Website Security Analysis & Testing Tools
#1
Brick 
Below you will find a collection of online tools and websites that will help you to analyze the security of your site and run tests to find out what can be improved, what maybe is a fatal security risk and of course how the overall status of your site, server and setup is in terms of security.


Mozilla Observatory

Observatory by Mozilla is a service for web developers, system administrators and security professionals. It scans websites and analyzes their general setup such as TLS configuration, content policy and so on. It includes improvement suggestions and links to official guides/tips by Mozilla. In addition it uses other 3rd party tools (a list is available below).

URL: https://observatory.mozilla.org/

Services used by Observatory:
- https://hstspreload.appspot.com/ (allows you to add your site into the global HSTS preloading list if you have HSTS configured on your server)
- https://securityheaders.io/ (runs an extended content and header check and includes suggestions and fixes for issues)
- https://tls.imirhil.fr/ (similar to SSLLabs - tests the TLS setup but does not include checks against known TLS vulnerabilities)


SSLLabs

SSLLabs by Qualys is a very advanced TLS setup analysis tool. It will make a complete test of your TLS setup including certificate chain, ciphers, OS/browser and device compatibility and it also has a great scanner for all known TLS vulnerabilities. In addition it also allows you to scan clients like your browser for issues. This is a very helpful tool to find issues with your TLS setup and improve it.

URL for website/server checks: https://www.ssllabs.com/ssltest/
URL for web browser checks: https://www.ssllabs.com/ssltest/viewMyClient.html


Virustotal

Virustotal is a website that allows you to scan files and websites online with over 50 antivirus engines by various companies including the best ones like Kaspersky, ESET, BitDefender and so on. It scans for viruses, trojans and also malware.

URL for website scanner: https://virustotal.com/#url

Below is a list of 3rd party tools used by Virustotal:
- https://quttera.com/ (a service to scan sites for viruses, trojans and malware)
- https://sitecheck.sucuri.net/ (a service to scan sites for viruses, trojans, malware and other issues/problems including blacklist checks)


Cipherlist

A website that includes the safest and best ciphers for TLS setups including intermediate ciphers to support older clients and still have a secure setup. It supports multiple web servers and even other software such as mail servers, HAProxy and so on.

URL: https://cipherli.st/


SSLDecoder

SSLDecoder was made by the same person that made Cipherlist. It is a very similar tool to SSLLabs and TLS.Imirhil. It does a certificate chain check, cipher check and so on.

URL: https://ssldecoder.org/


Mozilla TLS Configuration Generator

The TLS configuration generator by Mozilla is a tool to generate full TLS setup configuration code for various web servers with good ciphers and other useful TLS security features.

URL: https://freevps.us/thread-15446.html


Webinspector

Webinspector checks sites for various threats like drive-by downloads, viruses, trojans, malware, worms, backdoors, phishing and much more.

URL: https://app.webinspector.com/



Do you know other good tools? Post them below with a little description and URLs.
#2
BrowserLeaks
Web browser security testing tools that tell you exactly what personal identity data may be leaked without any permissions when you surf the Internet.
URL: https://www.browserleaks.com/

IPLeak
DNS leak test
URL: https://ipleak.net/
My blog hosted on VPS 1: Gunnaro (Indonesian) | Sorry for my bad English :|
#3
I have used Virustotal in the past for scanning my websites. Will be testing Mozilla Observatory on my websites.
#4
I often use the SSLLabs site for checking the TLS and SSL of the website in my community. SSLLabs is a simple site where you only need to write the hostname and then press enter. It will show the result just a moment after.
Provided by Hostigation through FreeVPS
In the Beginning... Was the Command Line
#5
(2016-08-28, 5:55:33 pm)Hidden Refuge Wrote:  - https://tls.imirhil.fr/ (similar to SSLLabs - tests the TLS setup but does not include checks against known TLS vulnerabilities)
Wow, this site sure is strict. Like, I have A+ on SSLLabs (using Intermediate configuration from Mozilla), but this says my rating is F.
Now if only I understood what's the problem with my website.
There are 10 sorts of people in the world; those who understand ternary, those who don't, and those who thought this was a binary joke.
#6
(2016-09-02, 6:10:40 am)xfix Wrote:  Wow, this site sure is strict. Like, I have A+ on SSLLabs (using Intermediate configuration from Mozilla), but this says my rating is F.
Now if only I understood what's the problem with my website.

To me it looks like the 3rd party site that is used by Mozilla's Observatory service is basically doing a thorough check of the cipher suites of your TLS setup. It then splits up the found cipher suites in the ciphers that they contain. After that it rates the used ciphers based on their security I guess. There are very good ciphers (highlighted as green), then there are Okish ciphers (highlighted as yellow) and finally there are the bad/outdated/insecure ciphers (highlighted as red).

So in this case any site using a cipher suite that contains any of the bad ciphers is getting cut down to a really bad grade like F. Somewhere in between you will probably find sites that have ciphers that are Okish and of course the top half of it are sites which really only contain cipher suites with green ciphers (very secure and up to date). I assume it really is so or otherwise I cannot explain their rating system. My sites are also getting an F because I have an intermediate TLS setup to support older browsers, OSs and devices (like older Android versions or Windows Vista, XP).

To get an A you would probably have to drop all yellow and red ciphers. This would basically leave you with only a handful of ciphers. BUT! If you do this there will be huge issues like your site being inaccessible for many people who are still using some older browsers, OSs or devices (this is more common than some might believe).

You might remember well when FreeVPS used the modern TLS setup and the site was not accessible for people who used browsers like Opera Mini (which apparently is still being developed and supported by Opera so it can't be "old" and "unsupported"). Now it works but just because FreeVPS also uses an intermediate setup to support older type of clients.
#7
Thanks HR, I've tried Quttera and Sucuri in the past. I found Sucuri easy to use and to remember so have been using it fairly regularly. I think it is very thorough in its scanning, but one has to be careful though as it does come up with false positives now and then. I've also tried Web Inspector in the past. Can't wait to try the others out.

BTW: Spamhaus Blocklist Removal is quite good when one's IP is blacklisted (not when it is in good shape of course). It provides one with a detailed account of the virus/trojan that was responsible and in some cases even recommends how to solve the problem.
#8
(2016-09-03, 2:54:40 am)Hidden Refuge Wrote:  You might remember well when FreeVPS used the modern TLS setup and the site was not accessible for people who used browsers like Opera Mini (which apparently is still being developed and supported by Opera so it can't be "old" and "unsupported"). Now it works but just because FreeVPS also uses an intermediate setup to support older type of clients.

Now Opera Mini supports TLS 1.2 properly, so it's not an issue anymore.
There are 10 sorts of people in the world; those who understand ternary, those who don't, and those who thought this was a binary joke.
#9
Tools Lists
1. Scan My Server
2. SUCURI
3. Qualys SSL Labs, Qualys FreeScan
4. Quttera
5. Detectify
6. SiteGuarding
7. Web Inspector
8. Acunetix
9. Asafa Web
10. Netsparker Cloud
11. UpGuard Web Scan
12. Tinfoil Security

I use ScanMyServer, it provides one of the most comprehensive reports of a variety of security tests like SQL Injection, Cross Site Scripting, PHP Code Injection, Source Disclosure, HTTP Header Injection, Blind SQL Injection and much more. The scan report is sent by email with a vulnerability summary.
#10
I just tested one of my WP blogs and I scored a large "F". I'm a total novice at what Firefox Observatory is asking me to do. Starting with the "Content Security Policy". Is there a simple version perhaps with command lines that I could copy?

Here are all the crosses I received:

Quote:
Content Security Policy (CSP) header not implemented
Cookies set without using the Secure flag or set over http
X-Content-Type-Options header not implemented
X-Frame-Options (XFO) header not implemented
X-XSS-Protection header not implemented


In addition to not having https.  I probably need to get up to speed with how to set up SSL with VestaCP.
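The five Observatory findings quoted above can be checked locally before rescanning. The following is an added example and not part of this thread or of Observatory itself: it takes the response headers of a page (as a list of name/value pairs, which is how a scanner or `curl -I` would see them) and reports which of those five checks still fail. The two header sets are constructed samples: the first is what a plain-http blog typically sends, the second the same site after enabling TLS and the headers.

```python
from typing import List, Tuple

# (name, value) pairs; a name may repeat, which matters for Set-Cookie
Headers = List[Tuple[str, str]]


def _values(headers: Headers, name: str) -> List[str]:
    """All values of a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def observatory_findings(headers: Headers, served_over_https: bool) -> List[str]:
    """Return the findings from the quoted list that apply to this response."""
    findings: List[str] = []
    if not _values(headers, "Content-Security-Policy"):
        findings.append("Content Security Policy (CSP) header not implemented")
    for cookie in _values(headers, "Set-Cookie"):
        # attributes follow the first ';' (e.g. "Secure", "HttpOnly", "Path=/")
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs or not served_over_https:
            findings.append("Cookies set without using the Secure flag or set over http")
            break  # one finding per response, however many cookies fail
    if not any(v.strip().lower() == "nosniff" for v in _values(headers, "X-Content-Type-Options")):
        findings.append("X-Content-Type-Options header not implemented")
    if not _values(headers, "X-Frame-Options"):
        findings.append("X-Frame-Options (XFO) header not implemented")
    if not _values(headers, "X-XSS-Protection"):
        findings.append("X-XSS-Protection header not implemented")
    return findings


# Constructed sample: a default blog answering over plain http
PLAIN_HTTP_RESPONSE: Headers = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
]

# Constructed sample: the same site over https with the headers added
HARDENED_RESPONSE: Headers = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/; Secure; HttpOnly"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
]

if __name__ == "__main__":
    for label, hdrs, https in (("plain http", PLAIN_HTTP_RESPONSE, False),
                               ("hardened", HARDENED_RESPONSE, True)):
        print(label, "->", observatory_findings(hdrs, https) or ["no findings"])
```

A `default-src 'self'` policy is only a starting point: a WordPress theme that loads fonts, scripts or images from other origins needs those origins allowed, or the browser will block them once the header is live.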
