The video was for personal teaching purposes only and shouldn’t become that public, so please ignore the home pc desktop and the non business environment.

I hope you enjoy it.

..Max

Because of the soaring web security scans and to thank you stabilizing our scan service, we decided to offer the scanning, certification and reporting completly free for another month.

Have fun scanning and do us a favor by recommending our service.

The documentation how to use the WCF API is available at: http://developer.german-websecurity.com/

The complete scan and report management can be handled over the API.

If you want to use the scanner over the WCF API for your own service, please send us a email for a quote.

You’re able now, to scan one month all your websites for free, only the seal installation for owner verification purposes is required.

You don’t have to pay for the result or for the scan.

For this time Web Scan Service will not be limited, you see the scan result and you’re able to create reports.

 This special offer starts today !

So we took a volunteer user, which scanned the websites with our scanning services and we added another column with our result to the larry suto’s report.

The untrained vulnerabilites could be found by the user without any help from us, the trained part means the user needed some help to set up the scan.

The Accurancy Of Web Application Security Scanner

The Point and Shoot Result

The Trained Result

The complete report can be downloaded now: Vendor_Comparision

If someone would like to scan those sites, or if you already have scanned those websites and you need the scans unlocked, please let us know, we’re going to set your test scans to purchased ones.

HTML and SQL Injection’s can be placed into a barcode, which can exploit barcode reader if developers didn’t take care about the security from this vector.

So i created a 128-A barcode online, the barcode contains a html script.

And that’s the result if developer don’t santize the data from the barcode reader.

Possible could be also a sql injections, if developers have the barcode reader connected with a database.

Note:

The owner of this website has been informed.

Improved: Cross Site Scripting signatures

Fixed: Login Sent Unencrypted signature didn't match always

Fixed: Login Sent Over Query signature didn't match always

Added: ASP.Net Form Support

Improved: Removed request overhead for websites which includes forms

Web Scan Service
Online verification style changed, a certificate has to be installed on the website before scanning is possible.

We’ve tested the behaviour of Acunetix, WebInspect, Appscan and WebScanService on a website with a rewrite for a special keyword.

Rewrites are often used for Search Engine Friendly URLs that changes the usually filename with query scheme  (i.e. /index.php?id=14) to something more readable for search engines (i.e. /news/).

While working with several companies I’ve seen rewrites on special extensions (i.e. “.001-.100″ or “.bak”), which often leads to false positives in many scanners, so i decided to create a testpage with the same base by creating a rewrite on the match “test”.

Rewrites based on a request which contains test leading to problems and false positives in many scanner, because they can’t detect if the requested file really exist, specially if the server doesn’t respond with a 404 (Not Found) status code.

Problems also often occur if rewrites are only enabled for a special filenames, extensions or folders.

Because of so many different customer requests for more improvements on the rewrite engine we’re able to scan websites with rewrites without any problems, which leads other scanner to false positives.

Each scanner has checks for files which contains “test” in the requested filename and for this test, each scan has been started with the default settings.

So for this test i created some folders, a rewrite.html which will be given out if the requested url contains “test” and a index.html which links to blank.html in the css, images and js folder.

After creating the testpage, it’s time to create a rewrite which leads automaticly to the rewrite.html if the request contains a special keyword (i.e. test).

With the created rewrite it’s now possible to see how bad most of the scanner behave if they’re not able to verify if their requested file really exist.

Acunetix finds on each folder 9 of his requested files, which leads to many false positives.

AppScan found his requested files but only found 3 “Test Scripts” in the CSS, JS and Images folder, I’m not quite sure if their integrated detection avoids further false positives or if the scan engine doesn’t request the other files also in those folder.

WebInspect is even worse, it doesn’t even find the requested files, it also finds not existent folders which contains his not existent files.

Same with NetSparker, i had to use “.bak” as rewrite because no signature with “test” as file request exists.

WebScanService didn’t had any false positives and we’re able to handle the rewrite.

Because of the lack of time i didn’t created a realistic website structure, it would have been nice to see if a scanner even would crash on a page with at least 30 folders..

[EDIT]

I had some time and complicated the rewrite to show how effective our scanning technology is.

For this test I’ve increased the complexity of the rewrite.

I created a test.html file in the css folder, which should really be reachable, so i added a condition which disables the rewrite if the test.html file is requested.

As you scan see, in this testwe’re not only false positive free, we also found the file which really exist.

If a independent author or security consultant would like to repeat this test, please feel free to send us a email and we’re going to set your scans free.

]]> http://labs.german-websecurity.com/en/blog/?feed=rss2&p=12 1 http://labs.german-websecurity.com/en/blog/?p=3 http://labs.german-websecurity.com/en/blog/?p=3#comments Tue, 13 Apr 2010 23:50:58 +0000 Maximilian Corrientes http://labs.german-websecurity.com/?p=3 Improved: Blind SQL Injection Signatures Fixed: Lagging UI on a scan setup Fixed: Scanner didn't crawl sites which had set a invalid cookie before Fixed: PHP Source Code Disclosure Signature has been improved Fixed: Automatic first scan selection on deletion / resuming and stopping of any other scan Added: Additional detection mechanism for rewrites Fixed: Certificate text overlay if windows is resized Fixed: Missing style for active links in the navigation ]]> http://labs.german-websecurity.com/en/blog/?feed=rss2&p=3 1