Website security

We check your website for security vulnerabilities. Choose one of the following packages to get started:

The graph in the left shows a summary of all the website security issues detected by our BASIC tests so far. The most critical ones are SQL and JavaScript injection even if they are not necessarily the most common. Not that the others are harmless at all. Dependent on the related website, all the vulnerability types can damage way too much. You should always fix all the occurred issues even if they appear to be hardly exploitable.

All the session hijacking and riding issues (caused by JS injection, click jacking, cross site request forgery [CSRF] and the like) aren't really a critical issue if there is not any value behind a user session. As soon as a site has an authenticated area and is affected by those issues, it is something that should be fixed asap. Our tests currently do not check anything within an authenticated area but we still make sure that CSRF issues are shown only if the site is using any kind of user session handling.

There is almost always a trade of between security and usability. In relation to including external scripts (that can lead to spyware and malware) we usually detect that the website owner values his ability to monetize the site through advertisement and getting as detailed statistics about his user behavior as possible over the users privacy and security. Dependent on your business model there may be ways to run the website without putting your own users at risk by 3rd parties.

How to prevent attacks

Having a secure website doesn't just include attackers not being able to talk to your SQL database, manipulate server-side running website scripts or even get full control over your server. No, it's also about the security of the website users. If an attacker is able to abuse your users through your website using different injection methods like cross site scripting, click jacking, cross site request forgery, business logic flaws or similar attacks, it can really hurt your business. How to make sure this isn't going to happen? Always validate all possible inputs and outputs by allowing only the needed characters (instead of filtering out the possibly dangerous ones) in relation to the proper channel. (Per example: If you know the value is a number then you should allow the characters 0-9 only.) That includes besides the typical user inputs (GET and POST parameters), everything else that the client sends to the server and also any type of value that is coming from the backend or an external site. That's essentially every value that isn't created by your server-side running script itself. Even if you do all the validation right there is still a chance for an attacker to abuse your website. So there is more to consider here: The input/output validation will of course not protect your website against any kind of business logic flaws, dDoS attacks or user misbehavior like giving their login to attackers (knowingly or by weak client security measures).

Even if a lot of the potential attacks can be prevented by having a security oriented website development design, running tests helps you to be sure you did it right and may find some issues you haven't thought of or just were not implemented right. On the other hand: If you haven't thought about security while designing your web application you'll likely be surprised how many issues your website has.

Let's run our tests and get to know the issues your website has in order to be able to fix them and increase the security level of your website.

We check your website for security vulnerabilities. Choose one of the following packages to get started: