Website and Web Server Security Testing
Posted by SecurityAuditTeam on Jan 25, 2016 in Security Blog
If you have ever wondered how we go about some of our work relating to both website and web server testing, here's how:
Security Audit would normally first examine your website's individual pages, your applications and your web servers to identify any security weaknesses and vulnerabilities that may give attackers an opportunity to cause problems.
Analysing your web assets for free?
For a free scan, all we need to know from you is your domain name; that is all it takes for us to get started. With this detail we can analyse your web assets, and you then receive a report containing recommendations showing where you need to implement changes to improve your security. Website security issues are rapidly identified, with recommended actions provided, including suggested further routine tests that will keep your web infrastructure safe and secure.
What type of things do our full security tests assess?
Our full service provides a full website security check that will test the entire website using a variety of different attack methodologies, ranging from MySQL/database attacks to DNS poisoning attacks.
- We use real world ‘no previous knowledge’ attack techniques.
- Our security engineers conduct a ‘fingerprint’ style analysis of your server and pages.
- We will map your website's structure and identify information that could compromise it.
- A variety of ‘fuzzing’ suites and manual auditing practices will be performed by our expert coders.
- Exploits will be selected based on our findings and the code executed against your website.
When we carry out a website security test we will often scan your hosting environment and hardware equipment first, then move on to the individual website pages in turn.
We will be looking for obvious things such as already known code vulnerabilities and potential exploits, but also for other less obvious issues such as the following:
- Remote File Inclusion
- SQL Injection
- PHP/ASP Code Injection
- XSS (Cross Site Scripting)
- File Disclosure
- Directory Traversal
- Certain unmentionable issues and methodologies based around them!
If Security Audit Systems performs regular scans of your website and its pages then you will have the added peace of mind that it is as secure as possible. This is especially important for businesses and organisations that rely on their web site for revenue, such as Ecommerce and online retail sites as well as sites with valuable data.
What does the security assessment report include?
Our reports provide a rated risk level for each identified problem and the right solution to get the problem rectified. The report, although detailed, is relatively easy to digest and contains a list of straightforward, actionable items. If you would prefer to pass the report on to your technical infrastructure administrator, it will provide them with a list of actionable information.
In overview, this is how it works:
- Initial Port Scan. Security Audit will first of all investigate all of the services on all the ports on your web servers (FTP, web, mail, Exchange and SQL) and your firewall. We will find your open ports and then detect what services are running on those open ports.
- Initial overall Vulnerability Scan. At every open port we find we will identify all of the services present and determine how each has been configured. The configurations and services that are identified will then be compared to our database of thousands of known vulnerabilities. Should we detect a potential vulnerability, we will actively test it in order to identify whether or not a weakness actually exists.
- Web Site Scan of all pages. Our tools will crawl each page of your site in turn, testing every possible entry point for each family of security risks that we know of. Our probing tools provide the most advanced automated testing for Cross Site Scripting, also known as XSS, and SQL injection identification available today.
- Other advanced methods. We use certain advanced techniques that we keep to ourselves, for obvious reasons, but you will benefit from these and see the results.
- Our Report. The detailed report that we generate lists all of the risks identified by severity level. These will include bug fixes, solutions and further information on what you need to do. Useful advice on how to stay secure is also included. Furthermore, your overall ‘grade’ is shown which you can compare week by week or month by month to monitor the progress of your work to remove the identified risks.
The report also allows you to evaluate your web hosting provider’s service in terms of its security risks. In this way, if you are using a poor service, you can either request that they make changes or move your website to another hosting provider.
If you would like to start the process of improving your website's and web server's security, then start by using our free basic scan service here.
If you need more detailed information regarding your vulnerabilities, carried out by an expert coder, then go here for a full assessment!
You will receive an identical vulnerability assessment to the one that we supply to large organisations and corporations. The equipment that hosts your site is also vital to its security and often provides hackers with a way in. Even with the most carefully crafted coding within your website, if the infrastructure is vulnerable, then your site has a major security risk.