Have you ever performed the same analysis of the tests the paid scanning
products perform? I think you would be amazed at the similarities in their
general lack of intelligence and poor ability to make decisions based on
context and/or environment.
Also, what do you consider good about the checks it performed? Very basic
' or 1 =1 stuff, with basic URL encoding at the high end of the test
cases.
rant
I'd argue that any organization without an application security program that
would use IIScan or a similar solution is actually LESS secure if they don't
understand that a simple scan isn't the same as having an actual approach.
Finding a few simple holes and fixing them doesn't constitute improving your
security posture, at all.
/rant
-Jack
On Fri, Jan 8, 2010 at 3:42 PM, d...@sucuri.net wrote:
I played with it a little yesterday and posted my thoughts (as well as
a summary of their whole scan) at:
http://blog.sucuri.net/2010/01/closer-look-at-iiscan.html
It is a nice tool with some good checks looking for SQL, XSS, etc... I
just think they didn't look deep enough in my site to check more stuff...
--dd
On Thu, Jan 7, 2010 at 11:58 AM, Robin Sage robin.s...@rocketmail.com wrote:
If anyone has any more invite codes please send one to me.
I tried the ones posted and they were not functional.
I also emailed support and never received a response.
Has anyone compared this to AppScan, WebInspect, Sentinel, Qualys or
Acunetix?
How many trials do you get per invite code? Just 1 app?
Thanks!
From: Jardel Weyrich jweyr...@gmail.com
To: p8x l...@p8x.net
Cc: full-disclosure@lists.grok.org.uk
Sent: Thu, January 7, 2010 9:33:07 AM
Subject: Re: [Full-disclosure] iiscan results
It's probably trying to get different results/responses by changing
the values of some request headers. The most common scenario, as far
as I've seen, and as oddly as it might sound, is the User-Agent and
HTTP minor version.
A more verbose logging strategy would demystify. Or maybe Vincent?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
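Two observations in this thread are easy to turn into log-side detections: Jack's point that the scanner's SQL checks are mostly `' or 1=1` style tautologies with some URL encoding, and Jardel's point that it replays the same request while changing only the User-Agent or the HTTP minor version. The script below is an added example written for this page, not code from the thread or from iiscan; the access-log lines are constructed (Combined Log Format, RFC 5737 test addresses) and the function names are my own. It decodes each request path, flags tautology probes, and groups identical requests per client to find ones replayed under several User-Agents or HTTP versions, which is the "more verbose logging" view Jardel asks for, taken from the server side.

```python
"""Spot scanner-style traffic in web server access logs.

Two behaviours from the thread: (1) simple tautology probes such as
' or 1=1, plain or URL-encoded, and (2) the same request repeated with
only the User-Agent or HTTP minor version changed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (Combined Log Format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2010:15:42:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2010:15:42:01 +0000] "GET /item.php?id=1 HTTP/1.0" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2010:15:42:02 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [08/Jan/2010:15:42:02 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Lynx/2.8"
203.0.113.7 - - [08/Jan/2010:15:42:03 +0000] "GET /item.php?id=1'%20or%201%3D1 HTTP/1.1" 500 88 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2010:15:42:03 +0000] "GET /item.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jan/2010:15:43:10 +0000] "GET /item.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jan/2010:15:43:11 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, identity, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# "' or 1=1", "' OR '1'='1", "\" or a=a" ... matched after URL-decoding,
# so percent-encoded variants are caught as well.
SQLI_PROBE_RE = re.compile(r"""['"]\s*or\s+'?(\w+)'?\s*=\s*'?\1'?""", re.IGNORECASE)


def parse_log(text):
    """Return one dict per parsable line; the URL-decoded path is added as 'decoded'."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        e = m.groupdict()
        e["decoded"] = unquote(e["path"])
        entries.append(e)
    return entries


def find_sqli_probes(entries):
    """Return (ip, decoded path) for every request carrying a tautology probe."""
    return [(e["ip"], e["decoded"]) for e in entries if SQLI_PROBE_RE.search(e["decoded"])]


def find_header_variation(entries, min_user_agents=2, min_versions=2):
    """Return (ip, path, #user-agents, #HTTP versions) for identical requests
    that one client replayed with a changed User-Agent or HTTP version."""
    seen = defaultdict(lambda: {"ua": set(), "ver": set()})
    for e in entries:
        key = (e["ip"], e["path"])  # exact raw path, so only header changes differ
        seen[key]["ua"].add(e["ua"])
        seen[key]["ver"].add(e["ver"])
    hits = []
    for (ip, path), s in seen.items():
        if len(s["ua"]) >= min_user_agents or len(s["ver"]) >= min_versions:
            hits.append((ip, path, len(s["ua"]), len(s["ver"])))
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, path in find_sqli_probes(entries):
        print(f"sqli probe   {ip}  {path}")
    for ip, path, n_ua, n_ver in find_header_variation(entries):
        print(f"header walk  {ip}  {path}  user-agents={n_ua} http-versions={n_ver}")
```

Run against the constructed sample, the first client is flagged twice: two tautology probes (one with a bare `'`, one fully percent-encoded) and one request replayed under three User-Agents and two HTTP versions within two seconds; the second client, which browses normally, produces no hits. On real logs, raise `min_user_agents` if your site sits behind a proxy that legitimately rewrites headers, and key on the raw path as done here so that a page merely requested by many different browsers is not confused with one client walking through header values.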