What is a Web Site Security Risk Assessment?
Written by Rebecca Mints   
Monday, 14 April 2008 18:00

While we will customize each website risk assessment to meet the needs of each client individually, there are essentially two different kinds of website assessments we offer: premium and basic. Below you will find what is included in each assessment.

A PREMIUM ASSESSMENT includes:

Web Resources Spider and Analysis - While it does not look for vulnerabilities itself, the Spider is a very useful tool. It crawls the site and builds a "web" (like a map or tree) that is utilized to perform the other security checks.

Server Vulnerabilities Assessment - Assessment of the properties of the server: the operating system in use, the server type, and open ports. Checks whether the server is susceptible to attacks.

Directory Brute-force Discovery - Employing a dictionary to try thousands of passwords in an attempt to gain access to restricted information.

File Directory Exposure Attacks - We search for backup files, information leakage files, configuration files, and password files.

Cross-Site Scripting (XSS) Attacks - Checking whether it is possible to insert malicious code into a dynamic webpage. A hacker can insert content that the website cannot distinguish from harmless content. The hacker can then cause the web server to deliver a webpage containing malicious code to an unsuspecting user, and that code can transfer the user's input to another server.

SQL Injection Attacks - Checking whether a hacker can transmit SQL query commands, via the web application, to the database residing on the server. A hacker can attempt this in two ways: SQL commands are entered in form fields on the webpage, or SQL queries are inserted into required input parameters. Either way, the hacker is then able to run SQL queries and commands on the server.

Memory Fault Attacks - Checking for buffer and integer overflow and format string attacks.

Parameter Tampering Attacks - Looking for parameter addition attacks, Boolean parameter tampering attacks, hidden parameter discovery, parameter deletion attacks, remote execution attacks, directory traversal attacks, HTTP header splitting (CRLF injection) attacks, and PHP-based remote file inclusion attacks.

Signature-based HTTP Attacks - We use the most complete HTTP attack signature database available on the market to discover vulnerabilities in the web server and in third-party software packages.

Custom Content Search - You may provide custom content rating strings to be verified on every page. Whenever a custom content rating string is not found on a page, you will be issued a vulnerability warning.

Protocol Compliance Check - We will execute a series of HTTP checks to test for web server protocol compliance and resilience against denial-of-service attacks.

Authorization guessing of any directory.

A BASIC ASSESSMENT includes:

Server Vulnerabilities Assessment - Assessment of the properties of the server: the operating system in use, the server type, and open ports. Checks whether the server is susceptible to attacks.

File Directory Exposure Attacks - We search for backup files, information leakage files, configuration files, and password files.

Signature-based HTTP Attacks - We use the most complete HTTP attack signature database available on the market to discover vulnerabilities in the web server and in third-party software packages.

Fingerprinting web servers via favicon.ico files - Determining the server type and version, and which OS is in use.

404 checking for each file type - 404 is the HTTP error code for "page not found." This check confirms that every page that is supposed to be viewable actually is.

Authorization guessing of any directory.


For more information about either the Premium or Basic Assessment please fill out our Services Inquiry Form or use the Help Center to contact one of our representatives.