tags:

views:

77

answers:

3
+4  Q: 

Website script injection scan

Does anyone know of any script injection scanners that are able to detect if your website has been compromised (i.e. javascript that has been injected that should just not be there)?

+1  A: 

You can't. Because a bad script will always be able to rewrite/neutralize your scanner function when it arrives on the browser.
And your server doesn't have any control of what happens in your page anymore.

There is a simple way to protect your page from injection: place all the untrusted content using an iframe pointing on a different subdomain or port on your server.
You get the Same Origin Policy that sandbox the iframe and prevent the access to ressources of the parent page.

Then you may want to communicate safely between the iframes and the main page.
If you target modern browsers or mobiles you can use window.postMessage to send string messages.
For older browsers, there are some tricks here is a blog post with a solution

This does not protect you against cross site scripting, but this is another issue you can solve with a secret token in the parent page.

Mic  2010-08-10 13:01:46
+1  A: 

It is difficult: you need to test every URL of your application and check if specific patterns are present in the reply (and it is very difficult to have a good algorithm which can understand which is good and bad javascript, or you need to configure this scanner which can be long and tricky).

There is a realtime open source solution called mod security on the server side. It is a web application firewall: it can detect specific patterns in requests and / or responses. It works on apache as a module. This is mainly a production solution, and does not detect injection during development. Furthermore, you need some experiences to tune it (what is good and wrong in the data exchanges with our clients) which can be tricky and does not protect against new attacks or more intelligent attacks (re-encoding characters for instance).

By the way, another solution is to use Content Security Policy but it is not available in all browsers (well, no one at the present time, wait for Firefox 4 ;-).

Kartoch  2010-08-10 13:08:06
A: 

The StopBadware group offers a free scanning service. Google and Mozilla rely on this service for their "this site may harm your computer" warnings.

The scanning service is available here: http://www.stopbadware.org/home/reportsearch

Details on protecting your website are here: http://www.stopbadware.org/home/security

Ben Walther  2010-08-10 19:34:42

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security