Automated Website Security Test
You have a webpage, but you want to be sure it is secure. That is where website security testing comes into play. In this article, I will show you how to perform a fully automated website security test, what to look for in the testing, how to read results of the test, and the risks of running a security test on your site.
Performing an automated website security test
Running a website security test is very simple. This site offers a very comprehensive scan - see our website security scan options. There are also many excellent open source tools available. Some of my favorites are w3af and skipfish.
If you use the Golem tool, getting your test started is as simple as entering your URL. The scanner does the rest, automatically configuring itself to test the target site appropriately and scanning in depth. If you choose an open source tool, a bit more setup is required. In most cases you will need to download and compile the scanner and read up on the correct options for scanning your site. Getting the settings right for a particular site can be tricky without understanding what types of information you are looking for and how the tool tests for them, but it is worth learning if you plan on testing many sites.
What to look for in website security testing
There are several major areas you want to test against with an automated scan. The tools I listed above all include these tests with the proper configuration.
- SQL Injection
- Cross Site Scripting
- Informative error messages or source code being shown to the user
- Improper SSL use, if applicable
These are generally the most common and serious vulnerabilities which can lead to a host of other issues on a website. Make sure you test for these at a minimum.
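To make the first three items on that list concrete, here is an added example (written for this article, not taken from any of the scanners mentioned) that puts the vulnerable form of each next to its fixed form, using an in-memory SQLite table as a stand-in for a site's database. The table contents, the parameter names and the error text are all constructed for the example. SSL use is a transport-layer setting and is not shown here.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


# --- SQL injection: the flaw a scanner reports, and the fix -----------------

def lookup_vulnerable(conn, name):
    # The query is built by string formatting, so whatever the scanner sends
    # in the 'name' parameter is parsed as SQL, not treated as a value.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    # Parameterized query: the value is bound by the driver and can never
    # change the structure of the statement.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Cross-site scripting: reflecting input into HTML ----------------------

def render_vulnerable(search_term):
    # The search term is written into the page verbatim, so any HTML or
    # script tags in it become part of the page.
    return "<p>Results for %s</p>" % search_term


def render_fixed(search_term):
    # Escape the term for an HTML context; tags are rendered as text.
    return "<p>Results for %s</p>" % html.escape(search_term, quote=True)


# --- Informative errors: what the user sees when something breaks ----------

def handle_request_vulnerable(conn, name):
    try:
        return {"status": 200, "body": str(lookup_vulnerable(conn, name))}
    except sqlite3.Error as err:
        # Leaks the database engine's own message (often with query
        # fragments) straight to the browser; scanners flag this.
        return {"status": 500, "body": "Database error: %s" % err}


def handle_request_fixed(conn, name, log):
    try:
        return {"status": 200, "body": str(lookup_fixed(conn, name))}
    except sqlite3.Error as err:
        # Detail goes to the server log (a list here, for illustration);
        # the user gets a generic message.
        log.append("db error for name=%r: %s" % (name, err))
        return {"status": 500, "body": "An internal error occurred."}


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the kind of input an automated scanner submits
    print("vulnerable lookup:", lookup_vulnerable(db, probe))  # every row
    print("fixed lookup:     ", lookup_fixed(db, probe))       # no rows
    print(render_vulnerable("<b>x</b>"))
    print(render_fixed("<b>x</b>"))
    print(handle_request_vulnerable(db, "'"))
```

When you replicate a scanner finding by hand, as the next section describes, the "vulnerable" functions are what the flagged page is doing; the "fixed" functions are the shape the correction usually takes.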
How to read website security test results
To those not versed in website security, it can be difficult to understand the output of a website scan. Often many items are flagged, sometimes in the hundreds. Don't let the count scare you - a single website security flaw often shows up on multiple pages of a site, inflating the apparent number of distinct vulnerabilities.
Focus on the high risk areas first. The report should include a link to the page where the issue was found, so head over to that page and keep a copy of the report handy. A report should also give you a clue as to how the scanner determined the issue: it may show the input it submitted (the input may look strange, because it is an attack attempt) or the way it modified the URL. Try to replicate what the scanner did manually, and work out how to correct the website to fix the issue. Sometimes replicating what the scanner did doesn't appear to do anything at all - but the scanner usually had good reason for flagging the issue, so check the generated source code and the server logs for more information.
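The following is an added example, not output from any real scanner, of how to collapse a long list of findings into the smaller set of actual flaws behind them, and order those by risk. The findings, URLs, parameter names and severity labels are constructed; real scanners export their own formats, so the field names here are an assumption to adapt.

```python
import re
from collections import defaultdict

# Constructed sample findings in the rough shape a scanner might export:
# the same SQL injection reported on three product pages, the same XSS on
# two search pages, one verbose error, and a site-wide cookie flag issue.
SAMPLE_FINDINGS = [
    {"type": "SQL Injection", "severity": "high",
     "url": "http://example.test/item?id=1", "param": "id"},
    {"type": "SQL Injection", "severity": "high",
     "url": "http://example.test/item?id=2", "param": "id"},
    {"type": "SQL Injection", "severity": "high",
     "url": "http://example.test/item?id=37", "param": "id"},
    {"type": "Cross Site Scripting", "severity": "high",
     "url": "http://example.test/search?q=shoes", "param": "q"},
    {"type": "Cross Site Scripting", "severity": "high",
     "url": "http://example.test/search?q=hats", "param": "q"},
    {"type": "Verbose error", "severity": "medium",
     "url": "http://example.test/item?id=abc", "param": "id"},
    {"type": "Missing HttpOnly cookie flag", "severity": "low",
     "url": "http://example.test/", "param": None},
    {"type": "Missing HttpOnly cookie flag", "severity": "low",
     "url": "http://example.test/about", "param": None},
    {"type": "Missing HttpOnly cookie flag", "severity": "low",
     "url": "http://example.test/search?q=x", "param": None},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def normalize_url(url):
    """Reduce a URL to a page template: drop query values and numeric path
    segments so /item?id=1 and /item?id=2 are recognised as the same page."""
    path, _, query = url.partition("?")
    path = re.sub(r"/\d+(?=/|$)", "/{n}", path)
    keys = sorted(p.partition("=")[0] for p in query.split("&") if p)
    return path + ("?" + "&".join(keys) if keys else "")


def root_cause_key(finding):
    # Parameter-level flaws: same type, same page template, same parameter
    # is one bug. Site-wide flaws (no parameter): one bug per type.
    if finding["param"] is None:
        return (finding["type"], "*", None)
    return (finding["type"], normalize_url(finding["url"]), finding["param"])


def triage(findings):
    """Group raw findings by probable root cause and sort by severity, then by
    how many pages each one affects."""
    groups = defaultdict(list)
    for finding in findings:
        groups[root_cause_key(finding)].append(finding)
    rows = []
    for (ftype, location, param), items in groups.items():
        rows.append({
            "type": ftype,
            "location": location,
            "param": param,
            "severity": items[0]["severity"],
            "occurrences": len(items),
            "example_url": items[0]["url"],   # where to start replicating it
        })
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], -r["occurrences"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print("%-7s %-28s x%d  e.g. %s" % (row["severity"], row["type"],
                                          row["occurrences"], row["example_url"]))
```

Nine reported items become four things to fix, and the first row's example URL is the page to open alongside the report.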
Risks of automated website security testing
There are always risks when running an automated tool against your site. In this case, security tools tend to attack web forms relentlessly. This means that any form a user can submit will probably be submitted in hundreds of ways by the security scanner. Some of these submissions may cause your site to take action, like creating a new user or sending a support request or email. For this reason it is often best to scan a development copy of the site, or at least to be aware that forms will be submitted.
Also, because scanners often run very quickly, they may add significant load to your web server, potentially slowing down the site for everyone else. If you see this, consider improving the page load time or taking measures to protect against denial of service attacks, which may use methods similar to a security scanner's to bring down sites. This is also part of security testing, though not technically part of the automated tests most scanners perform.
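Both the advice above to check the server logs and the load concern in this section come down to recognising what a scan looks like from the server side: one client, many requests per minute, many different inputs to the same page, and a burst of server errors. The following is an added example (not from the article or from any scanner) that parses access-log lines in the common combined format and flags clients with that profile. The log lines are constructed by the script itself, and the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx combined log format: client, user, timestamp, request, status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it doesn't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "query": query, "status": int(m.group("status"))}


def analyze(lines, rate_threshold=60, variant_threshold=20, error_threshold=10):
    """Flag clients whose traffic looks like an automated scan.

    Thresholds are assumptions for the example: requests per minute from one
    client, distinct inputs sent to one page, and 5xx responses triggered."""
    per_minute = Counter()        # (ip, minute) -> requests
    variants = defaultdict(set)   # (ip, path) -> distinct query strings seen
    errors = Counter()            # ip -> 5xx responses
    clients = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        clients.add(rec["ip"])
        per_minute[(rec["ip"], rec["ts"].replace(second=0))] += 1
        variants[(rec["ip"], rec["path"])].add(rec["query"])
        if rec["status"] >= 500:
            errors[rec["ip"]] += 1

    report = {}
    for ip in clients:
        peak = max((n for (i, _), n in per_minute.items() if i == ip), default=0)
        most = max((len(q) for (i, _), q in variants.items() if i == ip), default=0)
        reasons = []
        if peak >= rate_threshold:
            reasons.append("request_rate")
        if most >= variant_threshold:
            reasons.append("input_fuzzing")
        if errors[ip] >= error_threshold:
            reasons.append("server_errors")
        if reasons:
            report[ip] = {"peak_per_minute": peak, "max_input_variants": most,
                          "server_errors": errors[ip], "reasons": reasons}
    return report


def build_sample_log():
    """Constructed log: one ordinary visitor and one client behaving like a scanner."""
    fmt = '%s - - [10/Oct/2023:13:%02d:%02d +0000] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"'
    lines = []
    # Ordinary visitor: a handful of pages spread over a few minutes.
    for i, page in enumerate(["/", "/search?q=shoes", "/item/12", "/contact"]):
        lines.append(fmt % ("198.51.100.7", 55 + i, 3, "GET", page, 200))
    # Scanner-like client: 90 requests within one minute, each a different
    # input to /search, a third of them producing a server error.
    for i in range(90):
        status = 500 if i % 3 == 0 else 200
        lines.append(fmt % ("203.0.113.9", 58, i % 60, "GET", "/search?q=probe%d" % i, status))
    return lines


if __name__ == "__main__":
    for ip, info in analyze(build_sample_log()).items():
        print(ip, info)
```

On a production site, a client matching this profile during a scan window is your scanner; outside one, it is the load or denial-of-service pattern the paragraph above describes, and the same numbers tell you which page to look at first.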