
Web Application Security Testing

by ghenry (Vicar)
on Sep 17, 2005 at 22:28 UTC (#492932=perlmeditation)

Dear Master Monks,
What techniques and tools do you employ when testing your web applications for security?

I am currently researching techniques/tests for securing an application we are working on (which I think can be applied to any language, and not just Perl) and I think I have found the Top Ten most common methods of breaching security, as listed by the Open Web Application Security Project, namely:

  1. Unvalidated Input
  2. Broken Access Control
  3. Broken Authentication and Session Management
  4. Cross Site Scripting (XSS) Flaws
  5. Buffer Overflows
  6. Injection Flaws
  7. Improper Error Handling
  8. Insecure Storage
  9. Denial of Service
  10. Insecure Configuration Management

A few of my random thoughts:

There are a few techniques listed in An Introduction to Security Testing with Open Source Tools, but I am pretty sure most of you must have been involved with doing this at some stage, and could give me some pointers?

So, my parting question is, "Where do I start?"


Walking the road to enlightenment... I found a penguin and a camel on the way.....
Fancy a Just ask!!!
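As a starting point for the question above, here is an added example (my own, not ghenry's code or anything from the OWASP list) showing how a few of the Top Ten items can be turned into ordinary unit tests with Test::More: item 1 (Unvalidated Input) as a whitelist check, item 4 (XSS) as an output-encoding check, and item 7 (Improper Error Handling) as a check that the browser never sees internal detail. The functions validate_username, html_escape and safe_error are hypothetical stand-ins for an application's own helpers, and all inputs are constructed for the test; only core modules are used.

```perl
#!/usr/bin/perl
# Added example, not part of the original post. validate_username,
# html_escape and safe_error are hypothetical helpers standing in for an
# application's real ones; every input below is constructed test data.
use strict;
use warnings;
use Test::More;

# Item 1, Unvalidated Input: accept only what the application needs.
# Returns the matched value on success, undef otherwise (the capture
# also untaints the value when the script runs under perl -T).
sub validate_username {
    my ($input) = @_;
    return undef unless defined $input;
    return $1 if $input =~ /\A([A-Za-z0-9_]{1,32})\z/;
    return undef;
}

# Item 4, XSS: encode for HTML text and attribute contexts before output.
sub html_escape {
    my ($text) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Item 7, Improper Error Handling: log the detail, show a generic message.
sub safe_error {
    my ($internal_message, $log) = @_;
    push @$log, $internal_message;          # server-side log only
    return 'An internal error occurred.';   # what the user sees
}

# --- constructed inputs (not real accounts or data) ---
my @valid   = qw(alice bob_42 Z);
my @invalid = ('', 'a' x 33, 'alice smith', "O'Brien", '<b>x</b>', undef);

for my $u (@valid) {
    is(validate_username($u), $u, "accepts valid username '$u'");
}
for my $u (@invalid) {
    my $label = defined $u ? "'$u'" : 'undef';
    is(validate_username($u), undef, "rejects invalid username $label");
}

# A probe string containing every character the encoder must handle.
my $probe   = q{<script>alert(1)</script>"'&};
my $escaped = html_escape($probe);
unlike($escaped, qr/[<>"']/, 'escaped output has no raw HTML metacharacters');
is($escaped, '&lt;script&gt;alert(1)&lt;/script&gt;&quot;&#39;&amp;',
   'escaping is exact');

# Constructed internal error text; the user-facing message must not echo it.
my @log;
my $shown = safe_error('DBI connect failed: password=hunter2 host=db1', \@log);
unlike($shown, qr/password|DBI|host=/, 'user-facing error leaks no internals');
is(scalar @log, 1, 'internal detail was logged exactly once');

done_testing();
```

Run it with `perl -T` to get taint checking on top of the assertions: any code path that uses a request parameter without going through a whitelist regex like the one in validate_username will then die instead of passing silently. The same shape (a list of constructed inputs, a helper under test, an assertion about what may or may not reach the output) extends to the other list items, for example checking that a session cookie is marked HttpOnly or that a failed login returns the same response whether or not the account exists.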

Re: Web Application Security Testing
by eyepopslikeamosquito (Chancellor) on Sep 18, 2005 at 01:33 UTC
Re: Web Application Security Testing
by collin (Scribe) on Sep 18, 2005 at 05:21 UTC
    IMO nmap and Nessus should be included if this is to be a generic assessment as these are two of the most popular tools that attackers use. This is a good idea even if you have rolled your own web application because you want to have all the information that an attacker would. In addition, since this is PerlMonks someone has to mention libwhisker.

Node Type: perlmeditation [id://492932]
Approved by castaway
Front-paged by skx