Show HN: Web Security Scanner - Can Your Site Score a 100%?

7 points by cddotdotslash ↗ HN
http://webscanner.tk/quickscan/

Hi! I made this project over the couse of a week to help teach myself more about Django and web app development. I am studying computer security in school and web security is one of my passions. It is a tool that helps web developers ensure that they have implemented helpful security mechanisms like HTTPOnly flags, X-Frame-Options, etc.

There are hundreds of tools that offer to scan websites for things like cross-site scripting, mySQL injection, etc. This tool simply looks for information that is available via one or two GET requests (the headers, protocols, body, etc.). It does NOT attempt to fuzz or otherwise target the site (test parameters or try XSS payloads). I did this because I wanted to lower the barrier of entry.

Other tools require you to upload a file to your site, add some code or prove ownership. Since this site isn't exploiting anything, none of that is necessary. It's super simple to use and is aimed towards non-security people who still want to develop secure web applications.<p>This is a quick project! There's probably a lot of errors or things that behave weirdly (I once got a score of 110% but couldn't replicate it). If you want to check out the code, here it is, free and open-source: https://github.com/matthewdfuller/Web-Security-GUI

Feel free to leave feedback! I'm not looking to make any money (just learn!), so this is free and there are no ads.

6 comments

[ 3.2 ms ] story [ 22.0 ms ] thread
No IPv6 support :(
You're saying you tried to scan an IPv6 address? Sorry I didn't even think of that! I'll look into adding it.
Google maps plugin messes my score as it's treated as in line javascript. Otherwise it's nice reference for quick fixes to increase website security. People should also note that this is not full penetration test, so getting 100% does not mean you are safe. To be frank you are never safe :)
Hi, my web site gets three warnings:

fail: X-Frame-Options header is not set.

fail: CSP header is not set.

fail: Inline JavaScript was found.

and a score of 0% (scan id: a4c9db4c-17fc-4599-9cac-7f3c7f92c9d9 ) and cnn.com gets the same three warnings plus an extra one and a site grade of 36%.

What's the intrinsic risk in inline javascript? My site uses it to provide page specific data and I'm not really seeing any obvious security risks with it ... then again most security risks aren't obvious!
There's not a risk directly, but it conflicts with newer CSP (Content Security Policy) headers. So you can set CSP to only allow external JS (to prevent XSS through a parameter echoed on your page, for example). Then, it will block any inline JS (including the injection). So it's not a security risk, just something that helps prevent XSS through CSP.