PerlMonks  

Web Application Security Testing

by ghenry (Vicar)
on Sep 17, 2005 at 22:28 UTC (#492932=perlmeditation)

Dear Master Monks,
What techniques and tools do you employ when testing your web applications for security?

I am currently researching techniques/tests for securing an application we are working on (which I think can be applied to any language, and not just Perl) and I think I have found the Top Ten most common methods of breaching security, as listed by the Open Web Application Security Project, namely:

  1. Unvalidated Input
  2. Broken Access Control
  3. Broken Authentication and Session Management
  4. Cross Site Scripting (XSS) Flaws
  5. Buffer Overflows
  6. Injection Flaws
  7. Improper Error Handling
  8. Insecure Storage
  9. Denial of Service
  10. Insecure Configuration Management

A few of my random thoughts:

There are a few techniques listed in An Introduction to Security Testing with Open Source Tools, but I am pretty sure most of you must have been involved with doing this at some stage, and could give me some pointers?

So, my parting question is, "Where do I start?"

Thanks
Gavin.

Walking the road to enlightenment... I found a penguin and a camel on the way.....
Fancy a yourname@perl.me.uk? Just ask!!!
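As an added illustration of two of the OWASP categories in the list above (1, Unvalidated Input, and 4, Cross Site Scripting), here is a small Perl script that is not part of ghenry's post or of the article he cites. It places the vulnerable pattern (a request parameter interpolated straight into HTML) beside the hardened one (allowlist validation plus output encoding) and runs both over a few constructed inputs. The function names and the sample inputs are mine; the only real-library behaviour it relies on is Perl's own regex engine.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Demonstrates OWASP
# items 1 (Unvalidated Input) and 4 (Cross Site Scripting) as a
# vulnerable/hardened pair. All inputs below are constructed.
use strict;
use warnings;

# Allowlist validation: accept only the shape the application needs.
# \A and \z anchor the whole string. A bare /^...$/ is weaker: $ also
# matches just before a trailing newline, so /^\w+$/ accepts "gavin\n".
sub valid_username {
    my ($name) = @_;
    return 0 unless defined $name;
    return $name =~ /\A[A-Za-z0-9_]{3,32}\z/ ? 1 : 0;
}

# Output encoding: turn the characters that carry meaning in HTML into
# entities so user text is rendered as text, never parsed as markup.
my %entity = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);
sub escape_html {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$entity{$1}/g;
    return $s;
}

# Vulnerable pattern: the parameter is interpolated straight into the page.
sub greet_unsafe {
    my ($name) = @_;
    return "<p>Hello, $name</p>";
}

# Hardened pattern: reject anything outside the allowlist, and encode on
# output anyway so a later loosening of the regex cannot reintroduce XSS.
sub greet_safe {
    my ($name) = @_;
    return '<p>Unknown user</p>' unless valid_username($name);
    return '<p>Hello, ' . escape_html($name) . '</p>';
}

# Inline self-checks on the two building blocks.
die "escape_html broken"    unless escape_html('<b>&"\'') eq '&lt;b&gt;&amp;&quot;&#39;';
die "allowlist too loose"   if valid_username("gavin\n");
die "allowlist too strict"  unless valid_username('gavin_01');

# Make multi-line strings print on one line in the report.
sub show { (my $s = shift) =~ s/\n/\\n/g; return $s }

# Constructed inputs: a normal name, a reflected-XSS probe string, the
# trailing newline that slips past a ^...$ regex, and an over-short name.
my @inputs = ('gavin', '<script>alert(1)</script>', "gavin\n", 'ab');

for my $in (@inputs) {
    printf "%-30s valid=%d\n", "'" . show($in) . "'", valid_username($in);
    printf "  unsafe: %s\n  safe:   %s\n", show(greet_unsafe($in)), show(greet_safe($in));
}
```

Running it shows the probe string passing through `greet_unsafe` intact while `greet_safe` rejects it, and the newline case illustrates why the anchors matter. In a real CGI the same validation step is what Perl's taint mode (`-T`) forces you to write before request data can reach a system call or file operation, which is a cheap way to catch unvalidated input during testing.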

Re: Web Application Security Testing
by eyepopslikeamosquito (Canon) on Sep 18, 2005 at 01:33 UTC
Re: Web Application Security Testing
by collin (Scribe) on Sep 18, 2005 at 05:21 UTC
    IMO nmap and Nessus should be included if this is to be a generic assessment as these are two of the most popular tools that attackers use. This is a good idea even if you have rolled your own web application because you want to have all the information that an attacker would. In addition, since this is PerlMonks someone has to mention libwhisker.
