Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
AlertSite
Posted by: digi7al64
Date: December 26, 2006 07:39PM

http://www.alertsite.com/



Quote

AlertSite Security Vulnerability Scan identifies vulnerabilities real-time, categorizes the risks and then provides recommendations and solutions for improvement. Our powerful, up-to-date and easy-to-use remote security scan ensures your web sites, servers, routers, firewalls and Internet-connected devices are free of known vulnerabilities and pass the SANS Top 20 Internet Security Vulnerabilities as defined by SANS, the FBI and FedCIRC.


Ok, so they don't scan for xss, csrf or sql injections... but given that they have a shiny gif on your site, you could be forgiven for thinking (if you don't know anything about Web App Sec) you were safe using a site that has this service ($50 a month for a daily scan).

Also, I believe the text poses a bigger question: "what do we categorize as known vulnerabilities?" Everybody seems to scan for known vulnerabilities, yet a common xss injection still manages to evade them.


Quote

Consumers who use their credit cards online want assurance their account information is safe.

http://www.autoeurope.com/sweepsform.cfm?email=%22><script>alert('xss');</script>

real safe!

Customer list
http://www.google.com/search?q=alertsite.com/security_seal/verify/&hl=en&lr=&filter=0

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: AlertSite
Posted by: WhiteAcid
Date: December 26, 2006 07:52PM

How about we inform alertsite about the flaw also CCing it to autoeurope?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: AlertSite
Posted by: jungsonn
Date: December 26, 2006 08:00PM

Yah, this is getting to me; I think I'm going to write a large blog item about these false prophets soon. I really feel the need to do it. Those companies make big bucks by selling hot air.

Re: AlertSite
Posted by: Mephisto
Date: December 26, 2006 08:50PM

OMG...Not another "We prevent hackers" scanning service...Didn't we already beat the other two into submission?!

Re: AlertSite
Posted by: bubbles
Date: December 26, 2006 09:29PM

Man Im so excited I get to post on this one!!!!!11111oneone

http://search.lunawarehouse.com/?catalog=yhst-10635190115570&query=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&x=0&y=0

-bubbles
http://webmastertutorials.net

Re: AlertSite
Posted by: kuza55
Date: December 26, 2006 09:53PM

digi7al64 Wrote:
-------------------------------------------------------
> Ok, so they don't scan for xss, csrf or sql
> injections...

Which they really should scan for considering all of those and a few more are on the SANS Top 20 Attack targets list for 2006: http://www.sans.org/top20/#c1

But I seriously doubt that constantly disclosing vulnerabilities in the sites they have scanned is going to make them do anything. Sure it pisses us off that there are sites claiming that they can prove you are secure because they ran a scan, but unless we are able to convince people, not that it doesn't work, but that it is bad for business, we're not going to get anywhere.

Because quite frankly I'm sure most places won't remove the gif because it gives their customers peace of mind, even when there is none to be had. And then when you do get attacked, it looks like you were trying to take measures against these kinds of things, and you don't lose too many customers because of lax security. So from a business perspective it makes sense to have a shiny gif, whether it means anything or not.

Re: AlertSite
Posted by: digi7al64
Date: December 26, 2006 10:27PM

I agree with you kuza55 - FD on the sites using these products is more than likely not going to change anything from a commercial perspective... but sooner or later (hopefully) mainstream media will start to take notice and hopefully more people will become aware.

So far we have successfully targeted the following sites which at a minimum would cover at least 100,000 sites between them. So, given on average I've had a 50% strike rate in my testing, we could assume 50,000 of them are vulnerable one way or another. Now consider if each had a minimum user base of 100 users that puts the total users at risk to be around 5,000,000 users (sweet pickings for a cyber-crim).

> AlertSite
> HackerSafe
> ControlScan, and
> HackerGuard

Either way though, the problem I see in the future is that hackers will eventually begin targeting these sites more frequently. It makes sense: the admins believe they are secure, so traffic analysis for attacks and code auditing etc. for vulnerabilities are less likely to occur. Target lists can be found in seconds with simple google dorks, and you can bet the sites won't be publishing a news item about how they were hacked.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: AlertSite
Posted by: kane_666
Date: December 26, 2006 10:51PM

For a company selling web site security they should really secure their own...

http://www.alertsite.com/

On the left column you'll see a Subscribe to their emailing list.
Put in:

"><script>alert('xss')</script>

lol :P

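The two reflections quoted in this thread (digi7al64's `sweepsform.cfm?email=` parameter and kane_666's subscribe field) are the same defect: a query parameter interpolated into a double-quoted HTML attribute without output encoding, so a leading `"` closes the attribute and `>` closes the tag. The following is an added example and not code from the thread or from any of the sites named in it; the hostname `example.invalid` and the form markup are constructed, only the field name and the payload follow the posts above. It renders the same value both the vulnerable way and with `html.escape(quote=True)`, then uses the standard-library HTML parser as a check for whether the reflected text actually produced a new element.

```python
"""Reflected XSS in an HTML attribute: the vulnerable rendering beside its
hardened form, plus a parser-based check that a defender can run on any
rendered fragment. Constructed example; the field name `email` and the
payload follow the sla.ckers thread, the host and markup are made up."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request. The payload is the one quoted in the thread, fully
# percent-encoded so that parse_qs does not split it on stray delimiters.
SAMPLE_URL = (
    "http://example.invalid/sweepsform.cfm"
    "?email=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
)

FORM_TEMPLATE = '<input type="text" name="email" value="%s">'


def email_param(url):
    """Return the decoded `email` query parameter (empty string if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("email", [""])[0]


def render_unsafe(value):
    """Vulnerable: raw interpolation into a double-quoted attribute."""
    return FORM_TEMPLATE % value


def render_safe(value):
    """Hardened: HTML-escape with quote=True so `"` becomes &quot; and `<`
    becomes &lt;, leaving the attacker-controlled text inert inside the
    attribute value."""
    return FORM_TEMPLATE % escape(value, quote=True)


class TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Tags that a rendered fragment actually creates. A correctly encoded
    reflection yields only the tags present in the template."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def reflects_script(fragment):
    """True when the reflected input created a <script> element, i.e. the
    encoding failed. Use this as the assertion in an output-encoding test."""
    return "script" in tags_in(fragment)


if __name__ == "__main__":
    value = email_param(SAMPLE_URL)
    print("unsafe :", render_unsafe(value), reflects_script(render_unsafe(value)))
    print("safe   :", render_safe(value), reflects_script(render_safe(value)))
```

The parser check is deliberately independent of the rendering code: it asks what elements the markup produces rather than searching for the literal string `<script>`, so it also flags a reflection that breaks out with a different tag name, and it reports nothing for the escaped version because the only element left is the template's own `<input>`.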
Re: AlertSite
Posted by: jungsonn
Date: December 27, 2006 08:15AM

If we were ultra, ultra smart we would start such a company together here, which offers a REAL scan service. We could make big bucks my friends ;)

Re: AlertSite
Posted by: jungsonn
Date: December 27, 2006 11:19AM

@kuza55 who wrote:
Quote

Sure it pisses us off that there are sites claiming that they can prove you are secure because they ran a scan,

Yep! It only proves how little they actually know about web-security. Anyone who thinks that only a scan is going to save the day has to look deeper into the matter.

@digi
Quote

It makes sense, the admins believe they are secure so traffic analysis for attacks and code auditing etc for vulnerabilities are less likely to occur.
Correct, it doesn't keep them on their toes anymore.

Re: AlertSite
Posted by: Kyran
Date: December 27, 2006 04:21PM

SnakeOil.gif. Sounds like a nice product to sell.

- Kyran

Re: AlertSite
Posted by: nEUrOO
Date: December 27, 2006 04:43PM

jungsonn Wrote:
-------------------------------------------------------
> Yep! It only proves how little they actually know
> about web-security. Anyone who thinks that only
> scan is going to save the day, has to look deeper
> into the matter.
Oh yeah, and this is very frustrating! Tools are expensive and you can easily do better with often simple actions. I hope it will change, but it seems not realistic.

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher
