8 Essential Tips to Secure Your Web Application Server

As a web application owner, how do you ensure your site is protected from online threats and does not leak sensitive information?

If you’re using a cloud-based security solution, then regular vulnerability scanning is most likely part of the plan. However, if this is not the case, you should perform a routine analysis and take the necessary measures to mitigate the risks.


There are two types of scanner:



Commercial – gives you the option to automate scanning for ongoing security, with reports, alerts, detailed mitigation instructions, etc. Some of the well-known names in the industry are:

Open source / Free – you can download and run a security scan on demand. Not all of them cover as wide a range of vulnerabilities as a commercial scanner.

Let’s take a look at the following open source web vulnerability scanners.

Arachni, a high-performance security scanner written in Ruby for modern web applications, is available as a portable binary for Mac, Windows, and Linux.

Arachni handles not just basic static websites or CMSs; it fingerprints the following platforms and performs both active and passive checks:

Windows, Solaris, Linux, BSD, Unix

Nginx, Apache, Tomcat, IIS, Jetty
Java, Ruby, Python , ASP, PHP
Django, Rails, CherryPy, CakePHP, ASP.NET MVC, Symfony
Some of the vulnerabilities it detects are:

NoSQL / Blind / SQL / Code / LDAP / Command / XPath injection
Cross-site request forgery
Path traversal
Local/remote file inclusion
Response splitting
Cross-site scripting
Unvalidated DOM redirects
Source code disclosure
Audit reports can be generated in HTML, XML, text, JSON, YAML, and other formats.

Arachni allows you to take scanning to the next level by taking advantage of plugins. Check out the full features of Arachni and download it to try it out.

XssPy, a Python-based XSS (cross-site scripting) vulnerability scanner, is used by many organizations, including Microsoft, Stanford, Motorola, Informatica, etc.

Faizan Ahmad’s XssPy is a smart tool that does one thing quite well. Instead of checking only the home page or a given page, it checks every link on the website.

XssPy also checks subdomains, so nothing is left out.

w3af, an open source project started in late 2006, is written in Python and is available on Linux and Windows. w3af can detect more than 200 vulnerabilities, including the OWASP Top 10.

w3af lets you inject payloads into headers, URLs, cookies, query strings, POST data, etc. to exercise the web application for auditing. It supports various logging methods for reports, for instance:

It is built on a plugin architecture, and you can see all the available plugins here.

Nikto, an open source project sponsored by Netsparker, aims to find web server configuration errors, vulnerable plugins and web vulnerabilities. Nikto performs a comprehensive test against more than 6500 risk items.
