Have you ever performed the same analysis of the tests the paid scanning products perform? I think you would be amazed at the similarities in their general lack of intelligence and poor ability to make decisions based on context and/or environment.
Also, what do you consider "good" about the checks it performed? Very basic ' or 1=1 stuff, with basic URL encoding at the "high end" of the test cases.

<rant> I'd argue that any organization without an application security program that would use IIScan or a similar solution is actually LESS secure if they don't understand that a simple scan isn't the same as having an actual approach. Finding a few simple holes and fixing them doesn't constitute improving your security posture, at all. </rant>

-Jack

On Fri, Jan 8, 2010 at 3:42 PM, <[email protected]> wrote:
> I played with it a little yesterday and posted my thoughts (as well as
> a summary of their whole scan) at:
>
> http://blog.sucuri.net/2010/01/closer-look-at-iiscan.html
>
> It is a nice tool with some good checks looking for SQL, XSS, etc... I
> just think they didn't look deep enough in my site to check more stuff...
>
> --dd
>
> On Thu, Jan 7, 2010 at 11:58 AM, Robin Sage <[email protected]> wrote:
> > If anyone has any more invite codes please send one to me.
> > I tried the ones posted and they were not functional.
> > I also emailed support and never received a response.
> >
> > Has anyone compared this to AppScan, WebInspect, Sentinel, Qualys or
> > Acunetix?
> > How many trials do you get per invite code? Just 1 app?
> >
> > Thanks!
> >
> > ________________________________
> > From: Jardel Weyrich <[email protected]>
> > To: p8x <[email protected]>
> > Cc: [email protected]
> > Sent: Thu, January 7, 2010 9:33:07 AM
> > Subject: Re: [Full-disclosure] iiscan results
> >
> > It's probably trying to get different results/responses by changing
> > the values of some request headers. The most common scenario, as far
> > as I've seen, and as oddly as it might sound, is the User-Agent and
> > HTTP minor version.
> >
> > A more verbose logging strategy would demystify. Or maybe Vincent?
> >
> > _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
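Jack's description of the probes (basic ' or 1=1 with URL encoding) and Jardel's observation that the scanner varies the User-Agent and HTTP minor version together describe traffic a site owner can recognise in their own access logs. The Python below is an added example, not code from the thread or from IIScan: the log lines, addresses, paths and User-Agent strings are constructed, and the probe pattern is an assumption about what a low-effort scanner sends.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip - - [time] "METHOD path HTTP/x.y" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Tautology probes of the "' or 1=1" kind (assumed scanner signature, case-insensitive).
SQLI_RE = re.compile(r"(?i)['\"]\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so %2527-style double encoding is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_sqli_probe(path):
    """True if the decoded request path/query carries a tautology-style probe."""
    return SQLI_RE.search(decode_fully(path)) is not None

def scanner_indicators(lines, min_probes=2):
    """Per source IP: probe count plus the distinct User-Agents and HTTP versions seen.
    Only clients that sent min_probes or more probes, or varied those headers, are kept."""
    stats = defaultdict(lambda: {"probes": 0, "agents": set(), "versions": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; ignore
        s = stats[m["ip"]]
        s["agents"].add(m["ua"])
        s["versions"].add(m["ver"])
        if is_sqli_probe(m["path"]):
            s["probes"] += 1
    return {ip: s for ip, s in stats.items()
            if s["probes"] >= min_probes or len(s["agents"]) > 1 or len(s["versions"]) > 1}

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jan/2010:15:42:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Jan/2010:15:42:02 +0000] "GET /item.php?id=1%27%20or%201%3D1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Jan/2010:15:42:03 +0000] "GET /item.php?id=1%2527%2520or%25201%253D1 HTTP/1.0" 500 0 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [08/Jan/2010:15:43:00 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]
```

Running `scanner_indicators(SAMPLE_LOG)` reports only 203.0.113.5, with two probes, two User-Agents and two HTTP versions; the single plain request from 198.51.100.9 is not flagged.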
