OK, maybe 5 minutes not 60 seconds. You've just finished getting a site developed or maybe you're thinking about ordering something online. You're curious as to whether the site is full of security holes. Here I'll discuss the intuition I've developed in assessing sites over the years. These are general indicators to watch out for that usually go hand in hand with security problems. They are all easy to spot and don't require any technical skills to speak of.
Mickey Mouse Look and Feel
This one is touchy-feely, but has never let me down. I can generally tell 2 minutes into an assessment whether the site is going to be full of holes. If the site looks like it was thrown together by a teenager on summer break, chances are there will be problems a-plenty.
Spurious Errors
If you're casually browsing the site and encounter detailed error messages which make no sense to you, that's a problem. These error messages leak information about the internals of an application that hackers will find useful. You can also try to evoke errors by entering data containing quote, semicolon, less-than/greater-than, "../", or percent characters.
Number of Inputs
Does the application contain lots of forms? Every input to an application is another exposure. Sites with lots of forms or inputs are more likely to contain security problems.
Email Me My Password
If the site has a "send me my password via email" button or emails you a password after registration, pwnage.
Hidden Fields
Browse to the busiest pages in the site and view the HTML source by right-clicking on the page. Do a quick search for "hidden". Hidden fields are generally abused by developers and lead to security problems.
Login with Quotes
Try logging in with the password ' or 1=1 --. If the login succeeds or you see lots of errors there could be a problem. Don't try this one on a site that's not your own.
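Why that password can get in, and where the "lots of errors" come from, shown as an added example that is not code from any real site: a constructed SQLite login table queried first by string concatenation and then with bound parameters. The table, the account and the function names are assumptions made for the illustration.

```python
import sqlite3

PAGE_INPUT = "' or 1=1 --"   # the password string quoted in the text above

def make_db():
    """In-memory user table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Constructed sample row. Plaintext storage mirrors the flawed pattern
    # being demonstrated; a real table stores a salted password hash.
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def login_concatenated(db, username, password):
    """Vulnerable: user input becomes part of the SQL text itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"      # input broke the statement's syntax
    return "granted" if row else "denied"

def login_parameterized(db, username, password):
    """Hardened: input is bound as data and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return "granted" if row else "denied"

def run_demo():
    db = make_db()
    results = {}
    for label, pw in [("correct", "correct horse"), ("wrong", "guess"),
                      ("page input", PAGE_INPUT), ("lone quote", "'")]:
        results[label] = (login_concatenated(db, "alice", pw),
                          login_parameterized(db, "alice", pw))
    return results

if __name__ == "__main__":
    for label, (weak, hardened) in run_demo().items():
        print(f"{label:11} concatenated={weak:8} parameterized={hardened}")
```

With concatenation the quote closes the password string early, so the rest of the input is read as SQL; with bound parameters the same input is just a wrong password.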
Setting Passwords
Try setting your password to your username or your username concatenated with "123". If the site allows you to do so, there will be pwnage.
These signs only provide a general idea of what you're working with. Most sites contain security problems and so the absence of these indicators does not imply that a site is secure.