Griffith Becker posted an update 7 years, 9 months ago
To secure a website or a web application, one has to first understand the target application, how it works and the scope behind it. Ideally, the penetration tester should have some basic knowledge of programming and scripting languages, and also web security.
A website security audit usually consists of two steps. Most of the time, the first step is to launch an automated scan. Afterwards, depending on the results and the website's complexity, a manual penetration test follows. To properly complete both the automated and the manual audit, a number of tools are available to simplify the process and make it efficient from the business point of view. Automated tools help the user make sure the whole website is properly crawled and that no input or parameter is left unchecked. Automated web vulnerability scanners also help in finding a high percentage of the technical vulnerabilities, and give you a very good overview of the website's structure and security status. Thanks to automated scanners, you gain a better overview and understanding of the target website, which eases the manual penetration testing process.
For the manual security audit, one should also have a number of tools to ease the process, such as tools to launch fuzzing tests, tools to edit HTTP requests and review HTTP responses, a proxy to analyse the traffic, and so on.
In this white paper we explain in detail how to do a complete website security audit and focus on using the right approach and tools. We describe the whole process of securing a website in an easy to read, step by step format: what needs to be done prior to launching an automated website vulnerability scan, up until the manual penetration testing phase.
Manual Assessment of target website or web application
Securing a website or a web application with an automated web vulnerability scanner can be a straightforward and productive process, if all the necessary pre-scan tasks and procedures are taken care of. Depending on the size and complexity of the web application structure, launching an automated web security scan with typical 'out of the box' settings may lead to a number of false positives, wasted time and frustration.
Even though web vulnerability scanning technology has improved in recent years, a good web vulnerability scanner sometimes needs to be pre-configured. Web vulnerability scanners are designed to scan a wide variety of complex, custom made web applications. Therefore, most of the time one needs to fine tune the scanner to his or her needs to achieve correct scan results.
Before launching the automated security scanning process, a manual assessment of the target website needs to be performed. It is a well known fact that an automated scanner will scan every entry point in your website, including the ones you have most likely forgotten about, and test each of them for a wide variety of vulnerabilities. During the manual assessment, familiarize yourself with the website topology and architecture. Keep a record of the number of pages and files present in the website, and take note of the directory and file structure. If you have access to the website's root directory and source code, take your time to get to know it. If not, you can manually hover over the links throughout the website. This process will help you understand the structure of the URLs. Also, take note of all the submission forms and other types of online forms available on the website.
During the pre-scan manual assessment, apart from getting familiar with the directory structure and number of files, get to know which web technology was used to develop the target website, e.g. .NET or PHP. There are a number of vulnerabilities which are specific to particular technologies.
Things to look out for when manually assessing a website are:
Does the website require client certificates to be accessed?
Is the target website using a backend database? If yes, what type of database is it?
Is the database server running on the same server as the website?
Are all the sensitive records being encrypted?
Are there any URL parameters or URL rewrite rules being used for site navigation?
When a non-existing URL is requested, does the web server return an HTTP status code 404, or does it return a custom error page and respond with an HTTP status code 200?
Are there any particular input forms or one-time entry forms (such as CAPTCHA and single sign-on forms) that need user input during an automated scan?
Are there any password protected sections in the website?
Once the manual assessment process is complete, you should know enough about the target website to determine whether it was properly crawled by the automated black box scanner before a scan is launched. If the website is not crawled properly, i.e. the scanner is unable to crawl some parts or parameters of the website, the whole point of "securing the website" is invalidated. The manual assessment will go a long way towards heading off invalid scans and false positives. It will also help you get more familiar with the website itself, and that is the best way to configure the automated scanner to cover and check the entire website.
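As an added example (not part of the white paper), the following Python script turns the manual assessment described above into a checklist that can be compared against the scanner's crawl results: it extracts links, URL parameters and forms from the site's pages, flags forms with CAPTCHA or password fields that a black box scanner cannot complete unaided, and reports entry points and parameters the scanner never visited. The sample pages, URLs and crawl list are constructed.

```python
# Added example, not from the original white paper: inventory a site's entry points
# (links, URL parameters, forms) from its HTML, flag forms a black-box scanner cannot
# fill unaided, and compare the inventory with the URLs the scanner reports crawling.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

class EntryPointParser(HTMLParser):
    # Collects absolute link targets and forms (action, method, inputs) from one page.
    def __init__(self, base_url):
        super().__init__()
        self.base, self.links, self.forms, self._form = base_url, set(), [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action", "")),
                          "method": a.get("method", "get").upper(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append((a.get("name", ""), a.get("type", "text")))
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def query_params(urls):  # parameter names used across a set of URLs
    return {name for u in urls for name in parse_qs(urlparse(u).query)}
def path_only(url):  # compare entry points by path, ignoring query and fragment
    return urlparse(url)._replace(query="", fragment="").geturl()
def needs_manual_input(form):  # CAPTCHA or password fields: the scanner needs help here
    return any(t == "password" or "captcha" in n.lower() for n, t in form["inputs"])

def assess(pages, crawled):
    """pages: {url: html} seen during manual assessment; crawled: URLs the scanner reported."""
    links, forms = set(), []
    for url, html in pages.items():
        p = EntryPointParser(url); p.feed(html)
        links |= p.links; forms += p.forms
    seen = {path_only(c) for c in crawled}
    return {"uncrawled": sorted(l for l in links if path_only(l) not in seen),
            "untested_params": sorted(query_params(links) - query_params(crawled)),
            "manual_forms": sorted(f["action"] for f in forms if needs_manual_input(f))}

PAGES = {  # constructed sample site: three links, a login form with a CAPTCHA field
    "https://example.test/": '<a href="/products?id=7">P</a><a href="/login">L</a><a href="/admin/">A</a>',
    "https://example.test/login": '<form action="/login" method="post"><input name="user">'
                                  '<input name="pass" type="password"><input name="captcha_code"></form>'}
CRAWLED = ["https://example.test/", "https://example.test/products", "https://example.test/login"]
if __name__ == "__main__":
    print(assess(PAGES, CRAWLED))  # admin/ uncrawled, param "id" untested, login form needs input
```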