html security profiling tools [closed]
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 2 years ago.
I am developing a site and I am using YSlow to profile speed and stats, Web Developer for HTML and CSS validation, etc.
What can I use to check for security mistakes?
For security I recommend the open source wapiti or the commercial Sitewatch.
On a side note, HTML and CSS can't really cause security problems. Maybe if you have HTML links pointing to http content within https that could be a problem, and Sitewatch will inform you of these problems.
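The mixed-content case this answer mentions, as an added example (not code from the answer or from any of the tools named): a small Python scanner that flags plain-http references in a page assumed to be served over https, separating active content (blocked by modern browsers) from passive content and plain navigation links. The sample HTML is constructed.

```python
"""Flag plain-http references in an HTML page assumed to be served over https.

Added illustration; not the answer's code and not Sitewatch or wapiti output.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Which (tag, attribute) pairs fetch a URL, and how browsers treat the result.
# Active mixed content (scripts, frames, stylesheets, form targets) is blocked;
# passive content (images, media) only produces a warning; an <a href> is not
# mixed content but still sends the user to a plain-http page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("form", "action"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
NAVIGATION = {("a", "href")}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # urlparse lowercases the scheme; https, relative, protocol-relative
            # (//host/...) and data: URLs all fall through here.
            if not value or urlparse(value).scheme != "http":
                continue
            key = (tag, name)
            if key in ACTIVE:
                self.findings.append(("active", tag, value))
            elif key in PASSIVE:
                self.findings.append(("passive", tag, value))
            elif key in NAVIGATION:
                self.findings.append(("navigation", tag, value))


def scan(html):
    """Return findings in document order for one HTML document."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one active, one passive, one navigation finding;
# the https script, the protocol-relative script and the relative form are clean.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="//cdn.example.com/vendor.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://partner.example.org/">partner</a>
<form action="/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE):
        print(f"{severity:10} <{tag}> {url}")
```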
Review this list.
Obviously what is relevant is your server-side language (so you may want to scan from the WEB side and then an analysis of the server code as well).
This is a significant field of work and research. It's good that you want to perform this type of analysis, and enjoy reviewing and testing all the various available tools :)
You can use free tools like Netsparker Community Edition or Skipfish.
You can also refer to this list of free and commercial web app security scanners: http://projects.webappsec.org/w/page/13246988/Web-Application-Security-Scanner-List
Depending on the size of your site you could possibly use a tool called Fortify. It will scan your code for security vulnerabilities. I am sure there are other tools which are similar.
I assume you are familiar with the OWASP Top 10 (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project). You can try ratproxy (http://code.google.com/p/ratproxy/), which is a security audit tool. Other http/https proxies such as Paros can also, to some extent, detect injection and XSS flaws.
None of these is perfect, so with a good understanding of web application vulnerabilities you can supplement them with some manual tests and code inspection.