Extreme in Security Inc.


Services


Web security training

The ultimate aim of Extreme In Security is to train students towards mastery in web security analysis and testing. Our agents perform two main types of web testing, and we recommend that students practise the same types of testing against our own web site as well:

  1. Web Server Testing - Readily available tools such as Nikto, Paros Proxy and WebSleuth automatically scan a web site for known vulnerabilities at the click of a button or with a single command. For example, Nikto is a Perl script that, when run with the web site as its argument, automatically performs numerous checks against the server. Similarly, Paros Proxy is a Java-based GUI that, once configured as a proxy between the browser and the web site, lets the user choose the analysis option to analyze the site and reports potential vulnerabilities with severity ratings.
  2. Web Application Testing - This consists of testing the security of the applications residing on the server. In particular, they are tested for poorly coded scripts that allow server-side code injection attacks and XSS (cross-site scripting) attacks. The concept behind both is the same: if a script provides an input facility (such as a text box) that does not check the size and content of the input, then malicious input can be sent to the application, for example commands separated by a semicolon, or JavaScript that redirects the browser to an attacker-maintained site along with a cookie belonging to another site. The results are undesirable effects such as shell prompt access to the web server or illegitimate access through a stolen cookie. The procedure for testing applications for these vulnerabilities is to perform code reviews, to test the applications with input corresponding to known attack forms, and to scan the code with automatic code analyzers such as RATS.
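The "unchecked input" concept from item 2, shown as an added Python example (not code from Extreme In Security or any tool named above; the page does not name an application language, so Python is an assumption). It places the poorly coded pattern, where a text-box value is concatenated into a shell command line, beside a hardened form that checks size and content against an allowlist, passes an argument vector instead of a shell string, and HTML-escapes anything reflected back to the browser. Nothing is executed; the vulnerable function only returns the string a shell would have received.

```python
import html
import re

# Allowlist for a plain DNS hostname: labels of letters, digits and hyphens,
# joined by dots, at most 253 characters in total (assumed policy for the example).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Shell separators that a size/content check must never let through to a command line.
SHELL_SEPARATORS = ";|&`$\n"


def vulnerable_ping_command(host: str) -> str:
    """The poorly coded pattern from the text: the text-box value is pasted into a
    shell command with no check on size or content, so a separator in the input
    turns one command into two. Returned as a string only; never run here."""
    return "ping -c 1 " + host


def is_valid_hostname(host: str) -> bool:
    """Content check: True only if the whole input matches the hostname allowlist."""
    return HOSTNAME_RE.match(host) is not None


def contains_shell_separator(value: str) -> bool:
    """Detection helper for logging or alerting on rejected input."""
    return any(ch in value for ch in SHELL_SEPARATORS)


def safe_ping_argv(host: str) -> list:
    """Hardened form: validate first, then build an argument vector for
    subprocess.run(argv) so no shell ever parses the value."""
    if not is_valid_hostname(host):
        raise ValueError("rejected input: not a valid hostname")
    return ["ping", "-c", "1", host]


def render_greeting(name: str) -> str:
    """XSS side of the same rule: limit the size, then escape before reflecting
    the value into HTML so script tags stay inert text."""
    if len(name) > 64:
        raise ValueError("rejected input: too long")
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```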



Send mail to dontcomment@extremeinsecure.org with questions or comments about this web site.
Copyright © 2007 Extreme In Secure Inc.
Last modified: 06/27/07