Janis Weiss, profile picture
Uploaded byJanis Weiss
96 views

WHS-hackability-Index-083013

This document is a checklist that assesses how hackable a website may be. It asks a series of yes or no questions about the website's security practices, such as whether it uses HTTPS, implements content security policies, protects against brute force attacks, and sanitizes user input. Based on the answers, it determines whether the site is likely safe, probably safe, or hackable. The goal is to help website owners evaluate their security posture.

Embed presentation

Download to read offline
Copyright © 2013 WhiteHat Security, Inc. | 3970 Freedom Circle | Santa Clara, CA 95054 | 408.343.8300 | www.whitehatsec.com Hackability Index: How hackable is your website? Youand/oryourusersareprobablyhackable. Doyouhaveawebsite? YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO You are safe. You are probably safe. YES NO Is this true for all your websites? Does your registrar protect your account beyond using passwords and emails? Do you use HTTPOnly and Secure flags on your cookies? Do you use HSTS? Do you support TLS 1.2? Do you use SSL/TLS for all sensitive communications? Do you use Content Security Policy? Do you use X-Frame Options? Do you do isolate your database from being connected to from the Internet? Are your users’ answers to secret questions computationally impossible to guess? Do you have an out of band method of performing password resets? Do you have a method of ensuring no name collision with existing or previously deleted users? Do you have methods to ensure cookies cannot collide? Do you time out cookies both on the client and server? Do you verify account permission on each request? Do you use a sufficiently strong random number generator? Do you use sufficiently strong cookies (128bit minimum)? Do you use strong forms of authentication (E.g. 2FA) for both admin and users? Do you have anti-automation to prevent brute force for both admin and users? Do you limit acces to your admin console beyond just username/password? Do you make sure not to leak source code on github, in svn repros and so on? Do you have a restrictive or non-existent crossdomain.xml file? Do you use crytographic nonces to verify all inputs? Do you sanitize user input for director enumeration? Do you sanitize all user input for database meta characters? Do you sanitize all user input for executable meta characters? Do you sanitize all user input for client side meta characters?

More Related Content

PPTX
Xss attack
byManjushree Mashal
 
PPTX
4 . future uni presentation
byRashid Khatmey
 
PDF
Web Development Security
byRafael Monteiro
 
DOC
What are ssl certificate that protects website
byjamesbarns729
 
PPT
C:\fakepath\wg xcs emailsecurity 170 370 570
byYustinus Simon
 
PPT
XCS - Watchguard
byINSPIRIT BRASIL
 
PPTX
Encryption 101 for Nonprofits
byCommunity IT Innovators
 
PDF
Web Site vulnerability Sales and Consulting
byguest4cee27ac
 
Xss attack
byManjushree Mashal
 
4 . future uni presentation
byRashid Khatmey
 
Web Development Security
byRafael Monteiro
 
What are ssl certificate that protects website
byjamesbarns729
 
C:\fakepath\wg xcs emailsecurity 170 370 570
byYustinus Simon
 
XCS - Watchguard
byINSPIRIT BRASIL
 
Encryption 101 for Nonprofits
byCommunity IT Innovators
 
Web Site vulnerability Sales and Consulting
byguest4cee27ac
 

What's hot

PDF
Secure at Speed @ Solent.tech
byStuart Gunter
 
PPTX
Security hardening and drown attack prevention for mobile backend developers
byJiri Danihelka
 
PPTX
Top 10 security risks for mobile backend developers
byJiri Danihelka
 
PPTX
Check your network security
byYour Virtual CTO
 
PDF
XSS and Broken authentication
byAgalyaD
 
PDF
Cyber security considerations for Small and Medium Businesses
byebusinessmantra
 
