Re: [Full-disclosure] iiscan results - a closer look

2010-01-10 Thread jack mannino
Have you ever performed the same analysis of the tests the paid scanning
products perform?  I think you would be amazed at the similarities in their
general lack of intelligence and poor ability to make decisions based on
context and/or environment.

Also, what do you consider good about the checks it performed?  Very basic
' or 1 =1 stuff, with basic URL encoding at the high end of the test
cases.

<rant>

I'd argue that any organization without an application security program that
would use IIScan or a similar solution is actually LESS secure if they don't
understand that a simple scan isn't the same as having an actual approach.
Finding a few simple holes and fixing them doesn't constitute improving your
security posture, at all.

</rant>

-Jack

On Fri, Jan 8, 2010 at 3:42 PM, d...@sucuri.net wrote:

 I played with it a little yesterday and posted my thoughts (as well as
 a summary of their whole scan) at:

 http://blog.sucuri.net/2010/01/closer-look-at-iiscan.html

 It is a nice tool with some good checks looking for SQL, XSS, etc... I
 just think they didn't look deep enough in my site to check more stuff...


 --dd



 On Thu, Jan 7, 2010 at 11:58 AM, Robin Sage robin.s...@rocketmail.com
 wrote:
  If anyone has any more invite codes please send one to me.
  I tried the ones posted and they were not functional.
  I also emailed support and never received a response.
 
  Has anyone compared this to AppScan, WebInspect, Sentinel, Qualys or
  Acunetix?
  How many trials do you get per invite code? Just 1 app?
 
  Thanks!
 
  From: Jardel Weyrich jweyr...@gmail.com
  To: p8x l...@p8x.net
  Cc: full-disclosure@lists.grok.org.uk
  Sent: Thu, January 7, 2010 9:33:07 AM
  Subject: Re: [Full-disclosure] iiscan results
 
  It's probably trying to get different results/responses by changing
  the values of some request headers. The most common scenario, as far
  as I've seen, and as oddly as it might sound, is the User-Agent and
  HTTP minor version.
 
  A more verbose logging strategy would demystify. Or maybe Vincent?
 

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

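The header cycling Jardel describes and the URL-encoded "' or 1=1" probes Jack mentions both leave traces in an ordinary web server access log, which is what "a more verbose logging strategy" would surface. The script below is an added example, not code from the thread or from iiscan: it parses combined-format log lines (constructed here), double-decodes the URL so encoded tautology probes are caught, and flags any client that re-requests one path while cycling User-Agent strings or HTTP minor versions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: host ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Basic tautology / comment probes of the "' or 1=1" kind (case-insensitive).
SQLI_RE = re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+|--\s*$|/\*.*\*/""", re.I)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decode(url):
    # Decode twice so a double-encoded %2527 still collapses to a quote.
    return unquote_plus(unquote_plus(url))

def looks_like_sqli(url):
    return bool(SQLI_RE.search(decode(url)))

def triage(lines):
    """Return (sqli_hits, header_cyclers).
    sqli_hits: [(ip, decoded url)] for probe-like requests.
    header_cyclers: {(ip, path): (distinct UAs, distinct HTTP versions)}
    for clients hitting one path with more than one UA or HTTP version."""
    sqli_hits = []
    seen = defaultdict(lambda: (set(), set()))
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        if looks_like_sqli(rec["url"]):
            sqli_hits.append((rec["ip"], decode(rec["url"])))
        path = rec["url"].split("?", 1)[0]
        uas, vers = seen[(rec["ip"], path)]
        uas.add(rec["ua"])
        vers.add(rec["ver"])
    cyclers = {k: (len(u), len(v)) for k, (u, v) in seen.items()
               if len(u) > 1 or len(v) > 1}
    return sqli_hits, cyclers

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE = [
    '203.0.113.5 - - [07/Jan/2010:09:33:07 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jan/2010:09:33:08 +0000] "GET /item.php?id=1 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [07/Jan/2010:09:33:09 +0000] "GET /item.php?id=1%27%20or%201%3D1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jan/2010:09:35:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, cyclers = triage(SAMPLE)
    print("probe-like requests:", hits)
    print("header cyclers:", cyclers)
```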

Re: [Full-disclosure] Flex website scanners

2009-08-25 Thread Jack Mannino
Check out SWFScan.  It does what a scanner is supposed to do, which is 
find low-hanging vulnerabilities.  The tool does a pretty good job at 
decompiling for the most part, but you still really need to do manual 
analysis on the code!!  You should never rely on ANY scanner to do 100% 
of your analysis.

Link- 
https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf

-Jack Mannino
