Information Security
User99, 2021-10-14 20:01:21

How to test a web application for information security?

The customer requires an act of state information-security testing of a web application.
The state agency asks for crazy sums for such a service.
Test List:

  1. Source code analysis
  2. Testing information security features
  3. Load test
  4. Network Infrastructure Survey
  5. Survey of information security processes


How can you run such a test yourself? I wanted to conduct the test myself and fix the shortcomings before applying and paying a considerable amount.
What programs should I use for the analysis? If anyone has tried this, please describe the process: what to test, how, and with what?

Item 4 can be removed from the list; it's all right here. On the server side everything is configured and split into clusters. I'm more interested in testing the software.

I ran a test with Nikto.
Result (I haven't figured out what it means yet :)):

Server: nginx/1.16.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname 'oat-----.org' does not match certificate's names: at-----.org
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /auth/: This might be interesting...
+ 5007 requests: 8 error(s) and 8 item(s) reported on remote host
+ End Time:           2021-10-14 22:45:06 (GMT5) (130 seconds)
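The header findings Nikto printed above can be re-checked offline, and the fix verified, from a saved raw response. This is an added example, not code from the question or the answer; the two HTTP responses are constructed samples, and X-XSS-Protection is left out because current browsers ignore that header.

```python
"""Added example: re-check the header findings Nikto reported, offline, from a raw response."""
from typing import Dict, List

# Header -> finding text, kept close to Nikto's wording so the report maps 1:1.
REQUIRED = {
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "x-content-type-options": "X-Content-Type-Options missing: browser may MIME-sniff responses",
    "strict-transport-security": "Strict-Transport-Security missing on a TLS site: no HSTS",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'status line + headers + blank line' into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.lstrip().splitlines()[1:]:   # [0] is the HTTP status line
        if not line.strip():                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str, https: bool = True) -> List[str]:
    """Return the list of hardening gaps; an empty list means all checks passed."""
    h = parse_headers(raw)
    findings: List[str] = []
    for name, text in REQUIRED.items():
        if name == "strict-transport-security" and not https:
            continue                             # HSTS is only meaningful over TLS
        if name not in h:
            findings.append(text)
    hsts = h.get("strict-transport-security", "")
    if hsts and "max-age=" not in hsts.lower():
        findings.append("Strict-Transport-Security present but has no max-age")
    enc = h.get("content-encoding", "").lower()
    if enc in ("deflate", "gzip", "br"):
        findings.append(f"Content-Encoding: {enc}: compressed responses that embed secrets "
                        "(e.g. CSRF tokens) are what BREACH targets; disable compression for them")
    return findings


# Constructed sample matching the Nikto output above: nginx, no hardening headers, deflate.
WEAK = "HTTP/1.1 200 OK\nServer: nginx/1.16.1\nContent-Type: text/html\nContent-Encoding: deflate\n\n<html>"
# Same response after adding an nginx 'add_header ... always;' directive for each header.
HARDENED = ("HTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html\n"
            "X-Frame-Options: DENY\nX-Content-Type-Options: nosniff\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\n\n<html>")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(resp) or ["no findings"])
```

Paste the header block from `curl -sI https://your-host/` into `raw` to audit a live response without any scanner.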

1 answer(s)
Vitaly Karasik, 2021-10-15
@vitaly_il1

A full examination really does cost a lot.
If you just want to get a nice PDF for free, then:
1. https://sonarcloud.io/code-security
2. https://www.indusface.com/web-application-scanning.php
3. app.k6.io, blazemeter.com
