full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] iiscan results - a clo

Re: [Full-disclosure] iiscan results - a closer look

From: jack mannino <jack.a.mannino_at_nospam>
Date: Sun Jan 10 2010 - 20:52:58 GMT
To: dd@sucuri.net


Have you ever performed the same analysis of the tests the paid scanning products perform? I think you would be amazed at the similarities in their general lack of intelligence and poor ability to make decisions based on context and/or environment.

Also, what do you consider "good" about the checks it performed? Very basic ' or 1 =1 stuff, with basic URL encoding at the "high end" of the test cases.

<rant>

I'd argue that any organization without an application security program that would use IIScan or a similar solution is actually LESS secure if they don't understand that a simple scan isn't the same as having an actual approach. Finding a few simple holes and fixing them doesn't constitute improving your security posture, at all.

</rant>

-Jack

On Fri, Jan 8, 2010 at 3:42 PM, <dd@sucuri.net> wrote:

> I played with it a little yesterday and posted my thoughts (as well as
> a summary of their whole scan) at:
>
> http://blog.sucuri.net/2010/01/closer-look-at-iiscan.html
>
> It is a nice tool with some good checks looking for SQL, XSS, etc... I
> just think they
> didn't look deep enough in my site to check more stuff...
>
>
> --dd
>
>
>
> On Thu, Jan 7, 2010 at 11:58 AM, Robin Sage <robin.sage@rocketmail.com>
> wrote:
> > If anyone has any more invite codes please send one to me.
> > I tried the ones posted and they were not functional.
> > I also emailed support and never received a response.
> >
> > Has anyone compared this to AppScan, WebInspect, Sentinnel, Qualys or
> > Acunetix ?
> > How many trials do you get per invite code? Just 1 app?
> >
> > Thanks!
> >
> > ________________________________
> > From: Jardel Weyrich <jweyrich@gmail.com>
> > To: p8x <l@p8x.net>
> > Cc: full-disclosure@lists.grok.org.uk
> > Sent: Thu, January 7, 2010 9:33:07 AM
> > Subject: Re: [Full-disclosure] iiscan results
> >
> > It's probably trying to get different results/responses by changing
> > the values of some request headers. The most common scenario, as far
> > as I've seen, and as oddly as it might sound, is the User-Agent and
> > HTTP minor version.
> >
> > A more verbose logging strategy would demystify. Or maybe Vincent?
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/