full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] iiscan results

Re: [Full-disclosure] iiscan results

From: Robin Sage <robin.sage_at_nospam>
Date: Thu Jan 07 2010 - 15:58:04 GMT
To: Jardel Weyrich <jweyrich@gmail.com>, p8x <l@p8x.net>


If anyone has any more invite codes please send one to me. I tried the ones posted and they were not functional. I also emailed support and never received a response.

Has anyone compared this to AppScan, WebInspect, Sentinnel, Qualys or Acunetix ? How many trials do you get per invite code? Just 1 app?

Thanks!



From: Jardel Weyrich <jweyrich@gmail.com> To: p8x <l@p8x.net>
Cc: full-disclosure@lists.grok.org.uk
Sent: Thu, January 7, 2010 9:33:07 AM
Subject: Re: [Full-disclosure] iiscan results

It's probably trying to get different results/responses by changing the values of some request headers. The most common scenario, as far as I've seen, and as oddly as it might sound, is the User-Agent and HTTP minor version.

A more verbose logging strategy would demystify. Or maybe Vincent?

On Thu, Jan 7, 2010 at 12:28 PM, p8x <l@p8x.net> wrote:
> Hi Jan,
>
> I am not sure what you mean.
>
> Maybe I should clarify, I used some bash magic to make it a bit easier
> to read the results from my log file. Here is a copy of the log pre me
> making it easy to read: http://pastebin.com/m512018cb
>
> If you read the above log file you will be able to see the duplicate
> requests, as an example these two time stamps are have the same request:
>
> [07/Jan/2010:09:25:32 +0800]
> [07/Jan/2010:09:25:36 +0800]
>
> I did the test twice, so the results in my previous post that were
> requested twice can be ignored.
>
> p8x
>
> On 7/01/2010 10:08 PM, Jan G.B. wrote:
>> What you see is not an issue or error. It is, what the application is
>> supposed to do.
>>
>> * As you can see, these requests are not the same.
>> * Thinking about muiltiple POST requests on WP-Login or your "logs"
>> below, you could have guessed in the first place that the app is either
>> trying multiple Login/Passwort combinations or (as seen below) some
>> patterns to detect Injection possibilities.
>>
>> Regards
>>
>> 2010/1/7 p8x <l@p8x.net <mailto:l@p8x.net>>
>>
>> Hi Vincent,
>>
>> I also experied the same issue as mrx. I did see multiple get and post
>> requests to the same page.
>>
>> As an example, I took a random page with a form on it, here are the
>> totals:
>>
>> 2 /password.html
>> 2 /password.html?key=88888&form_validated=12345&submit_form=88888
>> 2 /password.html?key=88888&form_validated=12345&submit_form=88888'
>> 2
>> /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
>> 2
>> /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
>> 2
>> /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
>> 2 /password.html?key=88888&submit_form=88888&form_validated=12345
>> 2 /password.html?key=88888&submit_form=88888&form_validated=12345'
>> 2
>> /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
>> 2
>> /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
>> 2
>> /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
>> 2 /password.html?submit_form=88888&form_validated=12345&key=88888
>> 2 /password.html?submit_form=88888&form_validated=12345&key=88888'
>> 2
>> /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
>> 2
>> /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
>> 2
>> /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
>> 4
>> /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
>> 4
>> /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
>> 4
>> /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
>> 4
>> /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
>> 4
>> /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
>> 4
>> /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
>> 4
>> /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
>> 4
>> /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
>> 4
>> /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='
>>
>> Also, the contact forms on the websites I tested got hammered with
>> emails (and they also seemed to have duplicate requests).
>>
>> p8x
>>
>> On 7/01/2010 8:00 PM, mrx wrote:
>> > Vincent,
>> >
>> > Although the actual results of the scan were displayed in English
>> in the online html report,
>> > the suggested solutions were in fact in Chinese.
>> >
>> > Checking my access logs reveals multiple attempts of the same
>> attack/probe, for example multiple identical POSTs to the same page:
>> >
>> > 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST
>> /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0
>> (compatible; MSIE 7.0; Windows
>> > NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>> >
>> > There are around 100 entries identical to the above in my log. I
>> don't know if this is by design or not but it does seem to be a
>> little inefficient.
>> >
>> >
>> > I also noticed there were no attempts at information disclosure
>> via the TRACE method, nor were any attempts made at SQL injection
>> despite my
>> > selecting "all" in the scan options. Not that my site is
>> vulnerable in any way ;-)
>> >
>> > Hope this helps
>> >
>> > regards
>> > mrx
>> >
>> >
>> >
>> > Vincent Chao wrote:
>> >> Thank you for your analysis. It really helps me.
>> >
>> >> And I also found the PDF report mail to us is in Chinese, in the
>> website of
>> >> iiScan, however, to see the report of html or PDF format is
>> English (of
>> >> course can change to Chinese).
>> >
>> >> -----Original Message-----
>> >> From: full-disclosure-bounces@lists.grok.org.uk
>> <mailto:full-disclosure-bounces@lists.grok.org.uk>
>> >> [mailto:full-disclosure-bounces@lists.grok.org.uk
>> <mailto:full-disclosure-bounces@lists.grok.org.uk>] On Behalf Of mrx
>> >> Sent: Wednesday, January 06, 2010 8:45 PM
>> >> To: full-disclosure@lists.grok.org.uk
>> <mailto:full-disclosure@lists.grok.org.uk>
>> >> Subject: [Full-disclosure] iiscan results
>> >
>> >> Well, this scanner managed to find a couple of low level
>> vulnerabilities on
>> >> my site which were missed by both Nikto and Nessus.
>> >
>> >> Two directories allowed a directory listing and a test.php file I
>> created,
>> >> an information disclosure vulnerability, was also detected. My dumb
>> >> ass forgot to delete this "test.php" file after I finished
>> testing the
>> >> server.
>> >
>> >> Possible sensitive directories were also listed, however browsing
>> to these
>> >> directories returned 403 errors, blank pages or a wordpress logon
>> >> prompt, which is what I expected.
>> >
>> >> So all in all this scanner seems to do it's job well. At least
>> for a LAMP
>> >> server running wordpress
>> >
>> >> Of course I have addressed the vulnerabilities reported.
>> >
>> >> My command of the Chinese language is limited to zero, so I cannot
>> >> understand the pdf report emailed to me nor the information
>> within the web
>> >> based report. Hopefully the developers will address this language
>> problem.
>> >
>> >> regards
>> >> mrx
>> >
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>> >
>> >
>> >
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/       



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/