WHS-hackability-Index-083013
Copyright © 2013 WhiteHat Security, Inc. | 3970 Freedom Circle | Santa Clara, CA 95054 | 408.343.8300 | www.whitehatsec.com
Hackability Index:
How hackable is your website?
Do you have a website? If not, stop here. If so, work through the questions below. A "no" on any of them means: you and/or your users are probably hackable.

1. Does your registrar protect your account beyond passwords and email?
2. Do you use the HttpOnly and Secure flags on your cookies?
3. Do you use HSTS?
4. Do you support TLS 1.2?
5. Do you use SSL/TLS for all sensitive communications?
6. Do you use Content Security Policy?
7. Do you use X-Frame-Options?
8. Do you isolate your database so that it cannot be connected to from the Internet?
9. Are your users' answers to secret questions computationally infeasible to guess?
10. Do you have an out-of-band method of performing password resets?
11. Do you have a method of ensuring no name collision with existing or previously deleted users?
12. Do you have methods to ensure cookies cannot collide?
13. Do you time out cookies on both the client and the server?
14. Do you verify account permissions on each request?
15. Do you use a sufficiently strong (cryptographic) random number generator?
16. Do you use sufficiently strong cookies (128-bit minimum)?
17. Do you use strong forms of authentication (e.g. 2FA) for both admins and users?
18. Do you have anti-automation to prevent brute force against both admin and user accounts?
19. Do you limit access to your admin console beyond just username/password?
20. Do you make sure not to leak source code on GitHub, in SVN repos, and so on?
21. Do you have a restrictive or non-existent crossdomain.xml file?
22. Do you use cryptographic nonces (e.g. CSRF tokens) to verify all inputs?
23. Do you sanitize user input against directory enumeration (path traversal)?
24. Do you sanitize all user input for database metacharacters?
25. Do you sanitize all user input for executable metacharacters?
26. Do you sanitize all user input for client-side metacharacters?

If you answered "yes" to all of the above: Is this true for all your websites? Yes: you are safe. No: you are probably safe.
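The header and cookie items on the checklist (HttpOnly/Secure flags, HSTS, Content Security Policy, X-Frame-Options, client-side cookie timeouts, 128-bit session identifiers from a strong RNG) can be checked mechanically against a captured HTTP response. The Python below is an added example, not WhiteHat's code and not part of the original infographic. The sample response headers are constructed, the session cookie name "session" is an assumption passed as a parameter, and the entropy figure only bounds what the token's encoding can carry; it says nothing about the generator behind it.

```python
"""Check one HTTP response against the header and cookie items of the checklist.

Added example, not WhiteHat's code. SAMPLE_HEADERS is a constructed response;
the session cookie name is an assumption passed as a parameter.
"""
import math
import re
import secrets
from typing import Dict, List, NamedTuple

MIN_COOKIE_BITS = 128  # the checklist's minimum for session identifiers


class Cookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, str]  # lower-cased attribute -> value ("" for bare flags)


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr; Attr=val' into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def cookie_value_bits(value: str) -> float:
    """Upper bound on the entropy a token's encoding can carry.

    Decimal carries ~3.3 bits per character, hex 4, base64/urlsafe 6. A long
    token can still be predictable, so this cannot replace reviewing the RNG.
    """
    body = value.rstrip("=")
    if body.isdigit():
        return len(body) * math.log2(10)
    if re.fullmatch(r"[0-9a-fA-F]+", body):
        return len(body) * 4
    if re.fullmatch(r"[A-Za-z0-9+/_-]+", body):
        return len(body) * 6
    return len(body) * math.log2(max(len(set(body)), 2))


def _directive(csp: str, name: str) -> List[str]:
    """Return the source list of one CSP directive, or [] if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return []


def audit_response(headers: Dict[str, List[str]],
                   session_cookie: str = "session") -> Dict[str, bool]:
    """Map checklist items to pass/fail for one response.

    `headers` maps a header name to the list of values seen (Set-Cookie repeats).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: Dict[str, bool] = {}

    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", [""])[0], re.I)
    findings["hsts"] = bool(hsts) and int(hsts.group(1)) > 0

    csp = h.get("content-security-policy", [""])[0]
    findings["csp_present"] = bool(csp.strip())
    # script-src inherits from default-src when it is not set explicitly.
    script_src = _directive(csp, "script-src") or _directive(csp, "default-src")
    findings["csp_scripts_restricted"] = bool(script_src) and not (
        {"'unsafe-inline'", "*"} & set(script_src))

    xfo = h.get("x-frame-options", [""])[0].strip().upper()
    findings["clickjacking_protected"] = (
        xfo in ("DENY", "SAMEORIGIN") or bool(_directive(csp, "frame-ancestors")))

    cookies = [parse_set_cookie(c) for c in h.get("set-cookie", [])]
    findings["cookies_httponly_and_secure"] = bool(cookies) and all(
        "httponly" in c.attrs and "secure" in c.attrs for c in cookies)
    findings["cookies_expire_client_side"] = bool(cookies) and all(
        "max-age" in c.attrs or "expires" in c.attrs for c in cookies)
    session = [c for c in cookies if c.name == session_cookie]
    findings["session_cookie_128bit"] = bool(session) and all(
        cookie_value_bits(c.value) >= MIN_COOKIE_BITS for c in session)
    return findings


def new_session_cookie(name: str = "session", ttl: int = 1800) -> str:
    """Set-Cookie value: 128-bit id from the OS CSPRNG, flagged, with a client-side timeout."""
    token = secrets.token_hex(MIN_COOKIE_BITS // 8)
    return f"{name}={token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={ttl}"


def hardened_headers() -> Dict[str, List[str]]:
    """A response that passes every check above."""
    return {
        "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
        "Content-Security-Policy": ["default-src 'self'; frame-ancestors 'none'"],
        "X-Frame-Options": ["DENY"],
        "Set-Cookie": [new_session_cookie()],
    }


# Constructed sample: HSTS and CSP are set, but inline scripts are allowed,
# framing is uncontrolled, and a second cookie has no flags and no expiry.
SAMPLE_HEADERS: Dict[str, List[str]] = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Content-Security-Policy": ["default-src 'self'; script-src 'self' 'unsafe-inline'"],
    "Set-Cookie": [
        "session=3f9c2d1a7b6e4c0f9a1b2c3d4e5f6a7b; Path=/; HttpOnly; Secure; Max-Age=1800",
        "prefs=dark; Path=/",
    ],
}

if __name__ == "__main__":
    for item, ok in audit_response(SAMPLE_HEADERS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}")
    assert all(audit_response(hardened_headers()).values())
```

Run against a real site by feeding it the headers from a captured response (for example the output of curl -sI) as a name-to-list mapping. The server-side half of item 13 (session timeout on the server) and the TLS version in item 4 are not visible in response headers and need a session-store review and a TLS scan respectively.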