Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
U
U
User992021-10-14 20:01:21
Information Security
User99, 2021-10-14 20:01:21

How to test a web application for information security?

The customer requires an act of conducting state testing of a web application for information security.
The state agency asks for crazy sums for such a service.
Test List:

  1. Source code analysis
  2. Testing information security features
  3. Load test
  4. Network Infrastructure Survey
  5. Survey of information security processes


How can you test such a test yourself? I wanted to conduct such a test myself, and correct the shortcomings before applying for a considerable amount.
What programs to analyze? What and how, if anyone has tried, please describe the process, what, how and with what?

Item 4 can be removed from the list. it's all right here. for those parts of the servers, everything is configured and everything is divided into classters. more interested in software testing

launched a test on Nikto
Result (I haven’t figured out what it means yet :)) :
spoiler

Server: nginx/1.16.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname 'oat-----.org' does not match certificate's names: at-----.org
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /auth/: This might be interesting...
+ 5007 requests: 8 error(s) and 8 item(s) reported on remote host
+ End Time:           2021-10-14 22:45:06 (GMT5) (130 seconds)

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
V
Vitaly Karasik, 2021-10-15
@vitaly_il1

A full examination really costs a lot.
If you just want to get a beautiful PDF for free, then
1. https://sonarcloud.io/code-security
2. https://www.indusface.com/web-application-scanning.php
3. app.k6.io , blazemeter .com

Similar questions
Z
Zevaka2011-02-16 21:18:34
Who is knocking on my door? 8Reply
K
KJIayD2015-10-01 15:55:03
Kaspersky or Kerio? 2Reply
S
Sergey2015-10-04 14:03:14
Encryption of the server so that the content starts automatically, but the data cannot be read from the disk. How? 1Reply
O
onetwoz12021-06-15 10:05:39
Diploma topic (VKR) on IB on the web? 2Reply
S
Sailaubai Shyngys2015-10-05 20:23:07
Is it possible to put windows on the terminal? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question