Website Security Audit

Website Security Audit

Security audit is a systematic search for vulnerabilities before attackers find them. It combines automated scanning and manual testing. The result is a prioritized list of vulnerabilities with specific remediation steps.

OWASP Top 10 — What We Check

A01: Broken Access Control — can unauthorized users access others' data? A02: Cryptographic Failures — are passwords stored in plain text, is HTTPS used everywhere? A03: Injection — SQL, NoSQL, OS Command injection A04: Insecure Design — logical vulnerabilities in business processes A05: Security Misconfiguration — open directories, default passwords A07: Identification and Authentication Failures — missing rate limiting, weak sessions

Automated Scanning

# OWASP ZAP: comprehensive web scanning
docker run -v $(pwd):/zap/wrk/:rw \
  ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://mysite.com \
  -r zap-report.html \
  -a  # active scanning

# Nikto: fast scanning
nikto -h https://mysite.com -output nikto-report.html -Format htm

# Nuclei: CVE template scanning
nuclei -u https://mysite.com -severity critical,high -o nuclei-results.txt

# SSL/TLS
testssl.sh --fast --html https://mysite.com

# Headers
curl -I https://mysite.com | grep -E "(X-Frame|X-XSS|Content-Security|Strict-Transport|X-Content-Type)"

Manual Testing

SQL Injection:

# Test all input points:
GET /users?id=1'  # if 500 — vulnerable
GET /search?q=1' OR '1'='1

# Verification with sqlmap (only on your own site!)
sqlmap -u "https://mysite.com/users?id=1" --dbs --batch

XSS:

# Basic payloads
<script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)

# In form fields, URL parameters, headers

IDOR (Insecure Direct Object Reference):

# After logging in as user1, try to get user2's data
curl -H "Cookie: session=user1_session" https://mysite.com/api/users/2/profile
curl -H "Cookie: session=user1_session" https://mysite.com/api/orders/other_user_order_id

Authentication:

# Brute force without blocking?
for i in {1..100}; do
  curl -s -o /dev/null -w "%{http_code}" \
    -d "[email protected]&password=wrong$i" \
    https://mysite.com/login
done | sort | uniq -c

# Predictable tokens?
# Weak JWT?
jwt-cracker <token> -d rockyou.txt

Security Headers: Checklist

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-{RANDOM}'; style-src 'self'; img-src 'self' data: https://cdn.mysite.com; frame-ancestors 'none';" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Verification Tools

# Mozilla Observatory
curl "https://http-observatory.security.mozilla.org/api/v1/analyze?host=mysite.com&rescan=true" \
  -X POST | jq '.grade'

# securityheaders.com API
curl "https://securityheaders.com/?q=mysite.com&followRedirects=on" -I | grep "X-Grade"

Audit Report

## Critical Vulnerabilities (require immediate remediation)

### CVE-001: SQL Injection in /api/search
- **CVSS:** 9.8 (Critical)
- **Vector:** Parameter `q` is not sanitized, entire database can be extracted
- **PoC:** `GET /api/search?q=1' UNION SELECT table_name FROM information_schema.tables--`
- **Remediation:** Parameterized queries

## High Vulnerabilities

### CVE-002: Missing rate limiting on /login
- **CVSS:** 7.5 (High)
- **Vector:** Unlimited password brute force
- **Remediation:** Fail2ban, CAPTCHA after 5 attempts, temporary IP blocking

Security audit of medium web application — 3–7 business days.