Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Can anyone recommend automatic web security testing tools? We have a large web site written in Perl and I'm supposed to start looking for flaws. I see plenty of problems, such as no taint checking and very little input validation, but if there are any automated tools that can point out new things to me, that would make my life much easier. tia

Re: Web Security Tools?
by hsinclai (Deacon) on Jun 03, 2004 at 21:45 UTC
    OWASP.org .. they have a free local java proxy which allows you to do a number of things, including inject headers and other content into the transactions..

    That still requires manual labor, and time.

    If the site is really insecure, nessus might reveal some flaws .. they've got plugin categories, might want to check the CGI family here
    Nessus plugins by family

Re: Web Security Tools?
by neniro (Priest) on Jun 03, 2004 at 22:28 UTC
    You can use nessus to scan for common CGI vulnerabilities. On packetstormsecurity.org are a lot of CGI-related tools. Use with care.
Re: Web Security Tools?
by tomhukins (Curate) on Jun 04, 2004 at 08:31 UTC

    Although it's not an automated tool itself, WWW::Mechanize allows you to develop site testing tools quickly. HTTP::Recorder helps you generate mech scripts which you can modify to repeat queries with different parameters.

    You might modify the parameters sent to be empty, include non-ASCII characters, or use the quote (') and backtick (`) characters to check for SQL and shell escaping, respectively.

    If you have access to the source itself, note the errors thrown by enabling taint checking and consider how you might exploit them. Automated tools generally work against a server, but you can look through the source itself - usually a richer source of ideas.

      You might modify the parameters sent to be empty, include non-ASCII characters,
      Add the NULL "\0" value to that list. It might upset some programs that do string handling in C. But then, if the OP had Taint checking on (and used it sensibly), it'd be extremely unlikely that anything like that got through.

      davis
      It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.
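An added example (not posted by anyone in this thread) of the mech-based probing tomhukins describes, with the NUL byte davis adds: the script resubmits one form with each probe value and flags responses whose status or body suggests the input reached an unescaped SQL, shell, or taint-checked sink. The URL, form name and field names are placeholders for the site you are testing.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode_utf8);
use WWW::Mechanize;

# Placeholders: point these at a form on the site you maintain.
my $url       = 'http://localhost:8080/search';   # assumption
my $form_name = 'search';                          # assumption
my @fields    = qw(q page);                        # assumption

# Probe values from the thread: empty, non-ASCII, SQL quote, shell backtick, NUL.
my %probes = (
    empty     => '',
    non_ascii => encode_utf8("caf\x{e9} \x{263a}"),
    sql_quote => "'",
    backtick  => '`',
    nul       => "\0",
);

# Response fragments that commonly indicate an unescaped sink or a taint failure
# ("Insecure dependency" is Perl's own taint-mode error text).
my @leak_patterns = (
    [ sql_error   => qr/DBD::|DBI::|SQL syntax/i ],
    [ taint_error => qr/Insecure dependency/ ],
    [ shell_error => qr/sh: |command not found/ ],
    [ server_err  => qr/Internal Server Error/i ],
);

# autocheck => 0 so a 500 is reported rather than dying mid-run.
my $mech = WWW::Mechanize->new(autocheck => 0);

for my $field (@fields) {
    for my $name (sort keys %probes) {
        $mech->get($url);                 # fresh copy of the form each time
        $mech->form_name($form_name);
        $mech->field($field, $probes{$name});
        my $res  = $mech->submit();
        my $body = $mech->content;
        my @hits = map { $_->[0] } grep { $body =~ $_->[1] } @leak_patterns;
        printf "%-6s %-10s HTTP %d%s\n", $field, $name, $res->code,
            @hits ? '  <-- ' . join(', ', @hits) : '';
    }
}
```

A hit only marks a response worth reading by hand; confirm each one against the source, where the real fix (taint mode plus proper input validation) belongs.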