Website Vulnerability Assessment & Testing
Is your website secure?
We scan for Cross Site Scripting (XSS), SQL Injection, and many more!
The server is not infinite. Vulnerability testing is the way to go to help protect your site. It needs to be carefully managed for its resources, to ensure the highest performance and operational efficiency. Your webserver is no exception to this rule.
After years of helping customers defend against DDoS attacks, we've had the opportunity to examine and analyze hundreds of websites, and discovered an alarming amount of vulnerabilities and inefficient coding. We've seen insecure web applications that were exposed by hackers, bringing sites down with just one web transaction. We've also seen webservers that could not deliver while under legitimate load due to something as simple as improper CSS and cache settings. And with the constant changes introduced by developers, managed hosting providers and website administrators, security holes and suboptimal web coding are almost guaranteed to appear over time and can then be exploited by Internet criminals and pranksters. Given that hackers are using TCP ports 80 and 443(SSL) to exploit website design flaws and vulnerabilities, hardware and cloud based application firewalls are not an effective defense against these tactics.
These vulnerabilities and poor coding can be used to cause extended outages, deface your website, redirect customers, steal data, or install malicious code on your visitor's computers!
That's why, as part of our fully managed DDoS Protection solution, DOSarrest is now offering an additional Internet security service, the Website Vulnerability Testing & Optimization (VTO) report. The report will intelligently crawl your whole site, identify insecure elements and applications, and report inefficient settings in your website code. With this collection of tools, we now have one of the most comprehensive tests available today that will pinpoint practically any vulnerability and design flaw your website may have, and be able to:
- Assist in securing web applications against vulnerabilities, by analyzing your site with the most advanced SQL injection and Cross Site scripting testing
- Check for industry information security compliance, such PCI/DSS, HIPAA, SOX, and many more
- Provide specific details on how to optimize caching (for a CDN or otherwise), minimize request overhead and payload size.
9 out of 10 websites will fail this report!
With this report, not only are you able to secure your site from the hackers of the world and avoid costly data theft or downtime, but you'll also be able to regain valuable compute power. This removes the need for costly hosting and/or infrastructure upgrades for your webserver (eg. A common reaction is to put hardware or cloud based firewalls in place to reduce server load; an expensive solution that is mostly ineffectual against application layer attacks). This saves you time AND money!
What the Report Tests for
Started in 9/9/2001 by Mark Curphey and Dennie Groves to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.
A technique often used to attack data driven applications. This is done by including portions of SQL statement in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database. Used to steal data from organization, one of the most common application layer attack techniques used today.
Used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.
Is adherence to a set of specific security standards that were developed to protect card information during and after a financial transaction.
Sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
Sarbanes-Oxley Act of 2002, is US legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. SOX defines which records are to be stored and for how long.
Extensible Markup Language (XML) – This is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable
Simple Object Access Protocol (SOAP) – This is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks.
Find Search engine hacker holes before they do.
Properly controlling access to web content is crucial for running a secure web server. Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
Testing the password protected area, we can simply say that we are able to detect weak or unencrypted passwords on password protected fares of the website.
Scan a website which used CAPTCHA or Single Sign on authentication methods, you have to record a Login Sequence using the Login Sequence Recorder, and mark the page for 'Manual Intervention'.
Software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
Pollutes the HTTP parameters of a web application in order to perform or achieve a specific malicious task/attack different from the intended behavior of the web application. Simple yet effective.
- Excessive external css
- CSS sprites
- Excessive external js
- Defer loading / parsing of js
- Compressing resources
- Browser caching
- Proxy caching
- Minimize redirects
- Optimize images
- Remove unused CSS
- Consistent URL's
Backed by Expert Security Operation Center
– You can have one of our security engineers walk you through the report and help your technical team plug any holes found and rerun the test to ensure everything on the website is secure as it can be. Regularly scheduled tests are the key to keeping your website secure.
With this report and our 24/7 expertise, you can ensure that even the most customized web servers is locked down tight.
- Testing starts at $2,000.00USD per test
- Re-testing at $200.00USD/scan
- DOSarrest customers receive a 50% discount on the above quoted prices
Click here to read our White Paper