Web security is something we should all be doing nowadays, because there are literally hundreds of different potential ways that any site can become compromised. You should regularly scan security vulnerabilities to stay safe from these sorts of potential problems – cross site scripting, vulnerable components, DOM-based vulnerabilities, SQL injections, cross site request forgery and crlf/xxe/http injections
Let’s face it, we don’t always scan security vulnerabilities as much as we should. It’s an easy task to overlook because so much needs to go into designing, testing, and marketing a website. We’re often more focused on success than safety, but that really is a false economy. It’s like building a fabulous house but forgetting to put a lock on the front door. Security underpins everything else you do with your property, so you can’t afford to let it slip. If you don’t scan security vulnerabilities, then the chances are good that someone, somewhere will find a way in and cause havoc. If you feel put off from thinking about security because it seems complicated, don’t worry. There are plenty of tools out there that will scan website security vulnerabilities for you. Some of them even offer free trials so you can road test them to see if they’re going to work for you:
SUCURI is free and its used widely to scan website for malware. It’s great at tracking down malware and scanning for security issues, and it will report on malware blacklisting status, show you points where SPAM has been injected, and point out instances where someone has made unwelcome changes to your site. If you’re using popular platforms such as WordPress, Joomla, Magento, Drupal, phpBB, then it’s going to work just fine for you.
Quttera can scan website for malware and possible exploits. It combs your website for potentially malicious and suspicious files, using PhishTank, Safe Browsing (Google, Yandex), and Malware domain list.
SSL Server Test by Qualys looks for SSL/TLS that has been configured wrongly and also for inherent weaknesses on your site. It can check your https:// URL including the date expires, its overall rating, cipher, SSL/TLS version, do a handshake simulation, look for protocol details, BEAST and other things too.
It’s important to run the Qualys test every time you make a change to SSL/TLS. It can scan security vulnerabilities or scan website for malware, so you’ll be assured that any changes you’ve made are safe.
Intruder is based in the cloud and it looks for weaknesses in the whole web app set-up. It’s engineered to deliver a level of security protection that makes it suitable for governments, banks and similar enterprises that call for high-end safety, and its scanning engine is simple to use as well.
Its comprehensive security features allow it to identify:
- absent patches
- incorrect configurations
- web application issues including SQL injection and cross-site scripting
- CMS problems
Intruder can scan website security vulnerabilities and put results in order of priority according to their context to save you time. It can also proactively scan your systems for the most recently identified weaknesses. It can integrate with major cloud providers (AWS, GCP, Azure) as well as Slack and Jira.
Ethical hackers lend their expertise to ensure Detectify keeps your website and web apps secure with automatic security and monitoring of assets. It can identify upwards of 1500 potential threats.
It can scan for vulnerable points with OWASP Top 10, CORS, Amazon S3 Bucket, and misconfigured DNS. It has Asset Monitoring and it keeps a non-stop eye on your subdomains, searching for takeovers and alerting you if anything anomalous is picked up.
Detectify’s pricing plans come in three flavors, called Starter, Professional, and Enterprise and they all come with a two-week free trial, no credit card needed.
UpGuard Web Scan can assess risk using information that’s publicly available. It can organize test results into these groupings:
- website threats
- email threats
- network security
- malware and phishing
- brand defense
It’s great at quickly giving you insights about where your website is at the moment, security-wise.
This scanner is just one of many tools on offer from Pentest-Tools. It can gather information, test web apps, CMS, infrastructure, and SSL. Its main purpose is to find the most frequently-occurring web app vulnerabilities and problems with server configuration.
There’s a basic version that does passive web security scanning, and it’s adept at finding things like unsafe cookie settings, unsafe HTTP headers, and out-of-date server software. It will grant you two full scans for free, and that will be enough to give you a very good overview of any problems with things like local file inclusion, SQL injection, OS command injection, and XSS, for example.
Mozilla has launched Observatory, which can scan website for malware and has other security features. It validates the security of OWASP headers, checks TLS best practices and carries out third-party tests from SSL Labs, High-Tech Bridge, Security Headers, HSTS Preload, and others.
All of these powerful tools can give you a great deal of insight into the kind of vulnerabilities that might affect your website, and enough of them have free offers that you’ll be able to decide which of them will serve you best.