortium and others for building secure servers and clients, protecting documents at your site, safe CGI and Perl, server logs, and specifics on servers for Unix, Microsoft NT, Macintosh, and Novell:
- W3.org Security FAQ
- W3.org Security Resources
- OWASP: The Open Web Application Security Project
- CGI Programming 101
- O'Reilly's "Beginner's Introduction to Perl"
Don't Run the Web Server as
Duh. But people still need to be told this. Especially the creators of Microsoft's IIS, which was designed to run with SYSTEM privileges. At least they finally fixed that at IIS version 6.0.
Add Security-Focused Server HTTP Headers
As this page explains, the following server settings improve security.
X-Content-Security-Policyset side-wide or page by page. See the W3 Content Security Policy definition for all the details.
Strict-Transport-Securityset to a reasonable timeout.
Access-Control-Allow-Originset to control which sides are allow to bypass the same-original policies and send cross-origin requests.
ZAP or Zed Attack Proxy is a fuzzing penetration testing tool for web servers. "The world's most widely used web app scanner"
Nikto finds web server security holes.
whisker can test your server for CGI vulnerabilities,
urlscan.io provides a lot of insight into web pages. It inventories the technologies used, and provides profiles of network traffic used during page loads.
URLVoid analyzes a web site through multiple blacklist engines and reputation tools. It helps you identity and analyze untrustworthy websites.
Burp Suite is a collection of tools for web site penetration testing.
Dirbuster enumerates web directories and files.
SqlMap detects and exploits SQL Injection vulnerabilities.
Browser Exploitation Framework or BeEF exploits the browser with cross-site scripting flaws.
Golem is a scanning service which looks for a wide variety of web server vulnerabilities: SQL injection, server-side command or shell injection, XML and XPATH injection, string format vulnerabilities, integer overflow vulnerabilities, unauthorized HTTP PUT, XSS, and more. A free scan will go through about 10% of a site as a demo, the paid service scans the entire site on a continuing schedule.
Sectools.org has a nice list of web vulnerability scanners
grinder can scan an IP block looking for a particular URL (file name, CGI script, etc).
hmap can fingerprint a web server.
cgichk looks for CGI holes.
404print finds precise patch levels of IIS targets.
dnascan.pl enumerates ASP.NET subsystem components and configuration.
ZeroDayScan can scan your website for security holes, looking for Cross Site Scripting (XSS) attacks, SQL Injection vulnerabilities, hidden directories and backup files, and known security vulnerabilities. It fingerprints a website and generates free reports.