
Web Application Security Testing

by ghenry (Vicar)
on Sep 17, 2005 at 22:28 UTC (#492932)

Dear Master Monks,
What techniques and tools do you employ when testing your web applications for security?

I am currently researching techniques/tests for securing an application we are working on (which I think can be applied to any language, and not just Perl) and I think I have found the Top Ten most common methods of breaching security, as listed by the Open Web Application Security Project, namely:

  1. Unvalidated Input
  2. Broken Access Control
  3. Broken Authentication and Session Management
  4. Cross Site Scripting (XSS) Flaws
  5. Buffer Overflows
  6. Injection Flaws
  7. Improper Error Handling
  8. Insecure Storage
  9. Denial of Service
  10. Insecure Configuration Management

A few of my random thoughts:

There are a few techniques listed in An Introduction to Security Testing with Open Source Tools, but I am pretty sure most of you must have been involved with doing this at some stage, and could give me some pointers?

So, my parting question is, "Where do I start?"


Walking the road to enlightenment... I found a penguin and a camel on the way.....
Fancy a Just ask!!!
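One concrete starting point for items 1 and 4 on that list, as an added example that is not part of the original post or any reply: an allow-list validator for request parameters that cooperates with Perl's taint mode, plus entity-encoding on output, with Test::More cases for the edge cases a tester would try. Parameter names and rules are assumptions; run it with `perl -T`.

```perl
# Added example (not from the thread): allow-list validation of request
# parameters plus entity-encoding on output, i.e. OWASP items 1 (unvalidated
# input) and 4 (XSS). Parameter names and rules are assumptions.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use Test::More tests => 7;

# Allow-list: one anchored pattern per parameter; anything else is rejected.
# \z rather than $: "$" would accept a value with a trailing newline.
my %RULES = (
    username => qr/^([A-Za-z0-9_]{3,16})\z/,
    page     => qr/^([1-9][0-9]{0,3})\z/,
    comment  => qr/^([\x20-\x7E\t\r\n]{1,500})\z/,
);

# Returns the validated value, or undef when the parameter is unknown or
# the value does not match. Under perl -T the regex capture ($1) is the
# only thing that untaints the data, so nothing else should be returned.
# Explicit undef: a bare "return" would vanish in list context.
sub validate {
    my ($name, $value) = @_;
    return undef unless defined $value && exists $RULES{$name};
    return undef unless $value =~ $RULES{$name};
    return $1;
}

# Output side: encode before interpolating into HTML, regardless of what
# validation allowed through (the comment rule permits < and >).
sub render_comment {
    my ($comment) = @_;
    return '<p class="comment">' . encode_entities($comment) . '</p>';
}

is(validate(username => 'ghenry'),    'ghenry', 'well-formed username accepted');
is(validate(username => 'ghenry;ls'), undef,    'shell metacharacter rejected');
is(validate(page     => '42'),        '42',     'numeric page accepted');
is(validate(page     => "42\n"),      undef,    'trailing newline rejected');
is(validate(page     => '0'),         undef,    'leading zero rejected');
is(validate(bogus    => 'x'),         undef,    'unknown parameter rejected');
is(render_comment('<script>alert(1)</script>'),
   '<p class="comment">&lt;script&gt;alert(1)&lt;/script&gt;</p>',
   'markup in a comment is entity-encoded on output');
```

Each of the OWASP categories can be covered the same way: encode the expected behaviour as a test once, then keep it in the suite so a later change cannot silently reopen the hole.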

Re: Web Application Security Testing
by eyepopslikeamosquito (Bishop) on Sep 18, 2005 at 01:33 UTC
Re: Web Application Security Testing
by collin (Scribe) on Sep 18, 2005 at 05:21 UTC
    IMO nmap and Nessus should be included if this is to be a generic assessment as these are two of the most popular tools that attackers use. This is a good idea even if you have rolled your own web application because you want to have all the information that an attacker would. In addition, since this is PerlMonks someone has to mention libwhisker.

Node Type: perlmeditation [id://492932]
Approved by castaway
Front-paged by skx