用于扫描漏洞网站的工具
[英]Tool for Scanning Website for Vulnerabilities
问题描述
I've seen several questions on SO about this, but none of them quite fit what i'm looking for. 
我已经看到了SO这个几个问题,但他们没有很适合我要找的。 I've got an ASP.NET Site on my machine that i recently finished, but i'm a little worried about Security. 我的机器上有一个ASP.NET站点,我最近完成了,但我有点担心安全性。 I'm pretty sure I've managed it pretty well, but there's always an offchance i've missed something. 我很确定我已经很好地管理了它,但是总有一些事情让我错过了一些东西。
So, I'm looking for a tool that meets the following reqs 所以,我正在寻找满足以下要求的工具
- Scans a locally hosted (as in, on the same machine as the tool) website for vulnerabilities 扫描本地托管(与工具在同一台计算机上)网站上的漏洞
- Can be installed (ie, no web based stuff) 可以安装(即没有基于web的东西)
- (elaborating on #1)... tests ASP.NET (Web Forms, but MVC would be nice too) for SQL or XSS problems. (详细说明#1)...测试ASP.NET(Web窗体,但MVC也不错)用于SQL或XSS问题。 (I figure XSS is hard to test, but SQL injection should be easier to find) (我认为XSS很难测试,但SQL注入应该更容易找到)
Thanks! 谢谢! Lemme know if i'm not specific enough or if this is better suited for Webmasters SE. Lemme知道我是不是足够具体或者是否更适合网站管理员SE。
1 个解决方案
解决方案1
2 已采纳 2011-05-19 09:43:34
There are a few scanning tools around, some of which are open source, which is nice. 有一些扫描工具,其中一些是开源的,这很好。 The exploits you are talking about are technology agnostic - any app could suffer from them regardless of whether it's .net, java, ruby, etc. This makes testing for them slightly easier. 你所谈论的漏洞是与技术无关的 - 任何应用程序都可能受到它们的影响,无论它是.net,java,ruby等。这使得对它们的测试稍微容易一些。 Also, SQL injection and XSS bugs are usually application specific, which makes automagically testing for them harder. 此外,SQL注入和XSS错误通常是特定于应用程序的,这使得对它们的自动测试更加困难。
The best thing you can do is not be worried about security, but take specific steps to address issues. 您可以做的最好的事情不是担心安全性,而是采取具体步骤来解决问题。 Security should always be designed into your application. 应始终将安全性设计到您的应用程序中。 So carry out a code review on your app. 因此,请在您的应用上执行代码审核。 Look for specific things. 寻找具体的东西。
- Do you have any in-line SQL? 你有任何内联SQL吗? Do you modify it any way? 你有没有修改过它? Are you using parameters? 你在使用参数吗?
- Are you escaping any user input before you use it? 您在使用之前是否逃避了任何用户输入?
The above 2 steps will eliminate most SQL injection/XSS bugs. 以上两个步骤将消除大多数SQL注入/ XSS错误。 There are other issues to do with your server setup. 您的服务器设置还有其他问题。 Vulnerability scanning tools usually know most of these and can test for them. 漏洞扫描工具通常了解其中的大多数并可以对其进行测试。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.