At Berezha Security we provide high-quality Application Security services, and web application security assessments make up a large portion of what we do. However, not every visitor to our website is looking for a full-scale web application pentest; some want a quick and straightforward way to check their website security without hiring security experts. We could ignore those requests, but we think that would be irresponsible. So here are a few simple tips and tricks you can use to quickly check your website security.
Many online services offer passive or active security checks. If your website has been connected to the internet for a while, chances are that several internet-wide scanning services have already noticed it. Some of them let you search their pre-scanned databases, while others let you run benign vulnerability scans against your host. Checking your domain name against their data is a reasonable first security check-up; just keep in mind that the results reflect the moment of their last scan, not necessarily the current state of your server.
VirusTotal
VirusTotal is a service owned by Google that runs dozens of antivirus engines against files and URLs you submit to it. By scanning thousands of suspicious files daily, VT finds infected ones and shares new samples with antivirus vendors. It also collects information about how malicious actors spread malware and remotely control infected systems. So, it is a good idea to check whether your website has been caught serving malware or running a Command & Control (C&C or C2) server: https://www.virustotal.com/gui/home/url. Note that a clean result only means that none of the engines has flagged the URL; it does not prove the site is clean.
Censys and Shodan
Censys and Shodan are two outstanding internet scanning services. They continuously scan the entire public IPv4 address space and store the results in a searchable form. Scan results show the assumed geographical location of the system, registry information, and the publicly reachable services it runs, usually with the banner each service returned. So, if someone has compromised your server and started using it in an unauthorized manner (e.g., serving malware or sending spam), signs of it will often show up there. For instance, if you did not plan to use your server as a mail relay or a web proxy, ports 25 and 8080 should not be open. Because these are snapshots from the last scan, confirm anything surprising with a quick scan of your own before acting on it. Check your website with Censys (https://censys.io) and Shodan (https://shodan.io) and read through the results to learn more.
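As an added example (not part of the original post), here is a small Python script that compares the ports a scanning service reports for your host against the services you actually intend to expose, and then confirms any surprise with a live TCP connect check, since scan data may be stale. The host record, the expected-port list and the list of suspicious ports are constructed for illustration; 203.0.113.10 is a documentation address, not a real host.

```python
import socket

# Constructed example: the only services this web server is supposed to expose.
EXPECTED_PORTS = {80, 443}

# Ports whose presence on a plain web server is a common sign of abuse
# (mail relay, open proxy) or of a service that should never face the internet.
SUSPICIOUS_PORTS = {
    25: "SMTP: the host may be relaying spam",
    465: "SMTPS: the host may be relaying spam",
    587: "SMTP submission: the host may be relaying spam",
    1080: "SOCKS proxy",
    3128: "HTTP proxy (Squid default)",
    8080: "HTTP proxy or alternate web port",
    3306: "MySQL reachable from the internet",
    6379: "Redis reachable from the internet",
}


def audit_exposure(observed_ports, expected_ports=EXPECTED_PORTS):
    """Compare observed open ports with the intended ones.

    Returns (unexpected, missing): unexpected is a sorted list of
    (port, reason) for ports that should not be open; missing lists
    expected ports the scan did not see (e.g. a stale or partial scan).
    """
    observed = set(observed_ports)
    expected = set(expected_ports)
    unexpected = [
        (port, SUSPICIOUS_PORTS.get(port, "not in the list of intended services"))
        for port in sorted(observed - expected)
    ]
    missing = sorted(expected - observed)
    return unexpected, missing


def tcp_connect_scan(host, ports, timeout=1.0):
    """Return the subset of `ports` that currently accept a TCP connection.

    A plain connect() scan from your own machine; use it to confirm that a
    port reported by Censys or Shodan is really open right now.
    """
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except OSError:
                continue  # refused, filtered, or timed out
            open_ports.add(port)
    return open_ports


# Constructed record in the shape of a Shodan host result (only the fields
# used here). 203.0.113.10 is a documentation address, not a real host.
SAMPLE_HOST = {"ip_str": "203.0.113.10", "ports": [22, 80, 443, 25, 8080]}

if __name__ == "__main__":
    unexpected, missing = audit_exposure(SAMPLE_HOST["ports"], EXPECTED_PORTS | {22})
    for port, reason in unexpected:
        print(f"{SAMPLE_HOST['ip_str']}:{port} open but not intended: {reason}")
    for port in missing:
        print(f"{SAMPLE_HOST['ip_str']}:{port} expected but not seen in scan data")
    # Confirm against the live host before acting on stale scan data
    # (replace with your own host; the documentation address will just time out).
    live = tcp_connect_scan(SAMPLE_HOST["ip_str"], [p for p, _ in unexpected])
    print("confirmed open right now:", sorted(live) or "none")
```

Run it against your own host with a list of the ports you consciously expose; anything left over in `unexpected` that the connect check confirms is worth a look in the server's process list and firewall rules.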
HTTPS and Security Headers
Neither the Web nor HTTP, its primary protocol, was built with security in mind, so it is no surprise that we have to compensate with many retrofitted fixes. HTTPS is one example: a secure layer (TLS, the S in HTTPS) wrapped around an insecure base (HTTP). HTTPS lets browsers verify a web server's identity, so we do not easily fall prey to impersonation and man-in-the-middle attacks, and it encrypts our traffic so no one between us and the website can read or tamper with it. However, like any cryptographic tool, HTTPS is easy to get wrong (expired or mismatched certificates, obsolete protocol versions, weak cipher suites), and you can check the security level of your web server's TLS configuration with the SSL Labs scanning tool: https://www.ssllabs.com/ssltest/.
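As an added example (not part of the original post, and not how SSL Labs itself works), the following Python script probes a server for two of the problems an SSL Labs report would flag: acceptance of deprecated TLS versions, and a certificate that fails browser-style validation or is close to expiry. It uses only the standard library. The `assess_tls` thresholds (two weeks before expiry, TLS 1.3 expected) are this example's own assumptions, and the script needs network access to a host you are allowed to test.

```python
import datetime
import socket
import ssl

# Protocol versions to probe, oldest first.
TLS_VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {version name: True/False} for the versions the server accepts.

    Each probe pins the client to exactly one version, so a successful
    handshake means the server still speaks that version.
    """
    accepted = {}
    for name, version in TLS_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # only negotiation is tested here
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            if version < ssl.TLSVersion.TLSv1_2:
                # Modern OpenSSL refuses legacy versions at its default
                # security level; lower it for this probe only.
                try:
                    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
                except ssl.SSLError:
                    pass  # builds without security levels (e.g. LibreSSL)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted[name] = True
        except (ssl.SSLError, OSError, ValueError):
            accepted[name] = False
    return accepted


def certificate_days_left(host, port=443, timeout=5.0):
    """Validate chain and hostname as a browser would; return days until expiry.

    Raises ssl.SSLCertVerificationError if the chain or name does not check out.
    """
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = datetime.datetime.now(datetime.timezone.utc).timestamp()
    return int((not_after - now) // 86400)


def assess_tls(accepted, days_left):
    """Turn probe results into findings (thresholds are this example's own)."""
    findings = []
    for name in ("TLS 1.0", "TLS 1.1"):
        if accepted.get(name):
            findings.append(f"{name} accepted: deprecated by RFC 8996, disable it")
    if not (accepted.get("TLS 1.2") or accepted.get("TLS 1.3")):
        findings.append("neither TLS 1.2 nor TLS 1.3 accepted: current browsers will refuse to connect")
    elif not accepted.get("TLS 1.3"):
        findings.append("TLS 1.3 not offered: enable it for mandatory forward secrecy and faster handshakes")
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < 14:
        findings.append(f"certificate expires in {days_left} days: renew now")
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    accepted = probe_tls_versions(host)
    days = certificate_days_left(host)
    for name, ok in accepted.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    for finding in assess_tls(accepted, days):
        print("finding:", finding)
```

A "rejected" result for TLS 1.0 or 1.1 can also mean your own OpenSSL build refused to offer it, so treat the legacy probes as a hint and let SSL Labs confirm; the certificate check, by contrast, is exactly what a browser does and a failure there is a real problem.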
Another attempt to fix HTTP's insecurity is the set of security headers you can configure on the web server. These headers instruct browsers how to treat the data (and code) they receive from your website: whether to insist on HTTPS from now on (Strict-Transport-Security), where scripts may be loaded from (Content-Security-Policy), whether other sites may embed your pages in a frame, and so on. Configured well, they raise your website's security level and can blunt XSS and clickjacking attacks against your visitors. Check your web server's security headers and learn how to configure them: https://securityheaders.com/.
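As an added example (not part of the original post, and not the scoring logic of securityheaders.com), here is a Python checker that applies the most common header checks offline to a dict of response headers, with a constructed "default" response beside a hardened one so the difference is visible. The thresholds and wording of the findings are this example's own; the nonce value in the hardened sample is a placeholder for one generated fresh on every response.

```python
import urllib.request

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age worth having


def parse_directives(value):
    """Split an HSTS-style value ('max-age=300; includeSubDomains') into a dict."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out


def parse_csp(value):
    """Split a Content-Security-Policy into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_security_headers(headers):
    """Return a list of (header, problem); an empty list means every check passed."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing: browsers will still follow plain-HTTP links to this host"))
    else:
        d = parse_directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(("Strict-Transport-Security", f"max-age={max_age} is short; use at least {ONE_YEAR} (one year)"))
        if "includesubdomains" not in d:
            findings.append(("Strict-Transport-Security", "includeSubDomains not set; subdomains stay reachable over HTTP"))

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append(("Content-Security-Policy", "missing: no browser-side limit on where scripts may load from"))
    else:
        script_src = policy.get("script-src", policy.get("default-src"))  # script-src falls back to default-src
        if script_src is None:
            findings.append(("Content-Security-Policy", "neither script-src nor default-src: scripts may load from anywhere"))
        else:
            nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src)
            if "'unsafe-inline'" in script_src and not nonce_or_hash:  # a nonce or hash makes browsers ignore it
                findings.append(("Content-Security-Policy", "'unsafe-inline' without a nonce or hash: injected inline scripts still run"))
            if any(s in ("*", "http:", "https:") for s in script_src):
                findings.append(("Content-Security-Policy", "wildcard script source: any host can supply scripts"))
            if "'unsafe-eval'" in script_src:
                findings.append(("Content-Security-Policy", "'unsafe-eval' lets injected strings reach eval()"))

    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append(("X-Frame-Options", "missing, and CSP has no frame-ancestors: the page can be framed (clickjacking)"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "not 'nosniff': browsers may sniff responses into scripts or stylesheets"))
    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "missing: full URLs, query strings included, leak in the Referer header"))
    return findings


# Constructed sample responses: a typical default setup and a hardened one.
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    # 'nonce-r4nd0m' stands for a value generated fresh for every response.
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def fetch_headers(url):
    """Fetch the final response headers of a live URL (redirects are followed)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers)


if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_HEADERS
    for name, problem in check_security_headers(headers):
        print(f"{name}: {problem}")
```

Run without arguments it reports six problems for the weak sample and none for the hardened one; run with a URL it checks your live site. The hardened values are the ones to put into your server configuration (`add_header` directives in an nginx server block, `Header set` in Apache); the CSP in particular must be tuned to the scripts your pages really load, which is why a report-only rollout is the usual first step.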
There are also many ways to test your website security with tools you run yourself, such as vulnerability scanners, but that is a whole other story.