Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
HackerSafe - revisited
Posted by: bubbles
Date: October 21, 2007 01:39PM

I was browsing DP and I saw a thread discussing if buying hackesafe is worth the money...

http://forums.digitalpoint.com/showthread.php?t=475248

It cracks me up because one of the guys insists that they can scan for XSS/SQL even after I showed him the 3 page long thread of vulns in hackersafe sites. I gave up talking to him since he I don't think he understands the point I was trying to make about how XSS/SQL exploits are usually unique to the code/site and can't be scanned for.

Anyway, brought back up good memories ( I loved that other thread)... Figured someone here would get a kick out of it too.

-bubbles
http://webmastertutorials.net

Options: ReplyQuote
Re: HackerSafe - revisited
Posted by: Jeffuk
Date: October 21, 2007 03:39PM

I think some XSS could be detected automatically..

Enter <Script>FOO</SCRIPT> plus a few obvious variations ("/><script>.. "<script>... ><script>... etc) in every possible injectable variable; then scan the response for that exact string.. and maybe even run the response through a cut down HTML parser.

Should pick up some possible vulns.. although I wouldn't use it to label anything as 'safe'.

Options: ReplyQuote
Re: HackerSafe - revisited
Posted by: Kyran
Date: October 21, 2007 04:41PM

Completely tossing aside the lack of attack vectors, I don't think there is an automated way to find every single variable that can be injected into.

-- Edit

Also they seem to have the whole security thing backwards. While prevention is nice, there WILL be breaches on any site involving more than one or two coders and even that is questionable. How you respond to the breaches is the key point.

- Kyran



Edited 1 time(s). Last edit at 10/21/2007 04:48PM by Kyran.

Options: ReplyQuote
Re: HackerSafe - revisited
Posted by: hackathology
Date: October 23, 2007 11:21PM

I blogged about hackersafe, they are totally bullshit, just another company that is making use of PCI to earn more $$

http://hackathology.blogspot.com

Options: ReplyQuote
Re: HackerSafe - revisited
Posted by: berz3k1
Date: October 27, 2007 06:18AM

The best manner to obtain data like XSS/SQL is manually maybe a little help like fuzzer/script but never a commercial product i am saying that because my customers sometimes don't have any idea.

-berz3k.

Options: ReplyQuote
Re: HackerSafe - revisited
Posted by: tx
Date: October 30, 2007 12:24PM

http://www.channelregister.co.uk/2007/10/30/mcafee_buys_hackersafe/
Looks like McAfee just shelled out $50m+ for ScanAlert.

-tx @ lowtech-labs.org

Options: ReplyQuote
Re: HackerSafe - revisited
Posted by: hackathology
Date: November 01, 2007 01:03AM

Damn, i just dont get it. What so great abt scanalert?

http://hackathology.blogspot.com

Options: ReplyQuote
Re: HackerSafe - revisited
Posted by: id
Date: November 01, 2007 10:50AM

their customer base, so McAfee can up sell, they weren't bought for their technology.

I should register thisshinnybuttonwillmakeyousecure.com...mmm 50m

-id

Options: ReplyQuote


Sorry, only registered users may post in this forum.