Hello, my name is Alfred. I'm new here and I found this forum on the internet.
By the way, how can I test the security of a website? Are there any tools that people are likely to use to test it? If there are such tools, could anybody tell me their names? Thanks.
I read the article about website security here: http://cuit.columbia.edu/files/cuit/websecuritysoe.pdf
I really need those tools now. Can anybody help?
Alfred, welcome to OWASP! There are many different ways to test the security of a website, but it typically breaks down into two categories: 1) Static Analysis and 2) Dynamic Analysis.
Static analysis assumes that you have access to the source code and are able to analyze it directly for vulnerabilities at the code level. There are a few freebie solutions for source code analysis, but they're mostly focused around coding bugs and not specifically security vulnerabilities. Check out FindBugs or PMD for that. There are a bunch of companies that provide good (but not free) tools for static analysis as well. I'm not going to name names in a public forum, as inevitably someone will call me out on forgetting something, but I'm happy to take that conversation offline.
Dynamic analysis has to do with interacting with the actual running site and looking for vulnerabilities that way. It could be through some sort of proxy tool (WebScarab, BurpSuite, RatProxy, ZAP) where you manually interact with the portion of the site you are concerned about or through some sort of automated scanning tool that does the interactions for you. Plenty of paid tools out there for that, but where free tools are concerned, I'd check out w3af. One thing to note is that none of these tools will find business logic types of vulnerabilities. By nature, they really only deal with things that can be found by making a request and analyzing the response back.
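As an added illustration of the request/response loop Josh describes (this is not code from the thread or from any of the tools named), here is one dynamic-analysis step run against two constructed handlers that stand in for a site's search page. The handler names, the marker string and the check itself are assumptions of the example, not part of any real scanner.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for a running site: a handler that takes a query
# string and returns an HTML body. Hypothetical, not any real product.
def vulnerable_search(query_string: str) -> str:
    q = parse_qs(query_string).get("q", [""])[0]
    # Defect: untrusted input is concatenated straight into HTML.
    return f"<h1>Results for {q}</h1>"

def hardened_search(query_string: str) -> str:
    q = parse_qs(query_string).get("q", [""])[0]
    # Fix: escape before placing user input in an HTML text context.
    return f"<h1>Results for {html.escape(q)}</h1>"

# Constructed probe value: unique, harmless, and containing the HTML
# metacharacters whose survival in the response is what we want to see.
MARKER = "zz<dyn'\"check>zz"

def reflected_unescaped(handler, param: str = "q") -> bool:
    """One dynamic-analysis step: send a request carrying the marker and
    inspect the response. Returns True when the marker comes back with its
    metacharacters intact, i.e. the page echoes input without encoding it.
    This is exactly the 'make a request, analyze the response' pattern;
    a business-logic flaw would produce a perfectly normal response and
    go unnoticed by a check like this."""
    body = handler(urlencode({param: MARKER}))
    return MARKER in body

def scan(handlers: dict) -> dict:
    """Run the reflection check over several named handlers and return a
    simple findings table: name -> True if unescaped reflection was seen."""
    return {name: reflected_unescaped(h) for name, h in handlers.items()}

if __name__ == "__main__":
    for name, hit in scan({"vulnerable_search": vulnerable_search,
                           "hardened_search": hardened_search}).items():
        print(f"{name}: {'reflects input unescaped' if hit else 'ok'}")
```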
Hi Josh. Does dynamic analysis allow me to check for SQL injection, XSS, etc.? Is w3af a tool to check the security of a website? I think I don't need static analysis because I'm not allowed to see the source code.
Yes, dynamic analysis would allow you to check for SQL Injection and XSS. Not sure what etc would entail, but probably some etc too. ;-) w3af was a project to build a free dynamic application scanner and it was bought by Rapid7. I believe it's still free, but there's no telling where it will go from here.
Hi Josh, sorry for the late reply, I just woke up. w3af? Okay, I will google it now. By the way, can w3af generate a report from the results of the scan? Thanks. :)
If it helps, one manual way to analyse the security is to draw the Data Flow Diagram of the website and analyse, at different levels, where it could break. Just look from a hacker's eye, after drawing the DFD, at how to break the website.