Services
Web security training
The ultimate aim of Extreme In Security is to train students towards mastery
in web security analysis and testing. Our agents perform two main types of web
testing. We recommend that students perform the same types of testing on our web
site as well:
- Web Server Testing - Readily available tools such as Nikto, Paros Proxy and
WebSleuth automatically scan a web site for known vulnerabilities at the click
of a button or with a single command. For example, Nikto is a Perl script that,
when run with the web site as its argument, performs numerous checks against the
server. Similarly, Paros Proxy is a Java-based GUI which, when configured as a
proxy between the browser and the web site, lets the user choose the analysis
option to analyze the site and reports potential vulnerabilities with severity
ratings.
- Web Application Testing - This consists of testing the security of the
applications residing on the server. In particular, they are tested for poorly
coded scripts that can allow server-side code injection attacks and XSS
(cross-site scripting) attacks. The concept behind both is the same: if an
input facility provided by the script (such as a text box) does not check the
size and content of the input, then malicious input, such as commands separated
by a semicolon, or JavaScript that redirects the browser to an
attacker-maintained site along with a cookie belonging to another site, can be
sent to the application, causing undesirable effects such as shell prompt
access to the web server or illegitimate access through a stolen cookie. The
procedure for testing applications for these vulnerabilities is to perform code
reviews, to test applications with input corresponding to known attack forms,
and to scan the code with automatic code analyzers such as RATS.
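As an added illustration of the input check described above (example code, not code from Extreme In Security or from any of the tools named), the following Python contrasts a script that concatenates a form field straight into a shell command string with a hardened version that enforces a size and content allowlist, passes the value as a separate argument so the shell never parses it, and escapes it before echoing it back into HTML. The field name, the 32-character limit and the sample inputs are assumptions.

```python
import html
import re

# Constructed policy: 1 to 32 characters, letters, digits, underscore, hyphen.
# Checking both size and content is the point the text makes; a semicolon,
# a space or an angle bracket never passes this filter.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def validate_username(value: str) -> bool:
    """Return True only if the field satisfies the size and content rules."""
    return USERNAME_RE.fullmatch(value) is not None


def build_lookup_vulnerable(username: str) -> str:
    """The poorly coded form: the raw field is concatenated into a single
    shell string, so any shell metacharacter in it becomes part of the
    command line. Returned as a string only to show the pattern; it is
    never executed here."""
    return "finger " + username


def build_lookup_safe(username: str):
    """Hardened form: validate first, then hand the value to the program as
    its own argv element (a list, not a string), so no shell interprets it.
    Returns None when the input is rejected."""
    if not validate_username(username):
        return None
    return ["finger", username]


def render_greeting(name: str) -> str:
    """Output encoding for the XSS case: escape the value before placing it
    in HTML so tags arrive at the browser as text, not markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def handle_request(username: str) -> dict:
    """Tie the checks together the way a CGI handler would: reject bad
    input up front, otherwise build the safe argv and the escaped page."""
    argv = build_lookup_safe(username)
    if argv is None:
        return {"status": "rejected", "argv": None, "page": None}
    return {"status": "ok", "argv": argv, "page": render_greeting(username)}


if __name__ == "__main__":
    for sample in ["alice", "alice; extra", "<script>x</script>", "a" * 33]:
        print(repr(sample), "->", handle_request(sample)["status"])
```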