Share your recommendations & reviews of website vulnerability scanners here! (Please note that these reviews by the StopBadware community do not constitute an endorsement by StopBadware.org.)
-- We have had to disable non-moderator editing access due to frequent spam attacks. To suggest a resource for this page, please contact Erica (the group manager) or make your suggestion in a post to the discussion list. --
Devfense (suggested by jnarvey) http://www.boonbox.net/devfense.htm - Devfense, a boxed service from Boonbox, is a website vulnerability scanner plus IT expertise that locates vulnerabilities (e.g. cross-site scripting and SQL injection vulnerabilities), provides a report on the discovered problems, recommendations for fixes, and support to fix the problems. It also helps organizations ensure compliance with dozens of security regulations, such as PIPEDA, PIPA, HIPAA, PCI DSS, etc.
Boonbox also has some excellent links to white papers and other resources on web security at http://www.boonbox.net/resources_devfense.htm
Jart suggested sites and tools
http://sectools.org/ - Top 100 security tools
http://sectools.org/web-scanners.html - Top 10 web vulnerability scanners
http://en.wikipedia.org/wiki/Fyodor - info on the author of sectools
Flash / SWF tools: http://www.adopstools.net/ - "This tool is provided for you to scan your flash creative and gives you a complete and exhaustive report about its content such as version, dimensions, weight, list of getURL and actionscripts, detect security hole and malware presence." (via Sandi of Spyware Sucks blog)
Joomla! Administrators, advice & tools (including for those not using Joomla!)
Joomla! Administrator's Security Checklist: http://help.joomla.org/component/option,com_easyfaq/task,view/id,167/Itemid,268/
Help! My site's been compromised. Now what? : http://help.joomla.org/component/option,com_easyfaq/task,view/id,100/Itemid,268/
How to find exploits using the *NIX shell: http://forum.joomla.org/index.php/topic,99342.0.html
Finding XSS and SQLI Website Vulnerabilities
Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities are present in many modern web applications. Pixy is a Java program that performs automatic scans of PHP 4 source code, aimed at the detection of XSS and SQL injection vulnerabilities. Pixy takes a PHP program as input and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.
Download from: http://pixybox.seclab.tuwien.ac.at/pixy/download.php (free, open source)
Note: all you need to get started is a Java 1.6 runtime environment. Pixy has been primarily developed for Linux, but this should not really matter since Java is platform-independent. If you are working with Windows, you have two options:
Additional Web Server and Web Application (XSS and SQL injection) tools
The following tools are all open source and can be quite technical. However, as with most open source projects, a bit of googling will find a wealth of information.
Rebecca's Webmaster tools - Using a standard PC with Windows and FireFox + FireFox Add Ons + Free PC Tools
1. Server access - I know it sounds obvious, but to start with, as the site webmaster I realized I did not have full access or know what tools were available. So check this first; if you use CPanel or similar, many of the tools to clean up and check are there, e.g. http://www.cpanel.net/docs/cpanel/
2. Firefox and add ons - As the webmaster you have to be able to look at the site and check what is called. What we mean by this is the "scripts": for example you may use a simple Ad or banner; what is actually called by your web site, e.g. the "inline scripts", "cookies" etc. Just a note for end users if you surf with Firefox and these add-ons.
a. Firefox - ensure latest version (set for no-popups and cookies to manually accept)
b. Google toolbar (add on) - this helps to search the web for any terms or third party web addresses, but for me if you search "define:sql injection" you can get any description to help you, or use "site:anywebsite.com", "inurl:anywebsite.com", "cache:anywebsite.com" to see a lot more about any web site, including your own.
c. McAfee Site Advisor (add on) - Just to check out any web address you come across, especially on any spam or script.
d. No-Script (add on) - this is great because when used you can look at a web site but any script on the web site is disabled.
e. PhProxy (add on) - Using this you can go to any website without using your real IP address; however, this is for the first safe look, and you have to switch this off when you look at "inline scripts".
f. Edit Cookies (add on) - Now you can see any cookies before you accept them.
g. DOM Inspector (add on) - Lets you inspect a web window and its contents.
h. Safe cache (add on) - Prevents any cache based privacy attacks.
i. Key scrambler (add on) - This encrypts any passwords you type on your PC for websites; just in case there are keyloggers in action.
j. Web developer (add on) - This lets you check the actual scripts called, in other words not what you think is on your website, but what the user actually gets.
3. Notepad++ - This is an open source text editor; using this you can capture or download text, HTML, scripts, server log files, SQL, and save them for later examination.
4. SmartFTP - There are several around; this is the one we used, simply because you can use it in a secure mode and set / reset file permissions, so you help prevent being attacked again.
5. Windiff - A free utility so you can compare directories (and even individual files) that you FTP as a backup from your website to your PC.
6. On the server (assumes PHP & MySQL):
a. Server log files - just use your secure FTP to download them and check them in your text editor.
b. PHPmyAdmin - now this is daunting at first, but a bit of reading (http://www.phpmyadmin.net/home_page/docs.php) soon helps you master it; in our case this was vital to download and back up the website databases. This is where we found most of the problems that could have re-infected / re-hijacked us.
c. PhpBB - forum tools: http://www.phpbb.com/community/ - lots of help here.
7. Common sense - Maybe the most important webmaster tool: know what should be within the website; its scripts, files, on the forums, within the SQL databases, etc. If you see a call to some website you do not recognize, check it out. If some script is calling to download a special multimedia application, is it the real one? If some website / bot is coming to your site (on the server log files) every 10 seconds, why is it coming? What is its purpose, or even more important, what is calling it? Simple really.
Server side script that might prevent SQL injection
A couple of ASP scripts have been posted by morebeer and FatherStorm: http://groups.google.com/group/stopbadware/browse_thread/thread/928023063d051842
Unmask Parasites http://UnmaskParasites.com - free online service that checks web pages for hidden illicit content (invisible spam links, iframes, suspicious scripts and redirects). Not a definitive test, but it may reveal some nasty code that can easily be missed when you look through raw HTML.
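The hidden iframes, off-site scripts, invisible links and redirects that Unmask Parasites looks for, and that Rebecca's "check what is actually called" step covers, can also be flagged offline from a downloaded copy of a page. The script below is an added example for this page, not a StopBadware, Unmask Parasites or Boonbox tool; the hostnames and the sample page are constructed, and `own_hosts` is assumed to be the list of hostnames the site legitimately loads from.

```python
# Added example (not a StopBadware or Unmask Parasites tool): flag hidden
# iframes, off-site scripts, hidden links and redirects in saved HTML.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"meta", "br", "img", "link", "input", "hr"}  # tags with no closing tag

class SuspectScanner(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []      # (kind, url or content)
        self.hidden = []        # per open element: is it inside a hidden subtree?

    def _external(self, url):
        host = urlparse(url).hostname   # None for relative URLs such as /js/site.js
        return bool(host) and host.lower() not in self.own_hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hid = bool(HIDDEN.search(a.get("style", ""))) or bool(self.hidden and self.hidden[-1])
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        if tag == "iframe" and (tiny or hid):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script" and self._external(a.get("src", "")):
            self.findings.append(("external-script", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "a" and hid and self._external(a.get("href", "")):
            self.findings.append(("hidden-link", a["href"]))
        if tag not in VOID:
            self.hidden.append(hid)

    def handle_endtag(self, tag):
        if self.hidden:
            self.hidden.pop()

def scan_html(html, own_hosts):
    # own_hosts: hostnames this site legitimately loads scripts and links from
    s = SuspectScanner(own_hosts)
    s.feed(html)
    return s.findings

# Constructed sample page: one legitimate script plus four injected items.
SAMPLE = """<html><head><meta http-equiv="refresh" content="0;url=http://bad.example.invalid/go">
<script src="/js/site.js"></script><script src="http://evil.example.invalid/a.js"></script>
</head><body><iframe src="http://bad.example.invalid/x.php" width="0" height="0"></iframe>
<div style="display:none"><a href="http://spam.example.invalid/">cheap pills</a></div>
<a href="http://partner.example.invalid/">visible link</a></body></html>"""
```

Run `scan_html(SAMPLE, ["www.example.com"])` to get the four findings in document order; the visible off-site link is not reported, since a plain outbound link is not itself suspicious.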