LebGeeks

A community for technology geeks in Lebanon.


#1 July 21 2013

Nabs
Member

How to test websites for vulnerabilities?

I built a website using Wordpress. Edited it quite a bit, used a load of plugins and add-ons. Now I want to put it under heavy testing before taking it out to public use. Whose service can I request, and how much does it approximately cost please?

Last edited by Nabs (July 21 2013)


#2 July 22 2013

longbit
Member

Re: How to test websites for vulnerabilities?

You could do it yourself.
WordPress is kinda well designed and secure; the problem is in the plugins. Most WP hacks are caused by badly programmed plugins, so check if the plugins you are using are vulnerable. It will be easy to do so... the easiest way is to search for the plugin on exploit-db.com.
Run some SQL injection tests; if you're too lazy for manual injection, try sqlmap, Havij... As I remember, sqlmap by default uses blind SQL injection, so make sure to run error-based SQL attacks too....
Check if you are doing proper input validation. Don't focus on client-side validation, it is useless; make sure that every input is properly validated on the server side.
Remote code execution is also critical. Remote file inclusion, XSS...

I know someone who used to be in the business. I'll check if he is still doing pentests and I'll let you know.

Last edited by longbit (July 22 2013)

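A worked illustration of two points in the reply above (server-side validation of every input, and the database error that an error-based injection test looks for). This is an added example, not code from any post in this thread and not WordPress code: the `posts` table, the sample rows, the slug whitelist and the function names are all constructed for the demonstration, using Python's built-in `sqlite3` in place of MySQL.

```python
import re
import sqlite3

# Constructed sample data (not from the thread): an in-memory table standing in
# for the posts table a plugin might query by URL slug.
SAMPLE_POSTS = [
    ("hello-world", "Hello World", 1),
    ("draft-notes", "Draft Notes", 0),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts (slug, title, published) VALUES (?, ?, ?)", SAMPLE_POSTS
    )
    return conn


# Hypothetical whitelist for WordPress-style slugs: lowercase alphanumerics
# joined by single hyphens. Anything else is rejected before it reaches SQL.
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def validate_slug(slug: str) -> bool:
    """Server-side validation: reject anything that is not a well-formed slug."""
    return 1 <= len(slug) <= 200 and SLUG_RE.fullmatch(slug) is not None


def lookup_post_vulnerable(conn, slug):
    """The defect the reply warns about: user input concatenated into SQL.
    A database error reaching the caller is the error-based signal that
    injection tests look for; it is returned here so a check can inspect it."""
    sql = "SELECT title FROM posts WHERE published = 1 AND slug = '" + slug + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return {"error": "database error: " + str(exc)}
    return {"title": row[0] if row else None}


def lookup_post_safe(conn, slug):
    """Hardened form: whitelist validation first, then a parameterised query,
    so the input is never interpreted as SQL."""
    if not validate_slug(slug):
        return {"error": "invalid slug"}
    row = conn.execute(
        "SELECT title FROM posts WHERE published = 1 AND slug = ?", (slug,)
    ).fetchone()
    return {"title": row[0] if row else None}


def leaks_db_error(lookup, conn) -> bool:
    """A check to run against your own code: does a lone quote surface a
    database error? True means the query is built unsafely and needs fixing."""
    result = lookup(conn, "'")
    return result.get("error", "").startswith("database error")


if __name__ == "__main__":
    conn = build_db()
    print(lookup_post_vulnerable(conn, "hello-world"))
    print(lookup_post_safe(conn, "hello-world"))
    print("vulnerable version leaks DB error:", leaks_db_error(lookup_post_vulnerable, conn))
    print("safe version leaks DB error:", leaks_db_error(lookup_post_safe, conn))
```

The fix has two independent layers: the whitelist stops malformed input at the edge, and the parameterised query means that even if validation were loosened later, the value still travels to the database as data rather than as part of the statement. Sending a single quote and watching for a database error is the same signal an automated scanner uses, so running it against your own endpoints before going public finds the obvious cases cheaply.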

#3 July 22 2013

Nabs
Member

Re: How to test websites for vulnerabilities?

Alright, I'll wait for your info.


#4 July 22 2013

Joe
Member

Re: How to test websites for vulnerabilities?

Nabs, do you want to learn how to do it yourself, or are you asking for suggestions about who to pay to do it for you?


#5 July 22 2013

Nabs
Member

Re: How to test websites for vulnerabilities?

I'm not sure how complicated the process is. A few times before, I asked random questions, and I kept getting some answers by annoyed users, asking me to hire someone. I don't want to step on any toes here. If I could be pointed in the right learning direction, I'd take that. Love to learn. If not, then hire someone.


#6 August 1 2013

Nabs
Member

Re: How to test websites for vulnerabilities?

@Rahmu, any ideas, please?


#7 August 1 2013

Pelti
Member

Re: How to test websites for vulnerabilities?

You can find many web vulnerability scanners online. I just found some scanners dedicated to WordPress. Google it.


#8 August 1 2013

Nabs
Member

Re: How to test websites for vulnerabilities?

@Pelti, mind linking me to one, please? I wouldn't have asked if I could find one on my own.


#9 August 1 2013

Pelti
Member

Re: How to test websites for vulnerabilities?

Tools:
- Scanwp.com
- 6ScanSecurity
- Netsparker

(I'm not allowed to post links)


#10 August 1 2013

Fischer
Member

Re: How to test websites for vulnerabilities?

This is a personal opinion: I find the online scanners useless. I used many of them a long time ago when I was learning SQL injection; I was just a teenager willing to try every tool he heard about.

But let's assume for a second that the scanners are real. Would you trust the website owner? How would you be sure that he's not saving the vulnerabilities in a log file so later he can attack you?

Want a tool? Look for sql ninja, a very well known SQL injection testing tool. But would you be able to use it? Let's say you follow a tutorial and you installed it and ran it; would you understand the output? And assuming you understood, would you be able to fix it?

I can give you hundreds of tools. A few run on Windows, the majority on Linux, like Metasploit, and you could use many exploits. But it's not about the tools, it never was; that's why they are called tools in the first place.

Besides, if you manage to "secure" WordPress, are you sure that no one can "hack" you? Are you sure that your server is "secure"?

In the past, if you wanted to teach your kid SQL injection, you'd say: "Son, attack that WordPress site." I don't know about now, but they should have fixed it.

I never used WordPress, never will. I did a simple search for plugins; I think this is more than enough for you, at least for now. There are hundreds of other plugins which are the easy way to secure the site.

I personally do not think that hackers are the ones who are going to take down your site. What you really need to worry about is CPU and RAM usage; WordPress and Joomla are hungry beasts.

Last edited by Fischer (August 2 2013)


#11 August 2 2013

jsaade
Member

Re: How to test websites for vulnerabilities?

In WordPress, we use a plugin called Wordfence.
It constantly monitors your sites for exploits (and other plugins).
It suggests how you should patch files.
It emails you if there is a new WordPress release, etc.

http://www.wordfence.com/


#12 August 2 2013

Nabs
Member

Re: How to test websites for vulnerabilities?

@Pelti, no offense, but I tried all those sites among others; not a single exploit. They also said I can upgrade to a paid service to make sure my site was clean.

@Fischer, well put, the whole post.

@Jsaade, I'll give it a go.

Thank you all for your support.


#13 August 2 2013

Pelti
Member

Re: How to test websites for vulnerabilities?

Yea, you're right. In this case, you have to do the penetration testing yourself. I usually use BackTrack for penetration testing. But I thought these online scanners might be useful.
