Web Application Security Testing with Samurai

Web site vulnerabilities often occur in very non-obvious ways. Whether you're a Web developer or run a Web site, you need to understand how it's done and how to test your site.
Conclusion

Although useful, penetration testing is only part of the picture. To truly address these risks, applications must be designed, implemented and deployed with security in mind. Code analysis tools are helpful in locating places where application code deals with user inputs, so the code can be audited for input validation, strong output encoding and safe quote handling. Careful deployment using the principle of least privilege and employing chroot jails can help minimize the damage attackers can do if they gain access to your application. Never allow your database or Web server process to run as the root user.

Hopefully, this article can serve as a jumping off point to help you approach Web application security from a more active point of view, but there are many exploits and aspects of these two specific exploits that aren't covered here. For further reading, see the OWASP Wiki at www.owasp.org.

Acknowledgement

Special thanks to Adrian Crenshaw from irongeek.com, the author of our example application, Mutillidae. Mutillidae is a Web application designed to be deliberately vulnerable to the OWASP top ten in an easy-to-understand form for education purposes. Check out his site for some excellent resources on Web application security.

Jes Fraser is an IT Consultant from Open Systems Specialists in New Zealand. She's passionate about promoting open source and Linux in the enterprise.

______________________

static const char *usblp_messages[] = { "ok", "out of paper", "off-line", "on fire" }; Previously known as Jes Hall (http://www.linuxjournal.com/users/jes-hall/track)

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

I think web applications

kerosen's picture

I think web applications should be througly tested for security testing. Any penetration in web application or server can lead to loss of important data as well company revenue.

In our company we are not concentrating more on securtiy testing, i have pointed this out to my lead and he is convienced now.

You can set aside some fix test plan time for security testing of web application.

I would also love to see detailed article on SQL injection..

-----------------------------------------
Roy Mendez from curse de cai

I wonder what the trade off

Anonymous's picture

I wonder what the trade off is between security and usability

web scanner best solution again applications vulnerabilities

didier's picture

Thanks, The only way to combat the Web application security threat is to proactively scan websites and Web applications for vulnerabilities and then fix them. Implementing a Web application scanning solution must be a crucial part of any organization’s overall strategy. we had a good experience with http://www.gamasec.com they have a good free trial and the reporting and users control panel are freindly and easy to work with.

So for the next time you can had a new good web scanner from http://www.gamasec.com

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix