How to check website security?

Started by LatiasSoulDew October 29th, 2015 4:57 AM
So I created a website and am curious about how secure/vulnerable it is. But I don't know the best way (or any good way) to check it, so I need senpai's help. Thank you. =)

Dter ic

Fire Emblem....HEROES

Age 26
Male
(Un)united Kingdom
Seen December 15th, 2018
Posted July 9th, 2018
741 posts
10.7 Years
You haven't said what kind of website it is or what software it's running, so it's hard to give specific advice, but the general rules of thumb are:

1) Keep all software up to date; install any available security updates ASAP.
2) Change all default passwords on software you've installed to something more secure (mixed case, symbols, numbers, etc.).
3) Keep regular backups of any databases and settings in case things go wrong.
4) Check permissions so that users are only able to see and change things they should.

Melody

Banned

Female
Cuddling those close to me
Seen March 4th, 2018
Posted March 2nd, 2018
6,459 posts
18.6 Years
A website is properly secured when the following is true:

Client Security:
1. You are visiting via https://
2. Your respective browser did not throw any error messages regarding https, or certificates. Basically the browser should know what server it is talking to for certain
3. Your browser URL/status bar contains no indicators stating that you are not connected securely. (There are some warnings, such as 'insecure content', which don't really matter too much, but do impact the overall privacy of the connection.)

Server-side security is really about staying abreast of security vulnerabilities and keeping them patched shut by the above advice. Basically, don't run old software, don't use weak passwords, avoid vulnerable programs, sanitize your user inputs so they can't upload exploits, etc., etc.
LatiasSoulDew
Thank you for all the advice; I will keep it in mind.

You haven't said what kind of website it is or what software it's running so it's hard to give specific advice
It is a dynamic website created using PHP and a MySQL database.

sanitize your user inputs so they can't upload exploits, etc., etc.
For GET and POST variables, I escape them before putting them in SQL queries. Is escaping safe enough?
Male
Seen February 1st, 2018
Posted October 19th, 2017
625 posts
8.9 Years
For GET and POST variables, I escape them before putting them in SQL queries. Is escaping safe enough?
PHP's escaping functions are bad. They're so bad they had to deprecate mysql_escape_string and rename it mysql_real_escape_string, then they had to further deprecate that and rename it "mysqli_real_escape_string". If you're not using that last function, it is definitely not safe enough. You're probably better off using prepared statements, since it's the least crufty API.

Additionally, you need to escape content depending on how you're using it. For example, if you're taking user input and outputting into an HTML document, you need to escape the data to prevent XSS attacks.

If you have any user based actions you need to make sure you're protecting against CSRF attacks using a token. Also, for user accounts, make sure you're handling passwords correctly.

Your site is not secure if you have a valid HTTPS certificate. HTTPS only protects you against MITM attacks. While it is good to have, you shouldn't feel like you're safe because you have it. The main point of failure is always going to be your code, so make sure you're familiar with security best practices.

A Pokemon that is discriminated!
Support squirtle and make it everyone's favourite.
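The three server-side points in the reply above (prepared statements instead of escaping, password hashing, CSRF tokens), as an added example written for this thread rather than code from the original poster. It assumes PHP 8 or later with the bundled pdo_sqlite driver, uses an in-memory SQLite database and constructed sample rows so it runs offline from the command line, and uses PDO::quote() and addslashes() as stand-ins for mysqli_real_escape_string(), which needs a live MySQL connection. A plain array named $session stands in for $_SESSION.

```php
<?php
// Added example, not code from the thread. Runs offline on PHP 8+ with the
// bundled pdo_sqlite driver; the "users" rows are constructed sample data.
// Against MySQL the same prepare()/execute() calls work with a
// "mysql:host=...;dbname=..." DSN.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, pw_hash TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name, pw_hash) VALUES (1, 'alice', ''), (2, 'bob', '')");
    return $pdo;
}

// Escape-then-concatenate in a quoted string context. PDO::quote() plays the
// role of mysqli_real_escape_string(). Inside a quoted literal the escaping
// works: "' OR '1'='1" stays a value and matches nothing.
function countByNameEscaped(PDO $pdo, string $name): int
{
    $sql = 'SELECT COUNT(*) FROM users WHERE name = ' . $pdo->quote($name);
    return (int) $pdo->query($sql)->fetchColumn();
}

// The same habit in a numeric context, where the quotes are usually omitted.
// addslashes() applies the escaper's transformation (backslash before ' " \),
// but "1 OR 1=1" contains none of those characters, so it reaches the SQL
// parser untouched and every row matches.
function countByIdEscaped(PDO $pdo, string $id): int
{
    $sql = 'SELECT COUNT(*) FROM users WHERE id = ' . addslashes($id);
    return (int) $pdo->query($sql)->fetchColumn();
}

// Prepared statement: the SQL text is compiled first and the parameter is
// handed over separately, so it is never parsed as SQL. A non-integer id is
// rejected up front instead of being coerced.
function countByIdPrepared(PDO $pdo, string $id): int
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return 0;
    }
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

function countByNamePrepared(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn();
}

// Passwords: store a salted, deliberately slow hash, never the password.
function setPassword(PDO $pdo, int $id, string $password): void
{
    $stmt = $pdo->prepare('UPDATE users SET pw_hash = :h WHERE id = :id');
    $stmt->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $id]);
}

function checkLogin(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && $hash !== '' && password_verify($password, $hash);
}

// CSRF: one random token per session, emitted as a hidden field in every
// state-changing form and compared in constant time on submit.
// $session stands in for $_SESSION so this runs from the command line.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrfValid(array $session, mixed $submitted): bool
{
    return isset($session['csrf']) && is_string($submitted) && hash_equals($session['csrf'], $submitted);
}

$pdo = openDb();
printf("escaped, numeric:  %d rows\n", countByIdEscaped($pdo, '1 OR 1=1'));
printf("prepared, numeric: %d rows\n", countByIdPrepared($pdo, '1 OR 1=1'));
printf("escaped, string:   %d rows\n", countByNameEscaped($pdo, "' OR '1'='1"));
printf("prepared, string:  %d rows\n", countByNamePrepared($pdo, "' OR '1'='1"));

setPassword($pdo, 1, 'correct horse battery staple');
var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($pdo, 'alice', 'wrong password'));

$session = [];
echo '<input type="hidden" name="csrf" value="' . csrfToken($session) . '">', "\n";
var_dump(csrfValid($session, $session['csrf']));
var_dump(csrfValid($session, 'token-from-another-site'));
```

The point of running the two "escaped" queries side by side is that escaping is only defined for a quoted string literal; the moment the value lands somewhere else in the statement (a bare number, a column name, a LIMIT clause) the escaper has nothing to act on. Prepared statements make that distinction unnecessary, which is why the reply above recommends them as the default.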
LatiasSoulDew
Thanks a lot for the help, I learned many things from your post.

For example, if you're taking user input and outputting into an HTML document, you need to escape the data to prevent XSS attacks.
This sentence alone taught me what an XSS attack is. Tried this:
"><script>window.location="http://google.com";</script>
And bam, welcome to google.com.

My site is not secure at all...
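The payload the original poster tried, placed in a vulnerable PHP template and then in an escaped one, as an added example written for this thread (not the poster's own code). It also covers the two other places site code commonly writes user input, an inline script and a URL, where HTML escaping alone is the wrong tool. It assumes PHP 8 or later; the payload and template strings are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Constructed inputs; PHP 8+.
declare(strict_types=1);

// The attribute-breaking payload from the post above.
const PAYLOAD = '"><script>window.location="http://google.com";</script>';

// Vulnerable: input concatenated straight into an attribute value and into
// element text. The leading "> closes value="..." and the <input> tag, so the
// browser sees a real <script> element and runs it.
function renderUnsafe(string $q): string
{
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// HTML context: htmlspecialchars() with ENT_QUOTES turns < > & " ' into
// entities, so the input can neither end the attribute nor open a tag.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $q): string
{
    return '<input type="text" name="q" value="' . h($q) . '">'
         . '<p>Results for ' . h($q) . '</p>';
}

// JavaScript context: entities mean nothing inside <script>. json_encode()
// with the HEX flags emits a JS string literal in which < > & ' " become
// \uXXXX escapes, so the value cannot close the literal or the element.
function renderInlineScript(string $q): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return '<script>var lastQuery = ' . json_encode($q, $flags) . ';</script>';
}

// URL context: percent-encode the parameter, then HTML-escape the whole href
// because it sits in an attribute. Two layers for two parsers.
function renderLink(string $q): string
{
    return '<a href="' . h('/search?q=' . rawurlencode($q)) . '">search again</a>';
}

// Demo helper: count literal '<' characters in the output. Only the
// template's own tags should contribute any; extra ones come from the input.
function rawAngleBrackets(string $html): int
{
    return substr_count($html, '<');
}

$cases = [
    'unsafe'        => renderUnsafe(PAYLOAD),
    'safe'          => renderSafe(PAYLOAD),
    'inline script' => renderInlineScript(PAYLOAD),
    'link'          => renderLink(PAYLOAD),
];
foreach ($cases as $label => $html) {
    printf("%-14s raw '<' count: %d\n%s\n\n", $label, rawAngleBrackets($html), $html);
}
```

Run it with `php` and compare the '<' counts: the unsafe template gains two tags from each copy of the payload, while the escaped templates contain only the tags the template itself wrote. The same input needs a different encoder for each destination, which is what "escape content depending on how you're using it" means in practice.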
Male
Seen February 1st, 2018
Posted October 19th, 2017
625 posts
8.9 Years
Thanks a lot for the help, I learned many things from your post.

This sentence alone taught me what an XSS attack is. Tried this:
"><script>window.location="http://google.com";</script>
And bam, welcome to google.com.

My site is not secure at all...
No problem.

I recommend reading OWASP, as it has some very helpful articles on web security. It might help you find other holes in your knowledge.

A Pokemon that is discriminated!
Support squirtle and make it everyone's favourite.