PPTX
HTTP vs HTTPS Difference
byReal Estate
 
PPTX
Information on Brute Force Attack
byHTS Hosting
 
PPT
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
byTony Perez
 
PDF
Checklist for Preventing Ransomware
byOptimum Healthcare IT
 
PPTX
Web security by khubaib
byKhubaib Ahmad Kunjahi
 
PPTX
2 . web app s canners
byRashid Khatmey
 
PPT
Cyber Security Awareness - file 2 of 2
byMohammad Ashfaqur Rahman
 
PDF
Introduction To Web security
byYasserElsnbary
 
DOCX
Randall granlund resume
byRandall Granlund
 
PDF
Will My SaaS Provider Leak My Corporate Data? - Collaborate '15 Presentation
bySnag
 
PPS
Safe netizens
byRohit Srivastwa
 
PPT
Mule anypointenterprisesecurity
byhimajareddys
 
PPTX
The Windows Password Policy is Not Enough
bynFront Security
 
PDF
1 hellman-mar16
byNational Information Standards Organization (NISO)
 
Secure at Speed @ Solent.tech
byStuart Gunter
 
Security hardening and drown attack prevention for mobile backend developers
byJiri Danihelka
 
Top 10 security risks for mobile backend developers
byJiri Danihelka
 
Check your network security
byYour Virtual CTO
 
XSS and Broken authentication
byAgalyaD
 
Cyber security considerations for Small and Medium Businesses
byebusinessmantra
 
HTTP vs HTTPS Difference
byReal Estate
 
Information on Brute Force Attack
byHTS Hosting
 
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
byTony Perez
 
Checklist for Preventing Ransomware
byOptimum Healthcare IT
 
Web security by khubaib
byKhubaib Ahmad Kunjahi
 
2 . web app s canners
byRashid Khatmey
 
Cyber Security Awareness - file 2 of 2
byMohammad Ashfaqur Rahman
 
Introduction To Web security
byYasserElsnbary
 
Randall granlund resume
byRandall Granlund
 
Will My SaaS Provider Leak My Corporate Data? - Collaborate '15 Presentation
bySnag
 
Safe netizens
byRohit Srivastwa
 
Mule anypointenterprisesecurity
byhimajareddys
 
The Windows Password Policy is Not Enough
bynFront Security
 
1 hellman-mar16
byNational Information Standards Organization (NISO)
 

Viewers also liked

PDF
CV-Alija Sosevic
byAlija Sosevic
 
PDF
Jawaban osk geografi 2016
byRosmalia Eva
 
PPTX
Mapa conceptual sobre Gerencia de Proyectos y Ciclo de Vida de un Proyecto.
byJUAN PADILLA
 
PDF
Business Development Lending
byAndrea Smith
 
PPT
չարենց
bykleopatraegipet
 
PDF
Конфликт. цена вопроса
byElena Urusova
 
PDF
Organigrama mj
byLuisFer MarLo
 
PPTX
Україна незалежна. Конституція України.
byIrinaKusch
 
PPT
Досвід роботи Прищепи Л.І.
byКиїв Київ
 
PDF
Shadow and Light Photog. Mag. 2015
byLena Edstrom
 
PDF
Resume
byNick Murdic
 
PDF
Keegan Law - Boston Criminal Defense Attorney
byJose Cash
 
PPTX
Mapa gerencia de proyectos tec. edu.
byLeonel Medina Marroquin
 
DOCX
5 niz-5
byTomislavladan
 
CV-Alija Sosevic
byAlija Sosevic
 
Jawaban osk geografi 2016
byRosmalia Eva
 
Mapa conceptual sobre Gerencia de Proyectos y Ciclo de Vida de un Proyecto.
byJUAN PADILLA
 
Business Development Lending
byAndrea Smith
 
չարենց
bykleopatraegipet
 
Конфликт. цена вопроса
byElena Urusova
 
Organigrama mj
byLuisFer MarLo
 
Україна незалежна. Конституція України.
byIrinaKusch
 
Досвід роботи Прищепи Л.І.
byКиїв Київ
 
Shadow and Light Photog. Mag. 2015
byLena Edstrom
 
Resume
byNick Murdic
 
Keegan Law - Boston Criminal Defense Attorney
byJose Cash
 
Mapa gerencia de proyectos tec. edu.
byLeonel Medina Marroquin
 
5 niz-5
byTomislavladan
 

Similar to WHS-hackability-Index-083013

PPTX
Security is not a feature
byElizabeth Smith
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
PDF
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
PPTX
Web security for app developers
byPablo Gazmuri
 
