WHS-hackability-Index-083013
Copyright © 2013 WhiteHat Security, Inc. | 3970 Freedom Circle | Santa Clara, CA 95054 | 408.343.8300 | www.whitehatsec.com
Hackability Index:
How hackable is your website?
[Flowchart: starts at "Do you have a website?", then each question below is answered YES or NO. Outcomes: "You and/or your users are probably hackable." / "You are probably safe." / "You are safe."]
Is this true for all your websites?
Does your registrar protect your account beyond using passwords and emails?
Do you use HttpOnly and Secure flags on your cookies?
Do you use HSTS?
Do you support TLS 1.2?
Do you use SSL/TLS for all sensitive communications?
Do you use Content Security Policy?
Do you use X-Frame-Options?
Do you isolate your database from being connected to from the Internet?
Are your users’ answers to secret questions computationally impossible to guess?
Do you have an out-of-band method of performing password resets?
Do you have a method of ensuring no name collision with existing or previously deleted users?
Do you have methods to ensure cookies cannot collide?
Do you time out cookies both on the client and server?
Do you verify account permission on each request?
Do you use a sufficiently strong random number generator?
Do you use sufficiently strong cookies (128-bit minimum)?
Do you use strong forms of authentication (e.g. 2FA) for both admin and users?
Do you have anti-automation to prevent brute force for both admin and users?
Do you limit access to your admin console beyond just username/password?
Do you make sure not to leak source code on GitHub, in SVN repos and so on?
Do you have a restrictive or non-existent crossdomain.xml file?
Do you use cryptographic nonces to verify all inputs?
Do you sanitize user input for directory enumeration?
Do you sanitize all user input for database meta characters?
Do you sanitize all user input for executable meta characters?
Do you sanitize all user input for client side meta characters?
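Several of the checklist items above (HttpOnly and Secure cookie flags, HSTS, Content Security Policy, X-Frame-Options) can be answered by inspecting a site's own HTTP response headers. The script below is an added example, not WhiteHat Security's code or tooling: it audits a list of response headers and returns the controls that are missing or misconfigured. The two responses it checks are constructed for illustration; treating a CSP `frame-ancestors` directive as an acceptable substitute for X-Frame-Options is this example's assumption, not a statement from the checklist.

```python
"""Audit HTTP response headers against the cookie, HSTS, CSP and framing
items of the checklist. Added example; the sample responses are constructed."""
from typing import List, Tuple

Header = Tuple[str, str]  # (name, value); a list allows repeated Set-Cookie


def _get_all(headers: List[Header], name: str) -> List[str]:
    """Every value of a header; header names are case-insensitive."""
    return [v for n, v in headers if n.lower() == name.lower()]


def cookie_findings(set_cookie: str) -> List[str]:
    """A session cookie should carry both HttpOnly (no script access) and
    Secure (never sent over plain HTTP)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {cookie_name!r} lacks HttpOnly")
    if "secure" not in attrs:
        findings.append(f"cookie {cookie_name!r} lacks Secure")
    return findings


def hsts_findings(values: List[str]) -> List[str]:
    """HSTS requires a Strict-Transport-Security header with a positive max-age."""
    if not values:
        return ["no Strict-Transport-Security header (HSTS not enabled)"]
    max_age = 0
    for directive in values[0].split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                pass
    if max_age <= 0:
        return ["Strict-Transport-Security present but max-age missing or zero"]
    return []


def framing_findings(xfo: List[str], csp: List[str]) -> List[str]:
    """Clickjacking defence: X-Frame-Options DENY or SAMEORIGIN, or (assumed
    acceptable in this example) a CSP frame-ancestors directive."""
    if any("frame-ancestors" in v.lower() for v in csp):
        return []
    if not xfo:
        return ["no X-Frame-Options header"]
    if xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        return [f"X-Frame-Options value {xfo[0]!r} is not DENY or SAMEORIGIN"]
    return []


def audit_headers(headers: List[Header]) -> List[str]:
    """Return a list of findings; an empty list means all four checks passed."""
    findings: List[str] = []
    for set_cookie in _get_all(headers, "Set-Cookie"):
        findings.extend(cookie_findings(set_cookie))
    findings.extend(hsts_findings(_get_all(headers, "Strict-Transport-Security")))
    csp = _get_all(headers, "Content-Security-Policy")
    if not csp:
        findings.append("no Content-Security-Policy header")
    findings.extend(framing_findings(_get_all(headers, "X-Frame-Options"), csp))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("X-Frame-Options", "ALLOWALL"),
]

HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(response) or 'no findings'}")
```

Feeding the header list of a real response (for example from `response.raw_headers` in an HTTP client that preserves duplicates) into `audit_headers` gives a quick first pass over four of the checklist questions; the remaining items (database isolation, password reset flow, brute-force protection) need review of the application itself rather than its headers.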