The Daily WTF: Curious Perversions in Information Technology

With launch only 2 days away..

Last post 07-18-2008 3:49 PM by ubrious. 8 replies.
  • 07-02-2008 10:55 AM

    • vices
    • Not Ranked
    • Joined on 07-02-2008
    • Posts 3

    With launch only 2 days away..

    I need to make sure the site is secure, what are some ways I can test this?  My boss is in a rush because of the deadline and he mentioned to test out javascript, like <script>alert('SUCKS')</script>  for example.  (Which works, by the way.)

     The site isn't launched yet, so I can't release the name or server.  You'll all get your chance to take it down in a couple days ;)

     Until then, could anyone drop a few methods they would use that we can get a head start on testing/fixing ?

     

    Thanks!

  • 07-02-2008 11:00 AM In reply to

    Re: With launch only 2 days away..

    Um, WTF does the site do? What are you trying to test? Based upon your incredibly vague question, I can provide this incredibly vague answer: Did you try the thing with the stuff?
  • 07-02-2008 11:11 AM In reply to

    • vices
    • Not Ranked
    • Joined on 07-02-2008
    • Posts 3

    Re: With launch only 2 days away..

     Right :)

    It's a pretty typical site, written in Ruby with Merb + Datamapper.  It's got person signup, typical database item creation with user input, image uploads, it's got the cute google map widget, and some custom forums. What other info would be helpful?

  • 07-02-2008 11:29 AM In reply to

    Re: With launch only 2 days away..

    vices:
    What other info would be helpful?
    What kind of security are you checking? Presumably not at the httpd or server levels, right? So you're probably interested in XSS and SQL injection type stuff?
  • 07-02-2008 11:46 AM In reply to

    • vices
    • Not Ranked
    • Joined on 07-02-2008
    • Posts 3

    Re: With launch only 2 days away..

     SQL injections are covered by datamapper, our primary concern is with javascript/html attacks.

  • 07-02-2008 12:27 PM In reply to

    Re: With launch only 2 days away..

    Do you have a business need to allow users to add HTML and/or Javascript to whatever it is they input into the system? If not, outright disallow HTML. If so, figure out how much is needed and what elements specifically you'll need and suppress the rest from the parse tree. This isn't really something you should need help with. If you don't want your users using bad HTML, then deny them the ability to do this.

  • 07-02-2008 1:14 PM In reply to

    Re: With launch only 2 days away..

    vices:
     SQL injections are covered by datamapper, our primary concern is with javascript/html attacks.
     

    Well then..

    1. for every page/script
      1. for every post/get parameter parsed by the page/script 
        1. Check that the parameter is validated properly
        2. determine if the parameter value is used anywhere in the site structure (i.e. display.rb?title=Foo)
        3. If it does, make sure that either the output is properly html-encoded, or that html entities are stripped
    2. for every user-editable field in the database
      1. check where it is updated
        1. ensure that html entities are properly handled (i.e. removed, escaped)
      2. check where it is accessed
        1. ensure that it is properly escaped.

    You really only need to have one of the two, i.e. sanitize values before storing them in the DB, or sanitize them when displaying. If you do both, you'll end up with double-escaped HTML tags and such ugliness.

    This, of course, assumes that users have no need to enter HTML formatted content anywhere on the site. If they do, you're pretty much already lost. If the site is built around html content, then you'll need a method of sanitizing this content to remove javascript, flash, links to local scripts that take get parameters (i.e. <a href="localsite/profile.rb?action=delete&confirm=yes">boobies!</a>), forms, etc. It's easier to move to a different markup (see: BBcode) than getting this right.
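
Added example, not part of the thread or of the site's code: the checklist from the post above in Ruby, using the standard library's `ERB::Util.html_escape`. The view and store functions are hypothetical stand-ins for a page that echoes a parameter or database field; the block checks raw versus escaped output with the test string from the first post and shows the double escaping that results from sanitizing both on store and on display.

```ruby
require 'erb'

# Escape at output time: the one place every value passes before reaching HTML.
def h(value)
  ERB::Util.html_escape(value.to_s)
end

# Hypothetical views standing in for pages that echo a parameter or DB field.
def title_view_raw(title)
  "<h1>#{title}</h1>"       # vulnerable: value interpolated as-is
end

def title_view_escaped(title)
  "<h1>#{h(title)}</h1>"    # hardened: encoded on display
end

# Hypothetical store step that ALSO escapes before saving (the "both" case).
def store_escaped(value)
  h(value)
end

PROBE = "<script>alert('SUCKS')</script>" # the test string from the first post
NAME  = 'Tom & Jerry'                     # constructed benign input

# Checklist helper: does the rendered page contain the probe verbatim?
def reflects_raw?(view, probe)
  method(view).call(probe).include?(probe)
end

# Run the probe through each view and report which ones echo it unescaped.
def audit(views)
  views.map { |v| [v, reflects_raw?(v, PROBE) ? :unescaped : :ok] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  p audit(%i[title_view_raw title_view_escaped])
  puts title_view_escaped(NAME)                 # escaped once
  puts title_view_escaped(store_escaped(NAME))  # escaped twice
end
```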

  • 07-13-2008 1:39 PM In reply to

    Re: With launch only 2 days away..

    Nandurius:

    (i.e. <a href="localsite/profile.rb?action=delete&confirm=yes">boobies!</a>)

    Which would of course be a gaping security hole in its own right. Even if you sanitized your own site until your ears ring, someone could just put this into an [img] tag on some third party forum and post an innocent link to it.

  • 07-18-2008 3:49 PM In reply to

    • ubrious
    • Not Ranked
    • Joined on 04-10-2008
    • Nj
    • Posts 2

    Re: With launch only 2 days away..

    this should cover XSS :)

    http://ha.ckers.org/xss.html
