Web Security
From ChekMate Security Group
- Achilles -- an intercepting HTTP proxy for testing the security of web applications
- WebInspect -- commercial web application scanner; runs on Windows 98/NT/2000/XP, audits web servers such as Apache and IIS and the web applications running on them, including the backend services and servers they tie into: http://www.spidynamics.com
- whisker -- scans a web server for known CGI and web server vulnerabilities: http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2 (mirror: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners/whisker/)
- grinder -- scans an IP block for hosts that serve a particular URL (file name, CGI script, etc.): http://www.packetstormsecurity.com/groups/rhino9/grinder11.zip
- Fingerprint a web server with hmap, http://ujeni.murkyroc.com/hmap/
- Look for web server security holes with nikto, http://www.cirt.net/code/nikto.shtml
- Look for CGI holes with CGIchk, http://sourceforge.net/projects/cgichk/
- Find precise patch levels of IIS targets with 404print, http://www.digitaldefense.net/labs/tools/404print.c
- Enumerate ASP.NET subsystem components and configuration with dnascan.pl, http://examples.oreilly.com/networksa/tools/dnascan.pl.gz
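The grinder entry above describes a simple but useful technique: expand an IP block and ask every host for one path. The following is an added example (not grinder's own code, and not part of the original page) that does the same thing in Python. Assumptions: plain HTTP on a port you choose, one HEAD request per host, and a constructed set of fake responses in the usage call so it runs offline; the real prober `http_status` is what you would pass when pointing it at a lab network you are authorised to scan.

```python
"""Grinder-style URL sweep: probe every host in an IP block for one path.

Added example, not the grinder tool's own code. The probe function is
pluggable so the sweep logic can be exercised offline against a
constructed response table.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from http.client import HTTPConnection, HTTPException
from typing import Callable, Dict, List, Optional


def expand_block(cidr: str) -> List[str]:
    """Return the usable host addresses of a CIDR block as strings.

    Network and broadcast addresses are skipped for /30 and larger;
    /31 and /32 blocks have no such addresses, so every address is kept.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses <= 2:
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]


def http_status(host: str, path: str, port: int = 80,
                timeout: float = 3.0) -> Optional[int]:
    """Real prober: one HEAD request, returns the status code or None.

    HEAD keeps the sweep cheap; a server that rejects HEAD will show up
    as 405 rather than as a hit, which is still informative.
    """
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path,
                     headers={"Host": host, "User-Agent": "sweep-example"})
        return conn.getresponse().status
    except (OSError, socket.timeout, HTTPException):
        return None
    finally:
        conn.close()


def sweep(cidr: str, path: str,
          probe: Callable[[str, str], Optional[int]] = http_status,
          workers: int = 32) -> Dict[str, int]:
    """Probe every host in the block for `path` concurrently.

    A host counts as a hit when it answers 2xx or 3xx; 404, 5xx and
    unreachable hosts are dropped. Returns {host: status}.
    """
    hosts = expand_block(cidr)
    hits: Dict[str, int] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = pool.map(lambda h: probe(h, path), hosts)
        for host, status in zip(hosts, statuses):
            if status is not None and 200 <= status < 400:
                hits[host] = status
    return hits


# Constructed response table standing in for a real network, so the
# example runs offline. Hosts absent from the table are "unreachable".
FAKE_NET = {
    "192.0.2.1": 200,   # path present
    "192.0.2.2": 404,   # path missing
    "192.0.2.3": 302,   # redirect, still counts as present
    "192.0.2.5": 500,   # server error, not a hit
}


def fake_probe(host: str, path: str) -> Optional[int]:
    """Offline stand-in for http_status using the constructed table."""
    return FAKE_NET.get(host)


if __name__ == "__main__":
    for host, status in sorted(sweep("192.0.2.0/29", "/cgi-bin/phf",
                                     probe=fake_probe).items()):
        print(f"{host}\t{status}")
```

Swap `fake_probe` for the default `http_status` to run it for real; lower `workers` and raise `timeout` on slow or rate-limited networks, since a flood of simultaneous connects is both noisy and prone to false negatives.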
Resources
- Web Based Session Management: Best Practices in Managing HTTP Based Client Sessions, by Gunter Ollmann
- HTML Code Injection and Cross-site Scripting: Understanding the Cause and Effect of CSS (XSS) Vulnerabilities, by Gunter Ollmann
- Custom HTML Authentication: Best Practices on Securing Custom HTML Authentication Procedures, by Gunter Ollmann
- URL Encoded Attacks: Attacks Using the Common Web Browser, by Gunter Ollmann
- Second-order Code Injection: Advanced Code Injection Techniques and Testing Procedures, by Gunter Ollmann
- Security Best Practice - Host Naming and URL Conventions: Security Considerations for Web-based Applications, by Gunter Ollmann
- Anti Brute Force Resource Metering: Helping to Restrict Web-based Application Brute Force Guessing Attacks through Resource Metering, by Gunter Ollmann
- Stopping Automated Attack Tools: An Analysis of Web-based Application Techniques Capable of Defending against Current and Future Automated Attack Tools, by Gunter Ollmann
- WWW Security FAQ: http://www.w3.org/Security/faq/
- WWW Security Resources: http://www.w3.org/Security/
- Index of WWW security links: http://www.alw.nih.gov/Security/security-www.html
- NCSA CGI Programming Guide: http://hoohoo.ncsa.uiuc.edu/cgi/security.html
- Perl Security: http://reference.perl.com/query.sgi?security/