Checking web site security - the quick approach

One of the most frequent questions put to a security officer is: Is this web site secure?
While a proper answer can only be obtained through a full-blown penetration test, there is a quick approach which will yield a very good "feel" for the site's security.

The approach
In order to obtain relevant results from this quick approach, you need to assess the web site from the following aspects:

  1. Overall server weaknesses
  2. Web server weaknesses
  3. Web site/application weaknesses
The tools
To carry out the quick check, one must use the proper tools of the trade. Luckily, the tools of the quick approach are free and very efficient:
  1. Nessus - For server weaknesses assessment
  2. Paros - For web server weaknesses assessment
  3. Ratproxy - For web site/application weaknesses assessment
The process
If the target is not owned by your company, be sure to obtain consent from the owners before scanning: the Nessus plugins and the Paros active scan both send traffic that an owner who did not agree to it may treat as an attack. Use the tools in the sequence in which they are presented.
  1. Nessus - For server weaknesses assessment - Choose the default scan and, if possible, enable the disruptive checks and let it rip. Keep in mind that turning off Nessus's "safe checks" enables plugins that can crash or hang a vulnerable service, so do this only on a system whose owner accepts the downtime; against a production box leave safe checks on. Nessus generates an HTML report as it scans the target.
  2. Paros - For web server weaknesses assessment - Paros functions as an intercepting proxy. Once you run it, reconfigure your browser to use localhost, port 8080 (the Paros default listener) as its HTTP proxy. This sends all browser requests through Paros and lets it record the site. Make sure you visit only the target site while the proxy is active, so that nothing else ends up in the scan scope. After this, choose Analyze -> Spider, and Analyze -> Scan. The scan is active: it replays every recorded request with attack payloads, which can leave junk records or trigger application actions, so prefer a test instance where one exists. After the scan is finished, choose Report -> Last Scan Report to get the HTML report.
  3. Ratproxy - For web site/application weaknesses assessment - Ratproxy is also a proxy, but a largely passive one: it flags problems in the traffic you generate instead of attacking the site, so its coverage is only as good as your browsing. Start it with a log file and restrict analysis to the target domain, for example: ratproxy -w ratproxy.log -d target.example (replace target.example with the site's host name). Then reconfigure your browser to use localhost at port 8080 (also the ratproxy default) as the proxy. This will send all requests through Ratproxy. Make sure you follow every link and use every function of the site, including forms and any logged-in areas. Once you are finished, stop ratproxy and run the bundled report script, ratproxy-report.sh ratproxy.log > report.html, to get the HTML report.
Each of these tools provides a clear report. Start with the findings rated medium and above, then read each finding's description and recommendation to evaluate the actual risk to your company: a scanner rates how exploitable an issue is in general, not what it means for your site.

When you complete this process, if the web server hosts other sites (shared hosting), run Ratproxy against as many of them as you can, to assess the possible risk to your site via attacks delivered through the neighbouring sites on the same server. The consent rule above applies to those sites as well.
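As an added example (it is not part of the original post and is not a Nessus feature), the triage step above, "look for weaknesses marked medium and above", can be done from the exported scan instead of by reading the HTML report. The script assumes the Nessus results are exported in the .nessus (v2 XML) format, where each ReportItem carries a numeric severity attribute (0 Info, 1 Low, 2 Medium, 3 High, 4 Critical); the embedded sample export is constructed for illustration, and its host, plugin IDs and plugin names do not correspond to real Nessus plugins.

```python
"""Triage a Nessus .nessus (v2 XML) export: keep only findings rated Medium or above.

Added example for this post, not a tool from the original page. Assumes the scan
was exported in the .nessus v2 XML format, not the HTML report the post uses.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Severity attribute values as used in the .nessus v2 schema.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
MEDIUM = 2

# Constructed sample export for offline use: the host, plugin IDs and plugin
# names are made up for illustration and are not real Nessus plugins.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="quick-check">
<ReportHost name="www.example.test">
<HostProperties><tag name="host-ip">192.0.2.10</tag></HostProperties>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="900001" pluginName="Outdated web server version (constructed)">
<risk_factor>High</risk_factor>
<solution>Upgrade the web server to a supported release.</solution>
</ReportItem>
<ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="900002" pluginName="HTTP TRACE method enabled (constructed)">
<risk_factor>Medium</risk_factor>
<solution>Disable the TRACE method in the web server configuration.</solution>
</ReportItem>
<ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="900003" pluginName="Web server banner disclosed (constructed)">
<risk_factor>None</risk_factor>
</ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="900004" pluginName="Weak SSH MAC algorithms offered (constructed)">
<risk_factor>Low</risk_factor>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_findings(xml_text):
    """Flatten every ReportItem of every ReportHost into a list of dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                # The fix Nessus suggests; empty when the plugin gives none.
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def triage(findings, minimum=MEDIUM):
    """Keep findings at or above the threshold, worst first, then by host and port."""
    kept = [f for f in findings if f["severity"] >= minimum]
    kept.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return kept


def summarize(findings):
    """Count findings per severity name, across all severities, for the overview line."""
    return dict(Counter(SEVERITY_NAMES.get(f["severity"], str(f["severity"]))
                        for f in findings))


def format_report(kept):
    """One line per finding that needs a human look, plus the suggested fix when present."""
    lines = []
    for f in kept:
        lines.append("%-8s %s:%d/%s  %s (plugin %s)" % (
            SEVERITY_NAMES.get(f["severity"], "?"), f["host"], f["port"],
            f["protocol"], f["name"], f["plugin_id"]))
        if f["solution"]:
            lines.append("         fix: " + f["solution"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python nessus_triage.py [scan.nessus]; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NESSUS
    all_findings = parse_findings(text)
    print("counts:", summarize(all_findings))
    print(format_report(triage(all_findings)))
```

Run it with the path to an exported .nessus file as the only argument; the medium-and-above list it prints is the set of findings to investigate by hand, and the severity counts give the one-line "feel" the post is after. Lower the threshold with triage(findings, minimum=1) when you also want the Low findings.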

Talkback and comments are most welcome


Comments:

Wonderland said...

Wow, I like this post, especially the tools you mentioned for checking web security. Good work. Thanks

