

Show HN: Web Security Scanner - Can Your Site Score a 100%? - cddotdotslash

http://webscanner.tk/quickscan/

Hi! I made this project over the course of a week to help teach myself more about Django and web app development. I am studying computer security in school and web security is one of my passions. It is a tool that helps web developers ensure that they have implemented helpful security mechanisms like HTTPOnly flags, X-Frame-Options, etc.

There are hundreds of tools that offer to scan websites for things like cross-site scripting, mySQL injection, etc. This tool simply looks for information that is available via one or two GET requests (the headers, protocols, body, etc.). It does NOT attempt to fuzz or otherwise target the site (test parameters or try XSS payloads). I did this because I wanted to lower the barrier of entry.

Other tools require you to upload a file to your site, add some code or prove ownership. Since this site isn't exploiting anything, none of that is necessary. It's super simple to use and is aimed towards non-security people who still want to develop secure web applications.

This is a quick project! There's probably a lot of errors or things that behave weirdly (I once got a score of 110% but couldn't replicate it). If you want to check out the code, here it is, free and open-source: https://github.com/matthewdfuller/Web-Security-GUI

Feel free to leave feedback! I'm not looking to make any money (just learn!), so this is free and there are no ads.
======
mk3
Google maps plugin messes up my score as it's treated as inline JavaScript.
Otherwise it's a nice reference for quick fixes to increase website security.
People should also note that this is not a full penetration test, so getting
100% does not mean you are safe. To be frank you are never safe :)

------
fduran
Hi, my web site gets three warnings:

fail: X-Frame-Options header is not set.

fail: CSP header is not set.

fail: Inline JavaScript was found.

and a score of 0% (scan id: a4c9db4c-17fc-4599-9cac-7f3c7f92c9d9 ) and cnn.com
gets the same three warnings plus an extra one and a site grade of 36%.

~~~
aquark
What's the intrinsic risk in inline javascript? My site uses it to provide
page specific data and I'm not really seeing any obvious security risks with
it ... then again most security risks aren't obvious!

~~~
cddotdotslash
There's not a risk directly, but it conflicts with newer CSP (Content Security
Policy) headers. So you can set CSP to only allow external JS (to prevent XSS
through a parameter echoed on your page, for example). Then, it will block any
inline JS (including the injection). So it's not a security risk, just
something that helps prevent XSS through CSP.
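For readers who want to see what "passive" checks like the ones above (X-Frame-Options, CSP vs. inline JavaScript, HttpOnly cookie flags) look like in code, here is an added example that is not the scanner's own code. It assumes a response is just a dict of headers plus the body text, so it runs offline on a constructed sample; the regexes for spotting inline scripts are a heuristic, not a full HTML parser.

```python
import re
from http.cookies import SimpleCookie

# <script> tags with no src= attribute, and on*= event handler attributes (heuristic)
INLINE_SCRIPT = re.compile(r"<script\b(?![^>]*\bsrc=)[^>]*>", re.IGNORECASE)
INLINE_HANDLER = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def check_response(headers, body):
    """Return (check, passed, note) tuples for one fetched page; no requests are sent."""
    h = {k.lower(): v for k, v in headers.items()}
    results = []

    xfo = h.get("x-frame-options", "").upper()
    results.append(("X-Frame-Options", xfo in ("DENY", "SAMEORIGIN"),
                    "set" if xfo else "header is not set"))

    # A CSP only stops injected scripts if script-src exists and does not
    # re-allow inline code with 'unsafe-inline'.
    csp = h.get("content-security-policy", "")
    script_src = re.search(r"(?:^|;)\s*script-src\s+([^;]+)", csp)
    strict = bool(script_src) and "'unsafe-inline'" not in script_src.group(1)
    note = ("blocks inline scripts" if strict else
            "header is not set" if not csp else "script-src allows 'unsafe-inline'")
    results.append(("CSP", strict, note))

    has_inline = bool(INLINE_SCRIPT.search(body) or INLINE_HANDLER.search(body))
    results.append(("Inline JavaScript", not has_inline,
                    "found (a strict CSP would block it)" if has_inline else "none"))

    # Set-Cookie may appear several times; accept a list or a single string.
    cookies = h.get("set-cookie", [])
    for raw in [cookies] if isinstance(cookies, str) else cookies:
        for name, morsel in SimpleCookie(raw).items():
            results.append((f"Cookie {name} HttpOnly", bool(morsel["httponly"]),
                            "set" if morsel["httponly"] else "flag missing"))
    return results


def score(results):
    """Percentage of passed checks, rounded to an integer (never above 100)."""
    return round(100 * sum(1 for _, ok, _ in results if ok) / len(results))


SAMPLE_HEADERS = {  # constructed response, not from a real site
    "Content-Type": "text/html",
    "Set-Cookie": ["sessionid=abc123; Path=/; HttpOnly", "theme=dark; Path=/"],
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
SAMPLE_BODY = "<html><body><script>var page = {id: 7};</script></body></html>"

if __name__ == "__main__":
    for check, ok, note in check_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{'pass' if ok else 'fail'}: {check} ({note})")
    print(f"score: {score(check_response(SAMPLE_HEADERS, SAMPLE_BODY))}%")
```

The sample fails CSP because `'unsafe-inline'` re-enables exactly the inline scripts the policy is supposed to block, which is the trade-off discussed in this thread.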

------
dClauzel
No IPv6 support :(

~~~
cddotdotslash
You're saying you tried to scan an IPv6 address? Sorry I didn't even think of
that! I'll look into adding it.

