
Testing for security vulnerabilities in web applications: *** practices?

Updated: 2023-10-16 23:38:34

SQL Injection and XSS are the most common mistakes that programmers make. The good news is that they are easiest to automatically test for, as long as you have the right software. When I am on a pentest I use Sitewatch or Wapiti for finding web application vulnerabilities. Acunetix is overpriced.

But, you can't just fire off some automated tool and expect everything to work. There are a number of precautions you must take with ANY vulnerability scanner you choose.

1) Make sure display_errors=On in your php.ini. SQL injection tests rely on being able to see MySQL error messages in the response pages! No error, no vulnerability detected!

2) Scan the authenticated areas of your application. Create a user account specifically for testing. Acunetix has an easy wizard where you can create a login sequence. If you are using Wapiti you can give a cookie to Wapiti or give Wapiti a POST request to fire off, but this is kind of tricky.

AFTER you have tested your application, test your server for misconfiguration. To test your server you need to run OpenVAS, which is the new, more free version of Nessus, which is now a commercial product. Then you should follow this up with PhpSecInfo. These tests will notify you of problems with your configuration or if you are running old vulnerable software.

Nothing will ever be 100% secure, EVER. No matter what you do there are vulnerabilities that will slip through the cracks. There are vulnerabilities in all development platforms that lead to compromises that no tool can test for. There are also bugs in the testing tools you use. There are false positives and false negatives and some tests that just don't work; a good example: I have never seen an automated CSRF tool that actually finds legit vulnerabilities. Acunetix's CSRF test is a complete waste of time.

There is also the OWASP testing guide which goes into greater detail. This is not to be confused with the OWASP Top 10, which is also an excellent resource. The PHP Security Guide is also a great resource for PHP programmers.
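An added example for point 1 of the answer above (not code from the answer or from any of the tools it names): a small Python preflight that checks whether a test instance's php.ini actually has display_errors enabled and whether a page response surfaces MySQL error text, since an error-based SQL injection scan is blind without both. The php.ini fragments, response bodies and the `/var/www/app/search.php` path are constructed sample input.

```python
import re

# Constructed php.ini fragments (sample input, not taken from the page).
TEST_INI = "display_errors = On\nlog_errors = On\n"
PROD_INI = "; production\ndisplay_errors = Off\nlog_errors = On\nhtml_errors = Off\n"

# Constructed response bodies, shaped like what a PHP/MySQL page returns
# when a query fails and errors are displayed (path is a made-up example).
LEAKY_BODY = ("<b>Warning</b>: mysqli_query(): You have an error in your SQL syntax; "
              "check the manual that corresponds to your MySQL server version in "
              "<b>/var/www/app/search.php</b> on line <b>12</b>")
QUIET_BODY = "<html><body>No results found.</body></html>"


def parse_php_ini(text):
    """Minimal php.ini reader: drops ';' comments, lowercases keys and values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def display_errors_on(ini_text):
    # PHP accepts On/1/true/yes; 'stdout' and 'stderr' also produce output.
    value = parse_php_ini(ini_text).get("display_errors", "off")
    return value in {"on", "1", "true", "yes", "stdout", "stderr"}


# Error strings a scanner keys on; matched after HTML tags are stripped.
MYSQL_ERROR_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"Warning: mysqli?_\w+\(\)", re.I),
    re.compile(r"mysqli_sql_exception", re.I),
]


def leaked_mysql_errors(body):
    """Return the signature patterns found in a response body."""
    text = re.sub(r"<[^>]+>", "", body)  # '<b>Warning</b>: ...' -> 'Warning: ...'
    return [p.pattern for p in MYSQL_ERROR_SIGNATURES if p.search(text)]


def scanner_preflight(ini_text, probe_body):
    """Report whether an error-based SQLi scan of this instance can see anything."""
    visible = display_errors_on(ini_text)
    leaks = leaked_mysql_errors(probe_body)
    return {"display_errors": visible, "mysql_errors": leaks,
            "scan_meaningful": visible and bool(leaks)}
```

The same two checks, run against the production php.ini and a production page, confirm the opposite condition: no DB error text reaching users once testing is done.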