I'm starting a new site using PHP and MySQL. I would like to assess the security of my site before it goes live. Does anyone have suggestions to check for vulnerabilities? I once remember using hackersafe to do an assessment; however, I have not been working with sites lately that require security.
Hello. Some time ago I wrote a tutorial about "Finding vulnerabilities in PHP scripts". You can find it here: http://milw0rm.com/papers/381 I tried to cover a large area of vulnerabilities; anyway, I covered all the important vulnerabilities that can be found in PHP web applications. Also, I explained how to secure each vulnerability. I think it is what you want; if you have any questions, just ask me.
There are plenty of applications that check website security, such as "Nessus" and "Acunetix." Also, there are a lot of people offering security services; look for them. On the other hand, you can test it yourself: just search for articles about website security; they might give you good results.
There are many ways to check this: you can use programs, scripts, and actually run vulnerabilities on your own site to test its security, or you can pay someone to do it. If you are willing to pay someone and you are willing to prove ownership, I can help you.
There are plenty of methods that can be used to hack a website, but the most common are: SQL Injection, XSS (Cross Site Scripting), Remote File Inclusion (RFI), Directory traversal attack, Local File Inclusion (LFI), DDoS Attack.
I can tell you how to defend yourself against all of this bullshit listed here. DDoS attack is NOT HACKING; to defend yourself from it is simple: GET A SWITCH BOARD! If you don't have direct physical access to the server, then there is nothing you can do about it, other than not use free DNS servers. LFI, well, that's a no-brainer: don't screw around with your configuration, and do NOT use the original file names that people upload with; generate some based on an ID number or time-stamp, it's very easy to do. DTA, well, you honestly have to have no idea what you're doing if this is an issue for you. RFI, again, same as DTA; just don't import remote files to your server. XSS, PHP's htmlentities function should fix that for you. SQLi, simple: check for magic quotes, and then mysql_real_escape_string, or better yet! intval! If you're really concerned about getting hacked, then learn to hack.
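An added example, not part of any post in this thread, showing the XSS, SQL injection and upload-naming defenses named above in PHP. It uses PDO bound parameters in place of mysql_real_escape_string (the mysql_* functions were removed in PHP 7). The function names, table names and the in-memory SQLite database standing in for MySQL are assumptions, and all inputs are constructed.

```php
<?php
// Added example; function names, tables and sample inputs are constructed.

// XSS: encode untrusted text at the point where it is written into HTML.
function render_comment(string $untrusted): string
{
    // ENT_QUOTES also encodes ' and ", which matters inside attribute values.
    return '<p>' . htmlentities($untrusted, ENT_QUOTES, 'UTF-8') . '</p>';
}

// SQLi, numeric parameter: intval() always yields an integer, so trailing
// SQL in the input never reaches the query text.
function build_article_query($rawId): string
{
    return 'SELECT title FROM articles WHERE id = ' . intval($rawId);
}

// SQLi, string parameter: a bound parameter is sent as data, never as SQL.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Uploads: store under a server-generated name. The client's file name is
// used only to pick an allow-listed extension.
function stored_upload_name(int $uploadId, string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'png', 'gif'], true)) {
        return null; // reject anything outside the allow-list
    }
    return $uploadId . '.' . $ext;
}

// Constructed inputs exercising each defense.
echo render_comment('<script>alert(1)</script>'), "\n";
echo build_article_query('7 OR 1=1'), "\n";

$db = new PDO('sqlite::memory:'); // stand-in for MySQL so this runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");
var_dump(count(find_user($db, 'alice')));
var_dump(count(find_user($db, "' OR '1'='1")));

var_dump(stored_upload_name(42, '../../shell.php'));
var_dump(stored_upload_name(42, 'holiday.JPG'));
```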
And you are SO sure that these basic simple precautions will ultimately defend you from these or other types of attacks? At best it will keep away a lazy beginner who's looking for dead easy holes.
I think that's what he was saying, that the above listed "most common types of attacks" are easily prevented, and aren't really what you need to worry about. I think he said it best with, "if you're really concerned about getting hacked, then learn to hack."