
Do you know your website is secure?

Release Date: 9 Jul 2013

Recently, several websites in Hong Kong were successively and successfully intruded by hackers. Besides uploading the stolen information to the Internet, the hackers also described the whole intrusion process in detail. From these incidents, we found that the hackers' attack techniques were very systematic and skilful: they could identify the vulnerabilities of a website and conduct an intrusion within a short period of time. These intrusion incidents aroused public attention to the shortfall in website security.


Web Application Security


Although many companies have deployed firewalls and anti-malware software to protect the computers within their networks, this is not enough to secure their websites. You also have to keep the operating system and web applications at the latest software version and security patch level. If the web application is developed in-house, you also have to conduct an application security test.


For web application security, there is an authoritative global security organization, OWASP (The Open Web Application Security Project), which focuses on research into improving web application security. It published the report "The Ten Most Critical Web Application Security Risks 2013 (OWASP Top 10 - 2013)" in June 2013.


The Ten Most Critical Web Application Security Risks 2013:


  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Components with Known Vulnerabilities
  • A10 Unvalidated Redirects and Forwards


Ranked no. 1 is injection: an attacker exploits an input validation vulnerability to execute unauthorized commands or queries. The most common attack vector is SQL injection, which allows the attacker to read or modify the contents of the website's database.
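The following Python example is added here to illustrate the injection risk described above; it is not code from the original article or from OWASP. It builds a constructed in-memory SQLite table, shows a lookup that concatenates user input into the SQL text (the vulnerable pattern), and beside it the hardened form that binds the input as a parameter and validates it against an allow-list first. The table, the user names and the test input are all made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample database (not from the original article): two users only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The A1 pattern: untrusted input is pasted straight into the SQL statement,
    # so a quote character in the input changes the structure of the query.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


# Allow-list for the hypothetical username format assumed in this example:
# letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def lookup_parameterized(conn, username):
    # Hardened form: reject input that does not match the expected format, then
    # pass the value through a placeholder so the driver never treats it as SQL.
    if not is_valid_username(username):
        return []
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed test input: closes the string literal and appends a condition
    # that is always true, so the concatenated query matches every row.
    hostile = "x' OR '1'='1"
    print(lookup_vulnerable(conn, "alice"))       # one row, as intended
    print(lookup_vulnerable(conn, hostile))       # both rows leak
    print(lookup_parameterized(conn, hostile))    # [] - input rejected, nothing leaks
    print(lookup_parameterized(conn, "alice"))    # one row, as intended
```

The difference to notice is that the parameterized version returns the same result for the legitimate name while returning nothing for the malformed input: binding the value keeps the query structure fixed, and the allow-list check rejects the input before it ever reaches the database. A web application security test of the kind mentioned in this article is looking for code shaped like `lookup_vulnerable`.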


Assess Web Application Security


Due to a lack of resources, individual or SME websites generally do not have dedicated staff to maintain the security updates of the website properly, and so they become prey to hackers. In view of this, we introduce the following free tools to help you conduct an initial assessment of your website's security level.


Note: All security scans must be authorized by the site owner in advance.


Qualys free online scan
http://www.qualys.com/forms/freescan/website-scan
After completing online registration (a business email address is required), you will receive a quota of 10 free online scans. This tool is suitable for checking public websites.



Figure 1: Scanning can be launched via an Internet browser; no installation is required. Simply log in and enter the URL or IP address to start scanning.



Figure 2: The scan report lists the location of each identified security vulnerability and the suggested solution.


Netsparker Trial Version
https://www.mavitunasecurity.com/demo
After completing online registration, you will receive a 15-day free trial licence key. This tool is suitable for checking internal websites.



Figure 3: The software must be installed on Windows XP or later. After opening the software, create a new scan task and type the target URL to start the scan.



Figure 4: The scan report lists the location of each identified security vulnerability and the suggested solution.


After the scan completes, if any vulnerabilities are identified on your website, please report them to the webmaster or the company that built the website and request that they fix the vulnerabilities by following the recommendations in the report.


For more information on web security, please refer to HKCERT's Guideline of Web Security.