
Website Security Scanners

Pyxis

Platinum Member
I'm looking for some recommendations on decent website security scanners. Something that will scan my site directory structure and tell me if there are any vulnerabilities.

Thanks🙂
 
Tbh, I don't have anything to recommend and I'm sure there's stuff out there that can do far more than I'm imagining, but nothing that analyzes via the web can give you any real guarantee of security. Via the web, it can't analyze your php (or other dynamic content) for coding errors, it can't detect files that aren't linked directly (unless you have directory listings on for every dir) and it can't do things like analyze for appropriate file permissions. I'd recommend following the vulnerability reports for all products you use and doing a common sense scan of what you have up there by hand.

For instance, I recently discovered that a php blog I'd been running had been hacked. I could have prevented it by:
1) checking back at the website where I found it, because the vulnerability had been fixed months ago
2) putting sane write permissions on everything that the webserver has access to (the exploit should not have had permission to create the directories it did)
3) doing a basic scan of the product and hacking out things that I wasn't going to use and/or that were just begging for trouble (like image upload, or allowing a hacker to download the password hash)

Of course if you've done that and still want a tool (sounds like this is a business willing to throw money at it), then go nuts 😛
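Added example, not part of the posts above: the reply's point 2 is a check a web-based scanner cannot make, so this sketch walks a document root on the server itself and lists every file and directory the web server account could write to, going by POSIX mode bits. The function names, the sample tree and the choice of account are assumptions made for illustration.

```python
import os
import stat
import tempfile


def write_reason(st, uid, gids):
    """POSIX mode-bit check: which permission class lets uid/gids write here?"""
    if st.st_uid == uid:
        return "owner" if st.st_mode & stat.S_IWUSR else None
    if st.st_gid in gids:
        return "group" if st.st_mode & stat.S_IWGRP else None
    return "other" if st.st_mode & stat.S_IWOTH else None


def audit_docroot(root, uid, gids):
    """List (relative path, kind, reason) for everything under root that the
    given account could modify. A writable directory means new files and
    subdirectories can be created in it. ACLs and root (uid 0) are ignored."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits say nothing about the target
            reason = write_reason(st, uid, gids)
            if reason:
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((os.path.relpath(path, root), kind, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample docroot with a mix of sane and loose permissions."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for name, mode in {"index.php": 0o644, "config.php": 0o666}.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    for name, mode in {"uploads": 0o777, "cache": 0o775}.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    web_uid = os.getuid() + 1  # assumption: web server runs as another account
    for rel, kind, reason in audit_docroot(root, web_uid, set()):
        print(f"{kind:4} {rel:12} writable via {reason} bits")
```

On a real server, pass the uid and group ids of the account the web server runs as, and treat every directory in the output as a place an exploited script could create files.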
 