After HP & Microsoft’s security tool, Google’s gotten onto distribuing a Security Audit tool. Here’s Ratproxy which is a passive web security audit tool based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
Some of the key features ( from Ratproxy’s documentation) :
Scrawlr is short for SQL Injector and Crawler, a tool developed by the HP Web Security Research Group in coordination with the Microsoft Security Response Center in response to the widespread SQL injection attacks on the web.
“Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!”
Key Features of Scrawlr include:
Identify Verbose SQL Injection vulnerabilities in URL parameters
Can be configured to use a Proxy to access the web site
Will identify the type of SQL server in use
Will extract table names (verbose only) to guarantee no false positives
Scrawlr which is a free tool has a few limitations which are it’s crawl only upto 1500 pages, doesn’t support Blind SQL injection and will not test for Post parameters for SQL injection. Overall even with these limitations, it’s still a useful tool to check your sites to see if you’re safe from SQL injections.
Google Doctype is an open encyclopedia and reference library. Written by web developers, for web developers. It includes articles on web security, JavaScript DOM manipulation, CSS tips and tricks, and more. The reference section includes a growing library of test cases for checking cross-browser and cross-platform compatibility.
This site’s currently got some good HOWTOs on Web security, DOM manipulation, CSS and styles and more. A worthwhile place to check if you’re looking at some quick reference and help.
Inspekt is a PHP library that makes it easier to write secure web applications, which works on PHP 4 and 5 and has no external dependencies.
Inspekt acts as a sort of ‘firewall’ API between user input and the rest of the application. It takes PHP superglobal arrays, encapsulates their data in an “cage” object, and destroys the original superglobal. Data can then be retrieved from the input data object using a variety of accessor methods that apply filtering, or the data can be checked against validation methods. Raw data can only be accessed via a ‘getRaw()’ method, forcing the developer to show clear intent.
Inspekt can also be used on arbitrary arrays, and provides static filtering and validation methods.
If you want to detect and act on XSS probes and attacks on your PHP web application without too much of coding, here’s a project which delivers. It’s called PHPIDS. It’s an IDS for your PHP application which scans your inputs (without sanitizing it) and checks for XSS attacks based on a rule set. You can get an impact analysis of the attack and act on them accordingly based on the severity.
PHPIDS adds a layer of security over your application without having to retrofit code all over the place. It’s also a useful tool to create reports on attacks without having to parse through all the server access log files.
The scanning rules can be updated by replacing an xml file, pretty much like a virus definition update
Check their FAQ’s on how to integrate this with your application - it’s pretty simple. They’ve got a demo page where you can go test out the efficiency of the system.
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.
If you’re working on PHP 4.x, here’s a tool which checks if your codebase is succeptible to Cross site scripting or SQL injection.
Pixy is a Java program that performs automatic scans of PHP 4 source code, aimed at the detection of XSS and SQL injection vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.
Stefan shows how shared hosting environments could lead to security threat to your site, allowing another site on the same host to hijack cookies from your site.
Within a shared hosting environment it is sometimes quite often possible to bind yourself to some high TCP port and accept incoming connections. Sometimes this is possible because you also get a shell account on the box and sometimes because dangerous PHP functions like stream_socket_server() are not disabled in the configuration. Unfortunately the ability to bind yourself to a port and receive connections is a threat to webapplications installed on different virtual hosts on the same IP, even if other security measures in place, like tight filesystem permissions or executing PHP script with the permission of the owner.
Here’s a cool way to scan a site visitor’s network using just HTML and the user’s browser.
The concept of doing network scanning via JavaScript is hardly new and is quite easy for anyone with even cursory knowledge of JavaScript. However, the assumption was that as long as you browse the web with JavaScript disabled you are safe from hostile sites from scanning your network. Alas, this was not to be, in a very interesting post Jeremiah Grossman shows how can this be done with plain HTML using no JavaScript what so ever.
If you would like to prevent Apache from exposing the version information in every request to the server, all you have to do is to put in the following lines into your apache configuration file:
ServerTokens ProductOnly
ServerSignature OffNow that we’re not exposing the Apache version, let’s hide the PHP version also. To do this, head over to your php.ini file and set expose_php to off. This setting is on by default and when ever a php file is accessed, an X-Powered-By header is sent back through Apache.
expose_php = Off
Bookmark and share:These icons link to social bookmarking sites where readers can share and discover new web pages.
