Инструменти за тестове и самообучение по информационна сигурност

The Secure Socket Layer (SSL) configuration lab

This is a cybersecurity lab that is offered by Wormly. You can refer to it at 

https://www.wormly.com/test_ssl 

It allows you to conduct a deep analysis of the SSL configuration of a web server. This is an important test since misconfigured SSL can introduce security vulnerabilities that can be exploited by cybercriminals to steal data that is stored, sent, or received by the server or can be exploited to carry out Denial of Service (DoS) attacks.
Additionally, a misconfigured SSL web server can slow down websites, thereby degrading a user's experience.

In this lab, a cybersecurity expert can identify the security configuration weaknesses or errors in web servers. It is important to note that SSL certificates are vital for securing communication between web clients and web servers. The SSL certificate ensures that all data that is exchanged between a web server and a browser is kept private and secure through encryption. Wormly offers a simplified interface where you can enter either the URL or public IP address of the web application whose SSL server is to be scanned. You can then click on the Start SSL test button to begin the test.

The tool provides important information about the SSL certificate that is in use, such as validity duration and trust level. The report also includes security information such as whether the encryption ciphers in use are strong, the public key size, the security protocols in use, and their version and performance information, such as SSL handshake size, TLS stateless resume, and SSL session cache. This information allows you to identify any weaknesses in SSL configuration so that appropriate measures can be taken to correct the weaknesses before criminals can exploit them. A cybersecurity expert will easily interpret and fix the errors that this tool highlights.

Източник: 

Cybersecurity: The Beginner'sGuide - Dr. Erdal Ozkaya

Инструменти за тестове и самообучение по информационна сигурност

Self-study cybersecurity lab

We will now discuss a number of online platforms that a cybersecurity professional can use for learning purposes. Some of the tools that will be covered are live and require authorization from the target to use. Therefore, exercise caution and do not run tests on highly sensitive or highly guarded websites. The end goal is to learn more about cybersecurity, so do focus on the results or reports given at the end of each exercise.

The cross-site scripting (XSS) lab

To begin with, a simple security lab that you can carry out is an XSS attack, which can be found at :

https://pentest-tools.com/website-vulnerability-scanning/xss-scanner-online

The XSS online scanner is a free online tool that is used for detecting XSS attacks and vulnerabilities on websites. In XSS attacks, hackers inject malicious JavaScript in trusted websites. The script can then be used to harm the affected websites and their visitors in a number of ways, such as by reading sensitive page content, injecting malicious scripts, cookie stealing, and website defacement.

The security lab is quite simple to carry out, since you are only expected to have a URL of a website to be scanned. The scanner will go through the provided website by trying to identify all the pages that have exploitable avenues for XSS attacks, such as contact forms and search boxes. The tool will then attempt XSS attacks on each of the potentially vulnerable pages. The scanner will then give a report of its findings concerning the XSS vulnerabilities that were found on the entire website.

The XSS scanner supports light and full scans. A light scan is less comprehensive as the maximum number of URLs that can be scanned is set at 20 and the maximum active scan duration is two minutes. The full scan is more comprehensive and can support a maximum of 500 URLs and a scan duration of 30 minutes.

To perform a scan, a user is required to provide three parameters:

1.The URL of the web application to be scanned
2.The type of scan
3.Confirmation that they have the authorization to scan the target application

It is important to note that the scanner generates HTTP requests that can be flagged as attacks on the server side, although they are not harmful. This is why you should mostly use the XSS Scanner on authorized targets to avoid prosecution for security violations. The tool provides a detailed report of identified XSS vulnerabilities or attacks. The report ca then be used to fix the vulnerabilities before attackers can exploit them.

Източник: 
Cybersecurity: The Beginner'sGuide - Dr. Erdal Ozkaya