Hi all,

We are developing a web application using the Spring framework and Hibernate ORM. As far as application security is concerned, we are using Acegi to provide authentication and authorization support.

Now, about user input sanitization: we have tried to take care of attacks like XSS and SQL injection. We have tried to use prepared statements and Hibernate Criteria as much as possible for database updates and queries. Inputs are sanitized for JavaScript as well.

For testing these we have tried to use tools like Firebug, TamperIE and Fiddler2, etc.

We have also used tools like Watch Mouse to do vulnerability tests.

What other tools are available for web application security, and what things should be considered before starting web application security testing?

Thank you
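As an added example (not code from the original post), here is a small offline harness for the two controls the question describes: parameterised SQL against injection, and HTML output encoding against XSS. The application in the question is Java/Spring/Hibernate; Python's standard-library sqlite3 and html modules are used here only so the check runs without a database server or a servlet container. The users table, the payloads and the function names are all constructed for this example; the Hibernate/JSTL equivalents named in the comments are the APIs the page's stack actually offers.

```python
"""Added example: exercise a vulnerable and a safe variant of each control with
a constructed payload, so the difference is observable rather than assumed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """VULNERABLE: query text built by string concatenation. This is the pattern
    that prepared statements / Hibernate Criteria are meant to replace."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn: sqlite3.Connection, username: str, password: str) -> list:
    """SAFE: same query with bound parameters; the driver never parses user data
    as SQL. Equivalent to JDBC PreparedStatement.setString, Hibernate
    Query.setParameter, or Criteria with Restrictions.eq."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed payload: closes the string literal and appends a tautology.
INJECTION = "' OR '1'='1"


def sqli_check() -> dict:
    """Run both variants against the injection payload and a valid login."""
    conn = make_db()
    return {
        "concat_with_payload": login_concat(conn, "x", INJECTION),  # all rows
        "param_with_payload": login_param(conn, "x", INJECTION),    # no rows
        "param_valid": login_param(conn, "alice", "s3cret"),        # ['alice']
    }


def strip_script_tags(value: str) -> str:
    """A naive input 'sanitiser' that only removes literal <script> tags.
    Included to show why a tag blacklist is not an XSS control."""
    return value.replace("<script>", "").replace("</script>", "")


def render_filtered(name: str) -> str:
    """Relies on input filtering alone; the payload below passes straight through."""
    return "<p>Hello " + strip_script_tags(name) + "</p>"


def render_encoded(name: str) -> str:
    """Encodes at output time for the HTML text context, which is what JSTL's
    <c:out> does by default (escapeXml="true"). Note this encoding is only
    correct for HTML text/attribute contexts, not for data placed inside a
    <script> block, which needs JavaScript-specific encoding."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


# Constructed payload: executes on load and contains no <script> tag at all.
XSS_PAYLOAD = "<img src=x onerror=alert(1)>"


def xss_check() -> dict:
    return {
        "filtered": render_filtered(XSS_PAYLOAD),
        "encoded": render_encoded(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in sqli_check().items():
        print(f"{k}: {v}")
    for k, v in xss_check().items():
        print(f"{k}: {v}")
```

Running it shows the concatenated query returning every user for the injection payload while the parameterised one returns nothing, and the `<img onerror>` payload surviving the script-tag filter untouched while the encoded output renders it as inert text. Checks of this shape (a known payload, a vulnerable and a hardened code path, an assertion on the observable result) are cheap to keep in the test suite, and they are what a scanner such as Burp is effectively doing from the outside.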

+1  A: 

HP has a security assessment tool called WebInspect, but it is not free and I wouldn't recommend it. Either my company doesn't know how to use it, or the tool has no consistency in finding vulnerabilities.

Getimoliver
+1 for pessimism/negativeness.
Stefan Kendall
A: 

You're better off hiring an actual pen-testing contracting agency to look for vulnerabilities in your site. Sure, you could run automated scanners, but they can only do so much. You'll probably waste more money and resources attempting to learn and implement proper pen testing than you would by just hiring someone else to do it.

The fact that you're asking this question means that you are not qualified to give the kind of confidence or complete coverage a commercial application would need before launch.

Stefan Kendall
Hiring an external team to test the application will be a better idea if you are not trying to develop an internal security testing team.
Vivek Ananth
The OP is an app developer, not a crack security-tester who makes staying latest with every possible exploit in various technologies his job.
Stefan Kendall
A: 

Burp Suite is an amazing tool for web application testing.

I do agree with hiring an outside team, however; but if your company cannot or will not, put a weekend into getting familiar with Burp Suite and you will undoubtedly find some bugs.

Mr-sk
A: 

You can use AppScan, but it's not free.

Rajat