Recently I am trying to improve my knowledge on both general security and web security concepts. I was going through technical articles, blogs, and pluralsight courses. Also started attending the monthly OWASP tech meetup, where they mainly discuss on the security concepts and related technologies.

In Pluralsight, there are lot of security courses authored by Troy Hunt, where he clearly explains the concepts in a simple manner. Even in his blog, there are wonderful articles. I learned a lot from his courses and articles.

This ASafaWeb, is the tool developed by Troy Hunt, for specifically analyzing the ASP.NET websites for any security risks. This tool can analyze the vulnerabilities of the hosted site, and also it doesn’t require any access to the code. It mainly send some extra HTTP requests to the given site URL, and give us the report by analyzing the responses.

The security check is mainly done for the following,

  1. Tracing
  2. Custom Errors
  3. Stack Trace
  4. Request Validation
  5. HTTP to HTTPS redirect
  6. Hash DoS patch
  7. ELMAH log
  8. Excessive Headers
  9. HTTP only cookies
  10. Secure cookies
  11. Clickjacking
  12. View state MAC

ASafaWeb only checks for the common configuration related vulnerabilities, but there are many other security related aspects, like SQL injection, Cross Site Scripting, and Cross-Site Request Forgery, etc..

So for what are we waiting, just go to ASafaWeb, and enter your ASP.NET website URL, and click on Scan to get the report. We can also Schedule the scans, but we need to register for that. Currently it is in Beta stage.