Securing PHP Web Applications
Proprietary Exploit Testing Tools for PHP Web Apps
August 20, 2009
In the last part of our series on PHP security exploit testing we'll look at some of the proprietary testing tools out there.
Excerpted from Securing PHP Web Applications. By Tricia Ballad and William Ballad. ISBN-10: 0-321-53434-4, ISBN-13: 978-0-321-53434-7, Copyright 2009. Used with the permission of InformIT.
Proprietary Test Suites
Several proprietary test suites are available for security testing. For most individual programmers, they are prohibitively expensive, but if you are responsible for the security of a small business Web site—especially if that business is part of a regulated industry—or your Web site is particularly attractive to hackers, they can be worth the cost. In this section, we’ll discuss the benefits of using a proprietary test suite instead of an open-source testing toolkit, and we’ll walk through one of the more commonly used test suites available.
Benefits and Features of a Proprietary Test Suite
There are a few basic benefits to using proprietary test suites:
- It’s convenient to have all your testing tools in one place, under one interface. Proprietary test suites can be a lot easier to use than the open-source alternatives.
- The security testing is automated, running in the background 24 hours per day, and the tool notifies you if anything on your Web site or application changes.
- Proprietary tools are constantly updated against industry-standard exploit databases, so you know that the attacks they simulate against your application are based on real-world exploits.
- They comply with government regulations covering security audits and reporting.
These tools are built for small businesses and public-sector and enterprise-level customers. To demonstrate the features common to most proprietary security test suites, we’ll use the Acunetix Web Vulnerability Scanner, available from http://www.acunetix.com. It is a Windows-based application, so you’ll need Windows 2000, 2003 Server, XP, or Vista to run it.
Most proprietary test suites include the same features. The ones that are going to be most useful to you are
- Automated scanning for a variety of attacks, including SQL injection, cross-site scripting, and buffer overflows
- Advanced reporting capabilities
- Penetration testing tools, including a fuzz tester and a tool to craft custom HTTP headers
In the next section, we’ll demonstrate an automated scan for vulnerabilities.
Using a Proprietary Test Suite to Scan Your Application
Automated scanning for vulnerabilities tests your entire Web site or application for a variety of exploitable vulnerabilities. We’re using the Acunetix Web Vulnerability Scanner to demonstrate, but any of the proprietary test suites will have a similar tool.
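The automated scan sends probe requests for the flaw classes listed above (SQL injection, cross-site scripting) and flags pages whose responses show the probe took effect. The following PHP file is an added example, not code from the book or from Acunetix: it places the two weak patterns such a scanner reports most often next to their hardened forms, and includes a small self-check you can run from the command line to see the difference before pointing a scanner at real code. It assumes a PHP build with the PDO SQLite driver; the `users` table and its rows are constructed sample data.

```php
<?php
// Added example (not from the book): the weak and hardened forms of the two
// patterns an automated Web vulnerability scanner probes for most often.
// Table name, rows and the in-memory SQLite database are constructed for
// illustration; the pdo_sqlite extension is assumed to be available.

declare(strict_types=1);

// --- Reflected cross-site scripting -----------------------------------------
// Weak: the 'q' parameter is echoed straight back into the HTML, so any markup
// it contains is rendered. A scanner submits a probe value containing markup
// and flags the page when the probe comes back unencoded.
function render_search_weak(array $get): string
{
    $q = $get['q'] ?? '';
    return "<p>Results for: $q</p>";
}

// Hardened: encode for the HTML context before output. The same probe now
// comes back as inert text, so the scanner reports no finding.
function render_search_safe(array $get): string
{
    $q = htmlspecialchars((string)($get['q'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: $q</p>";
}

// --- SQL injection ---------------------------------------------------------
// Weak: user input is interpolated into the SQL text, so the input can alter
// the statement's structure rather than just supply a value.
function find_user_weak(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement keeps the SQL text fixed; whatever the input
// contains, it is bound as a value and can never become part of the query.
function find_user_safe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check against an in-memory SQLite database with constructed rows.
function self_check(): void
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

    // A tautology probe of the kind a scanner sends: the weak query returns
    // every row, the hardened query returns none because no such username exists.
    $sqlProbe = "' OR '1'='1";
    $weakRows = count(find_user_weak($db, $sqlProbe));
    $safeRows = count(find_user_safe($db, $sqlProbe));

    // A markup probe: the weak page reflects it as a tag, the hardened page
    // returns it encoded so no tag is present in the response.
    $xssProbe   = ['q' => '<b>probe</b>'];
    $reflected  = strpos(render_search_weak($xssProbe), '<b>') !== false;
    $encodedOk  = strpos(render_search_safe($xssProbe), '<b>') === false;

    printf(
        "SQLi: weak=%d rows, hardened=%d rows; XSS: weak reflects=%s, hardened encodes=%s\n",
        $weakRows,
        $safeRows,
        $reflected ? 'yes' : 'no',
        $encodedOk ? 'yes' : 'no'
    );
}

if (PHP_SAPI === 'cli') {
    self_check();
}
```

Run it with `php` from the command line. The weak functions are there only so you can see exactly what a scanner finding corresponds to in code; in an application you ship, only the prepared-statement and `htmlspecialchars` forms belong, and a scan of a page that uses them should come back clean.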
Before you can launch the scan, you’ll have to install the application. You can obtain a demo version of the tool from the Acunetix Web site. The installation is done through a typical Windows install wizard, so we won’t go through it step by step. Once you’ve installed the application, you’ll see the testing interface, as shown in Figure 15.28.
Figure 15.28 - The Acunetix Web Vulnerability Scanner testing interface.
To launch the automated scan, click the New Scan button, as shown in Figure 15.29.
Figure 15.29 - Click the New Scan button.
The Scan Wizard will open, giving you the opportunity to choose a scan type, as shown in Figure 15.30.
Figure 15.30 - Choose a scan type in the Scan Wizard.
Select the “Scan single website” radio button, enter the URL of your Web site in the text box, then click Next. This will bring up the Select Targets screen, as shown in Figure 15.31.
Figure 15.31 - The Select Targets screen.
This screen allows you to optimize the scan for your specific environment. Choose your Web server and scripting language, then click Next. This will bring you to the Crawling Options screen, as shown in Figure 15.32.
Figure 15.32 - Select Crawling Options.
On the Crawling Options screen, you can select a variety of options to control how the scan traverses your Web site. Click the checkboxes next to the options that define how you want the scanner to interact with your Web site, and click Next to bring up the Scan Options screen, as shown in Figure 15.33.
Figure 15.33 - The Scan Options screen.
On the Scan Options screen, you can test every directory in your site (which will cause a significant amount of traffic and slow down the test), choose the type of scan you want to perform, and specifically check for cross-site scripting vulnerabilities. Choose the options you want and click Next to bring up the Login screen, as shown in Figure 15.34.
Figure 15.34 - The Login screen.