
how to find vulnerabilities on site

Discussion in 'Security' started by bmpt87, Apr 12, 2010.

  1. #1
    I'm starting a new site using PHP and MySQL. I would like to assess the security of my site before it goes live. Does anyone have suggestions for checking for vulnerabilities?

    I once remember using hackersafe to do an assessment; however, I have not been working with sites lately that require security.
     
    bmpt87, Apr 12, 2010 IP
  2. SirGod

    SirGod Peon

    #2
    Hello. Some time ago I wrote a tutorial about "Finding vulnerabilities in PHP scripts". You can find it here:

    http://milw0rm.com/papers/381
    I tried to cover a large area of vulnerabilities; in any case, I covered all the important vulnerabilities that can be found in PHP web applications. I also explained how to secure each vulnerability.

    I think it is what you want, if you have any questions just ask me.
     
    SirGod, Apr 13, 2010 IP
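The tutorial linked above is about reviewing PHP source by hand. As an added illustration of the same idea (this is not code from the thread or from the linked paper), here is a minimal PHP audit script that flags lines where request data reaches a dangerous sink. It assumes a simplified one-statement-per-line style, uses regex heuristics rather than a real parser, and runs over a constructed sample of vulnerable code embedded in the script.

```php
<?php
// Added example, not code from the thread or the linked paper. A minimal
// source-audit script: pass 1 collects variables assigned straight from
// request data, pass 2 reports lines where a superglobal or a tainted
// variable appears together with a dangerous sink. Regexes are heuristics
// (constructed for this example) and the sample code below is constructed.

const SUPERGLOBALS = '/\$_(GET|POST|REQUEST|COOKIE)\b/';

// Sinks grouped by the vulnerability class they lead to.
const SINKS = [
    'SQLi'    => '/\b(mysql_query|mysqli_query|pg_query)\s*\(/',
    'LFI/RFI' => '/\b(include|include_once|require|require_once)\b/',
    'RCE'     => '/\b(eval|system|exec|shell_exec|passthru|popen)\s*\(/',
    'XSS'     => '/\b(echo|print)\b/',
];

// Calls that neutralise the input for at least one of the sink classes.
const SANITISERS = '/\b(intval|htmlspecialchars|htmlentities|basename|mysqli_real_escape_string)\s*\(/';

function auditSource(string $code): array
{
    $lines = explode("\n", $code);

    // Pass 1: "$var = ... $_GET[...]" without a sanitiser on the line taints $var.
    $tainted = [];
    foreach ($lines as $line) {
        if (preg_match('/\$(\w+)\s*=\s*[^;]*\$_(GET|POST|REQUEST|COOKIE)\b/', $line, $m)
            && !preg_match(SANITISERS, $line)) {
            $tainted[$m[1]] = true;
        }
    }

    // Pass 2: a source (superglobal or tainted variable) on the same line as a sink.
    $sourceRe = SUPERGLOBALS;
    if ($tainted) {
        $sourceRe = '/\$_(GET|POST|REQUEST|COOKIE)\b|\$(' . implode('|', array_keys($tainted)) . ')\b/';
    }

    $findings = [];
    foreach ($lines as $i => $line) {
        if (!preg_match($sourceRe, $line)) {
            continue;
        }
        foreach (SINKS as $class => $re) {
            if (preg_match($re, $line)) {
                $findings[] = [
                    'line'      => $i + 1,
                    'class'     => $class,
                    'sanitised' => (bool) preg_match(SANITISERS, $line),
                    'code'      => trim($line),
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample of the kind of code the audit is meant to catch.
$sample = <<<'PHP'
<?php
$id = $_GET['id'];
$page = intval($_GET['p']);
$r = mysql_query("SELECT * FROM posts WHERE id = " . $id);
include($_GET['page'] . '.php');
echo "Hello " . $_GET['name'];
echo htmlspecialchars($_POST['comment']);
echo "Page " . $page;
PHP;

foreach (auditSource($sample) as $f) {
    printf("line %d  %-7s %s  %s\n",
        $f['line'], $f['class'],
        $f['sanitised'] ? '(sanitised)' : 'UNSANITISED',
        $f['code']);
}
```

The two-pass structure matters: the `mysql_query` line never mentions `$_GET` itself, so a single-line grep for superglobals would miss it; tracking `$id` as tainted from its assignment catches it, while `$page` is cleared by `intval()` and the final `echo` is not reported. A real review still has to read the code, since the script sees neither multi-line statements nor sanitisation that happens in another function.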
  3. maestria

    maestria Well-Known Member

    #3
    Maybe you can check the security using software like Acunetix.
     
    maestria, Apr 18, 2010 IP
  4. proxywhereabouts

    proxywhereabouts Notable Member

    #4
    Try Nessus. It will scan your system for any vulnerabilities.
    www.nessus.org
     
    proxywhereabouts, Apr 18, 2010 IP
  5. Actaviosan

    Actaviosan Guest

    #5
    There are plenty of applications that check website security such as "Nessus" and "Acunetix."
    Also, there are a lot of people offering security services; look for them.
    On the other hand, you can test it yourself; just search for articles about website security, they might give you good results.
     
    Actaviosan, May 5, 2010 IP
  6. ryan1918

    ryan1918 Active Member

    #6
    There are many ways to check this: you can use programs, scripts, and actually run vulnerabilities on your own site to test its security, or you can pay someone to do it. If you are willing to pay someone and you are willing to prove ownership, I can help you.
     
    ryan1918, May 5, 2010 IP
  7. carolynccourtney

    carolynccourtney Greenhorn

    #7
    There are plenty of methods that can be used to hack a website, but the most common are:

    SQL Injection
    XSS (Cross Site Scripting)
    Remote File Inclusion (RFI)
    Directory traversal attack
    Local File Inclusion (LFI)
    DDoS Attack
     
    carolynccourtney, Sep 3, 2011 IP
  8. hotnoob

    hotnoob Member

    #8
    I can tell you how to defend yourself against all of this bullshit listed here.

    A DDoS attack is NOT HACKING.
    To defend yourself from it is simple: GET A SWITCH BOARD!
    If you don't have direct physical access to the server, then there is nothing you can do about it, other than not using free DNS servers.

    LFI, well, that's a no-brainer: don't screw around with your configuration, and do NOT use the original file names that people upload with; generate some based on an ID number or timestamp, it's very easy to do.

    DTA, well, you honestly have to have no idea what you're doing if this is an issue for you.

    RFI, again, same as DTA; just don't import remote files to your server.

    XSS: PHP's htmlentities function should fix that for you.

    SQLi: simple, check for magic quotes, and then mysql_real_escape_string, or better yet, intval!

    If you're really concerned about getting hacked, then learn to hack.
     
    hotnoob, Sep 7, 2011 IP
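As an added worked example covering the attack list in post #7 and the defences in post #8 (this is not code from either poster), the script below shows the vulnerable form next to a hardened form for SQL injection, XSS and uploaded file names. For the SQL case it uses a PDO prepared statement, which keeps the value out of the query text entirely, alongside the `intval()` approach from the post; the in-memory SQLite database, table rows and attacker inputs are constructed so it runs offline.

```php
<?php
// Added example, not code from the thread. Vulnerable and hardened forms of
// the three application-level defences discussed above, against a constructed
// in-memory SQLite database (PDO) so the script runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice', 'alice-secret'), (2, 'bob', 'bob-secret')");

// --- SQL injection ---------------------------------------------------------

// Vulnerable: the request value is pasted straight into the query text, so
// a quote in the input ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: a prepared statement sends the value separately from the query,
// so quoting tricks are compared as data rather than parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $st = $db->prepare("SELECT name FROM users WHERE name = :name");
    $st->execute([':name' => $name]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// For numeric IDs, intval() (as suggested in the post) removes anything that
// is not part of an integer before the value is used.
function findUserById(PDO $db, string $rawId): array
{
    $st = $db->prepare("SELECT name FROM users WHERE id = :id");
    $st->execute([':id' => intval($rawId)]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$attack = "' OR '1'='1";                 // constructed attacker input
print_r(findUserUnsafe($db, $attack));    // the injected OR clause matches every row
print_r(findUserSafe($db, $attack));      // no user is literally named "' OR '1'='1"
print_r(findUserById($db, "1 OR 1=1"));   // intval() reduces the input to 1

// --- XSS -------------------------------------------------------------------

// Vulnerable: the value is written into the HTML response as-is.
function greetUnsafe(string $name): string
{
    return "<p>Hello " . $name . "</p>";
}

// Hardened: encode for the HTML context; ENT_QUOTES also covers attribute
// values. htmlentities(), the post's choice, does the same job here.
function greetSafe(string $name): string
{
    return "<p>Hello " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</p>";
}

$payload = '<script>alert(1)</script>';  // constructed attacker input
echo greetUnsafe($payload), "\n";
echo greetSafe($payload), "\n";

// --- Upload file names (LFI / directory traversal) -------------------------

// Hardened: never reuse the client-supplied name. Keep only a whitelisted
// extension and generate the stored name from random bytes, so neither
// "../" sequences nor a ".php" name from the client reach the filesystem.
function storedUploadName(string $clientName, array $allowed = ['jpg', 'png', 'gif']): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException("extension not allowed: " . $ext);
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

echo storedUploadName('../../../etc/passwd.png'), "\n";
try {
    storedUploadName('shell.php');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The upload helper deliberately does not try to clean the client name; it discards it. Escaping or filtering a name still leaves the server deciding what is safe, whereas a generated name gives the client no influence over the path at all, which is the point hotnoob makes about ID- or timestamp-based names.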
  9. veltmanis

    veltmanis Peon

    #9

    And you are SO sure that these basic, simple precautions will ultimately defend you from these or other types of attacks? At best they will keep away a lazy beginner who's looking for dead-easy holes.
     
    veltmanis, Nov 19, 2012 IP
  10. cfomodz

    cfomodz Member

    #10
    I think that's what he was saying: that the above-listed "most common types of attacks" are easily prevented, and aren't really what you need to worry about.

    I think he said it best with, "If you're really concerned about getting hacked, then learn to hack."
     
    cfomodz, Nov 24, 2012 IP
  11. bluebios

    bluebios Greenhorn

    #11
    Acunetix is best to test for security. But if you want to test PHP, go for Nessus.
     
    bluebios, Dec 9, 2012 IP