Show HN: Check for web application security issues.

Show HN: Check for web application security issues.(webscanservice.com)

23 points by mcorrientes 14 years ago | 25 comments

tptacek 14 years ago |

I can see you're not really selling to an informed audience (and that's fine!) but I really think you want to sacrifice some of the Google-like simplicity of your front page to explain what, exactly, you're testing on target sites.

Some reasons to at least give broad strokes about how you're testing:

(i) Testing for some kinds of web flaws is inherently intrusive; for instance, it's very hard to reliably test for stored XSS without potentially disrupting an application for users.

(ii) Aggressive spidering will create performance issues for some clients, and "oh well you should have known better" isn't going to stanch the PR bleeding when you take someone's site down.

(iii) If you're doing authz testing, you will eventually find a site where a post-auth crawl will delete huge swaths of database entries because someone implemented "delete" as a vanilla GET link.

(iv) (To me, the most important) Lots of uninformed clients will run something like this and feel confident they've checked the "security" part of their deployment checklist; without knowing exactly what you're testing for (and ideally being up front about the things you don't test for), you can give clients a really dangerous false confidence.

jay_l 14 years ago | |

I agree with this. I think many users won't be willing to go through with the verification step unless they have some clue about what this site actually does.

After all, you're targeting users who, even if they aren't incredibly informed, at least have enough technical savvy to be running a site.

Natsu 14 years ago | |

You're absolutely right. It's important for people to know what you're testing. Point (iii) in particular is all too real:

http://thedailywtf.com/Articles/The_Spider_of_Doom.aspx

pors 14 years ago |

> Please create a "webscan.html" file with the content "scanme"

I advice you to make the contents of this file unique for each website, otherwise:

- i can check 1000s of sites for the existence of webscan.html

- enter the sites that have such a file

- see the vulnerabilities of sites I don't own.

swalberg 14 years ago | |

I think you mean the file name, not the contents.

borski 14 years ago | | |

Actually, filename wouldn't work because some sites just return 200 instead of a 404, against the standards.

pors 14 years ago | | |

At least one of them :)

mcorrientes 14 years ago | |

Good point. I'll fix that. Thank you.

TomGullen 14 years ago |

Doesn't work. I add the webscan.html file then scan again and get an empty response every time. URL is https://www.webscanservice.com/index.php/startscan as well I don't know if that's correct or not.

mcorrientes 14 years ago | |

I'm sorry for the circumstances, it should work now.

sgerrand 14 years ago | |

I experienced the same issue.

melvinram 14 years ago | |

Same here.

TomGullen 14 years ago | | |

Not sure why it's front page and getting upvoted when it doesn't do anything at all. Seems like a good idea though if it works, curious to see what sort of things it checks for.

borski 14 years ago |

Happy to see more people who care about security. We run a seemingly similar service, although I can't seem to get this one working. I'd definitely check out other ways of verifying the domain though, since this leaves all your customers open to the Google Hacking of searching for webscan.html for sites a hacker can toss through your system.

http://www.tinfoilsecurity.com

xd 14 years ago |

I'm attempting to scan a site that is accessed via https but it seems to default to http.

gws 14 years ago |

it just opens a blank page...(https://www.webscanservice.com/index.php/startscan)

mcorrientes 14 years ago |

I'm sorry if your scan might take a while, the machine just can't handle this amount of traffic.

vineetdhanawat 14 years ago |

Nothing! Just a blank page.

Gigablah 14 years ago |

Where's the button to stop a scan?

aninimus 14 years ago |

You should update "Log" tab with "Scan Queued ETA: X" and/or "Scan Started". How long should it take to start scanning?

shakesbeard 14 years ago |

FYI: Seems to work now.

borski 14 years ago | |

Have you actually gotten any results? I just get a nav bar with nothing in any of the tabs.

shakesbeard 14 years ago | | |

Yes. Just wait some minutes. I guess the server is under heavy load.

Got some false positives though. For example "PHP Admin Application" and "PHP Debug Application" for files <root>/admin.php and <root>/debug.php which both do not exist actually.

clone1018 14 years ago |

Noticed the site is super slow, if you need help hosting this just let me know.

billpatrianakos 14 years ago |

I wasn't able to try yet because of the required file but it looks cool so far. So far I'd suggest letting people know they need to add the webcam file first. Or if that's already there make it more prominent as its not really obvious. I'm checking it out on my iPad, maybe the desktop version makes that point clearer.