Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: iiscan results - a closer look

From: jack mannino <jack.a.mannino () gmail com>
Date: Sun, 10 Jan 2010 15:52:58 -0500
Have you ever performed the same analysis of the tests the paid scanning
products perform?  I think you would be amazed at the similarities in their
general lack of intelligence and poor ability to make decisions based on
context and/or environment.

Also, what do you consider "good" about the checks it performed?  Very basic
' or 1 =1 stuff, with basic URL encoding at the "high end" of the test
cases.

<rant>

I'd argue that any organization without an application security program that
would use IIScan or a similar solution is actually LESS secure if they don't
understand that a simple scan isn't the same as having an actual approach.
Finding a few simple holes and fixing them doesn't constitute improving your
security posture, at all.

</rant>

-Jack

On Fri, Jan 8, 2010 at 3:42 PM, <dd () sucuri net> wrote:


I played with it a little yesterday and posted my thoughts (as well as
a summary of their whole scan) at:

http://blog.sucuri.net/2010/01/closer-look-at-iiscan.html

It is a nice tool with some good checks looking for SQL, XSS, etc... I
just think they
didn't look deep enough in my site to check more stuff...


--dd



On Thu, Jan 7, 2010 at 11:58 AM, Robin Sage <robin.sage () rocketmail com>
wrote:

If anyone has any more invite codes please send one to me.
I tried the ones posted and they were not functional.
I also emailed support and never received a response.

Has anyone compared this to AppScan, WebInspect, Sentinnel, Qualys or
Acunetix ?
How many trials do you get per invite code? Just 1 app?

Thanks!

________________________________
From: Jardel Weyrich <jweyrich () gmail com>
To: p8x <l () p8x net>
Cc: full-disclosure () lists grok org uk
Sent: Thu, January 7, 2010 9:33:07 AM
Subject: Re: [Full-disclosure] iiscan results

It's probably trying to get different results/responses by changing
the values of some request headers. The most common scenario, as far
as I've seen, and as oddly as it might sound, is the User-Agent and
HTTP minor version.

A more verbose logging strategy would demystify. Or maybe Vincent?



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: