views:

68

answers:

4

I am developing a site and I am using yslow to profile speed and stats, webdeveloper for html and css validation, etc.

What can I use to check for security mistakes?

+2  A: 

Review this list.

Obviously what is relevant is your server-side language (so you may want to scan from the WEB side and then an analysis of the server code as well).

This is a significant field of work and research. It's good that you want to perform this type of analysis, and enjoy reviewing and testing all the various available tools :)

Noon Silk
A: 

Depending on the size of your site you could possibly use a tool called Fortify. It will scan your code for security vulnerabilities. I am sure there are other tools which are similar.

Zaps
Sorry, but Fortify is not for web apps.
Rook
+2  A: 

For security I recommend the open source wapiti or the commercial Acunetix. Acunetix will tell you about broken links, but it won't tell you if you have a problem with HTML.

On a side note, html and css can really cause security problems. For instance, if you have html links pointing to http content within https it could be a problem, and Acunetix will inform you of some of these problems.

Rook
What do you mean by "html and css can really cause security problems"? Are you talking about allowing user html and css? I can see html causing a problem but not css.
acidzombie24
Actually you can execute javascript within css, so that is still a problem. HTML isn't an issue, but `<script>` tags are. You can also use onload= and onmouseover= to do nasty things with other html tags. By and large, filtering `<>` is a very good idea.
Rook
HTML can be a problem if you link to http resources from an https page. Browsers will throw a warning and Acunetix will detect this.
Rook
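The two markup issues raised in this thread, http resources referenced from an https page and inline `on*` event-handler attributes, can be checked for in a developer's own templates before a scanner like Acunetix ever runs. The following is an added example, not code from the original answers or from any of the tools named; the page URL and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that load or navigate to another URL, so they can point at http content.
URL_ATTRS = {"src", "href", "action", "data"}


class RiskyMarkupScanner(HTMLParser):
    """Collects http references on an https page and inline event handlers."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlparse(page_url).scheme
        self.findings = []  # (kind, tag, detail) tuples

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # html.parser already lowercases attribute names
            if value is None:
                continue
            if name.startswith("on"):
                # onload=, onmouseover= and friends run script from markup
                self.findings.append(("inline-handler", tag, f"{name}={value!r}"))
            elif name in URL_ATTRS:
                # Resolve relative and scheme-relative (//host/...) URLs against the page
                target = urljoin(self.page_url, value)
                if self.page_scheme == "https" and urlparse(target).scheme == "http":
                    self.findings.append(("mixed-content", tag, target))


def scan_html(page_url, html):
    """Return the list of findings for one HTML document served at page_url."""
    scanner = RiskyMarkupScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two http references, one scheme-relative script
# (resolves to https, so it is fine), one inline handler, one local image.
SAMPLE_HTML = """<html><body>
<img src="http://cdn.example.com/logo.png">
<script src="//cdn.example.com/app.js"></script>
<a href="http://partner.example.com/">Partner</a>
<div onmouseover="track()">hover</div>
<img src="/static/safe.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, detail in scan_html("https://shop.example.com/cart", SAMPLE_HTML):
        print(f"{kind:15} <{tag}> {detail}")
```

Only references from an https page are flagged; on a plain http page nothing is mixed content, and the inline-handler check is reported regardless of scheme.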
A: 

I assume you are familiar with OWASP Top 10 (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project). You can try rat proxy (http://code.google.com/p/ratproxy/) - it is a security audit tool. Other http/https proxies such as paros also can to some extent detect injection and XSS flaws.

None of these is perfect and so with a good understanding of web application vulnerabilities you can supplement with some manual tests and code inspection.

mar