Full Disclosure mailing list archives
Re: iiscan results - a closer look
From: jack mannino <jack.a.mannino () gmail com>
Date: Sun, 10 Jan 2010 15:52:58 -0500
Have you ever performed the same analysis of the tests the paid scanning products perform? I think you would be amazed at the similarities in their general lack of intelligence and poor ability to make decisions based on context and/or environment. Also, what do you consider "good" about the checks it performed? Very basic ' or 1 =1 stuff, with basic URL encoding at the "high end" of the test cases. <rant> I'd argue that any organization without an application security program that would use IIScan or a similar solution is actually LESS secure if they don't understand that a simple scan isn't the same as having an actual approach. Finding a few simple holes and fixing them doesn't constitute improving your security posture, at all. </rant> -Jack On Fri, Jan 8, 2010 at 3:42 PM, <dd () sucuri net> wrote:
I played with it a little yesterday and posted my thoughts (as well as a summary of their whole scan) at: http://blog.sucuri.net/2010/01/closer-look-at-iiscan.html It is a nice tool with some good checks looking for SQL, XSS, etc... I just think they didn't look deep enough in my site to check more stuff... --dd On Thu, Jan 7, 2010 at 11:58 AM, Robin Sage <robin.sage () rocketmail com> wrote:If anyone has any more invite codes please send one to me. I tried the ones posted and they were not functional. I also emailed support and never received a response. Has anyone compared this to AppScan, WebInspect, Sentinnel, Qualys or Acunetix ? How many trials do you get per invite code? Just 1 app? Thanks! ________________________________ From: Jardel Weyrich <jweyrich () gmail com> To: p8x <l () p8x net> Cc: full-disclosure () lists grok org uk Sent: Thu, January 7, 2010 9:33:07 AM Subject: Re: [Full-disclosure] iiscan results It's probably trying to get different results/responses by changing the values of some request headers. The most common scenario, as far as I've seen, and as oddly as it might sound, is the User-Agent and HTTP minor version. A more verbose logging strategy would demystify. Or maybe Vincent?_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: iiscan results - a closer look dd (Jan 10)
- Re: iiscan results - a closer look jack mannino (Jan 10)
- Re [2]: iiscan results - a closer look Vladimir Vorontsov (Jan 11)