I have implemented secured login and signup in my website.It working.Now I want to test it.I am not sure how to test whether it is correctly secured.
+1
A:
If you want to test whether it breaks when used with SSL, you could easily test drive it by downloading and installing OpenSSL, follow this tutorial to create a self-signed certificate with OpenSSL, install your newly created certificate on your web server (Apache, if you are using LAMP or XAMPP) and finally restart your web server. Now you have SSL ready to be used, try to use your login form via https:// and see what happens. If a web browser like Firefox complains about your certificate, tell it to create an exception.
That is how you can test it over SSL, but as for the "whether it is correctly secured", things get harder. Make sure you have at least taken care of:
- Session fixation
- Cross-site scripting
- Secure password storage (hashing)
- SQL injections
- Protecting against brute forcing with throttling or using CAPTCHAs
Kai Sellgren
2010-04-21 09:34:34
A:
This depends what the website is made of, for instance if it's using Apache or if it's an home-grown server.
- Verify the site is only accessible via HTTPS (if this is what is wanted)
- Test an access via HTTP - verify behavior is as expected (could be redirection to HTTPS, error page or warning message ...)
- Try to access the site without going thru the login page (i.e. forging URL)
- Open a session, try to access it from another client without logging in.
- Test for "obvious" passwords (test/test, admin/admin)
- Verify you cannot login without empty username/password
- Verify one cannot access the private key of the system
- Verify one cannot access all files of the system (eg http://website.address/../../../../etc/passwd)
- ...
You can also use a website security test suite, see this list by insecure.org, there are commercial products and free/open source tools.
IMHO, you should not try to test SSL, as this is a third-party tool.
philippe
2010-04-21 09:52:18