PPTX
Best practices of web app security (samvel gevorgyan)
byClubHack
 
PDF
How to Ensure You're Launching the Most Secure Website - Michael Tremante
byWP Engine
 
PDF
WhiteHat Security "Website Security Statistics Report" (Q1'09)
byJeremiah Grossman
 
PDF
Web application security (eng)
byAnatoliy Okhotnikov
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PPT
Secure code practices
byHina Rawal
 
PDF
OWASPTop 10
byInnoTech
 
PPTX
Security guidelines for web development
bykumar gaurav
 
PPTX
Securing your web apps now
byStephan Steynfaardt
 
PPT
Web Application Security: The Land that Information Security Forgot
byJeremiah Grossman
 
PPT
Attacking Web Applications
bySasha Goldshtein
 
PDF
Owasp top 10_openwest_2019
bySean Jackson
 
PDF
Top 10 Web Application vulnerabilities
byTerrance Medina
 
PPT
Website Security
byMODxpo
 
PPT
Website Security
byCarlos Z
 
Security is not a feature
byElizabeth Smith
 
Web Security: What's wrong, and how the bad guys can break your website
byAndrew Sorensen
 
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
Web security for app developers
byPablo Gazmuri
 
Best practices of web app security (samvel gevorgyan)
byClubHack
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
byWP Engine
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
byJeremiah Grossman
 
Web application security (eng)
byAnatoliy Okhotnikov
 
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
Owasp top 10 2013
byEdouard de Lansalut
 
Secure code practices
byHina Rawal
 
OWASPTop 10
byInnoTech
 
Security guidelines for web development
bykumar gaurav
 
Securing your web apps now
byStephan Steynfaardt
 
Web Application Security: The Land that Information Security Forgot
byJeremiah Grossman
 
Attacking Web Applications
bySasha Goldshtein
 
Owasp top 10_openwest_2019
bySean Jackson
 
Top 10 Web Application vulnerabilities
byTerrance Medina
 
Website Security
byMODxpo
 
Website Security
byCarlos Z
 

WHS-hackability-Index-083013

  • 1.
    Copyright © 2013WhiteHat Security, Inc. | 3970 Freedom Circle | Santa Clara, CA 95054 | 408.343.8300 | www.whitehatsec.com Hackability Index: How hackable is your website? Youand/oryourusersareprobablyhackable. Doyouhaveawebsite? YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO YES NO You are safe. You are probably safe. YES NO Is this true for all your websites? Does your registrar protect your account beyond using passwords and emails? Do you use HTTPOnly and Secure flags on your cookies? Do you use HSTS? Do you support TLS 1.2? Do you use SSL/TLS for all sensitive communications? Do you use Content Security Policy? Do you use X-Frame Options? Do you do isolate your database from being connected to from the Internet? Are your users’ answers to secret questions computationally impossible to guess? Do you have an out of band method of performing password resets? Do you have a method of ensuring no name collision with existing or previously deleted users? Do you have methods to ensure cookies cannot collide? Do you time out cookies both on the client and server? Do you verify account permission on each request? Do you use a sufficiently strong random number generator? Do you use sufficiently strong cookies (128bit minimum)? Do you use strong forms of authentication (E.g. 2FA) for both admin and users? Do you have anti-automation to prevent brute force for both admin and users? Do you limit acces to your admin console beyond just username/password? Do you make sure not to leak source code on github, in svn repros and so on? Do you have a restrictive or non-existent crossdomain.xml file? Do you use crytographic nonces to verify all inputs? Do you sanitize user input for director enumeration? Do you sanitize all user input for database meta characters? Do you sanitize all user input for executable meta characters? Do you sanitize all user input for client side meta characters?