A closer look at the iiscan

The free IIScan was recently announced on the full-disclosure list and I took the time to review it. It was announced as a new-generation web application security platform that detects XSS, SQL injection and similar issues, all online and free.

Let's see how it worked. I ran it against the http://sucuri.net site, and this is what the scanner did:

IP addresses used
It used two IPs: 216.18.22.46 and 58.60.26.171

User agent
This is what its user agent looked like: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"

Actions
It started by checking how the server answers requests for files that cannot exist (to fingerprint the 404 behaviour) and fetching a few initial files:

GET / HTTP/1.0 200
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET /robots.txt HTTP/1.1 404
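The two never_could_exist requests above are the scanner establishing a 404 baseline before it starts guessing file and directory names. As an added example (this is not IIScan's code nor Sucuri's), here is that logic in Python, with constructed response dicts standing in for real HTTP replies. A host that answers every unknown path with 200 and a friendly "page missing" page (a soft 404) would otherwise turn the whole backup-file and directory sweep into false positives, so the check compares the probe responses with each other, after stripping the requested path because such pages often echo it.

```python
from difflib import SequenceMatcher

# Constructed responses for the two baseline probes the post shows.
# Host A: real 404 handling.
HARD_404_PROBES = [
    {"path": "/never_could_exist_file.nosec", "status": 404, "body": "<h1>Not Found</h1>"},
    {"path": "/never_could_exist_file_nosec.aspx", "status": 404, "body": "<h1>Not Found</h1>"},
]
# Host B: a soft 404, answering unknown paths with 200 and a page that echoes the path.
SOFT_404_PROBES = [
    {"path": "/never_could_exist_file.nosec", "status": 200,
     "body": "<html><body>Oops, /never_could_exist_file.nosec is missing. <a href='/'>Home</a></body></html>"},
    {"path": "/never_could_exist_file_nosec.aspx", "status": 200,
     "body": "<html><body>Oops, /never_could_exist_file_nosec.aspx is missing. <a href='/'>Home</a></body></html>"},
]


def normalize(response):
    """Replace the requested path inside the body so echoed paths do not break the comparison."""
    return response["body"].replace(response["path"], "{path}")


def body_similarity(a, b):
    """Ratio in [0, 1] of how alike two bodies are (difflib's gestalt pattern matching)."""
    return SequenceMatcher(None, a, b).ratio()


def assess_baseline(probe_responses, threshold=0.9):
    """Classify a server's handling of paths that cannot exist.

    Returns ("hard", None) when every probe got a 404, ("soft", signature) when every
    probe got a 200 with near-identical normalized bodies, and ("mixed", None) otherwise.
    """
    statuses = {r["status"] for r in probe_responses}
    if statuses == {404}:
        return ("hard", None)
    if statuses == {200}:
        first, *rest = (normalize(r) for r in probe_responses)
        if all(body_similarity(first, b) >= threshold for b in rest):
            return ("soft", first)
    return ("mixed", None)


def is_real_hit(response, baseline, threshold=0.9):
    """Decide whether a 200 for a guessed path is evidence that the file exists."""
    kind, signature = baseline
    if response["status"] != 200:
        return False
    if kind == "soft":
        # A 200 only counts if the body differs from the soft-404 template.
        return body_similarity(normalize(response), signature) < threshold
    if kind == "mixed":
        return False  # inconclusive baseline: treat as unconfirmed, review manually
    return True


if __name__ == "__main__":
    for name, probes in (("host A", HARD_404_PROBES), ("host B", SOFT_404_PROBES)):
        print(name, "->", assess_baseline(probes)[0])
```

On host B a guess such as `/index.php.bak` that returns the same "Oops" template is discarded even though its status is 200, while a 200 whose body is something else entirely (say, PHP source) still counts.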

After that, it tried the PUT, TRACE, TRACK and DELETE methods (sometimes more than once for the same file):

TRACE /TRACE_test HTTP/1.1 200
PUT /jsky_web_scanner_test_file.txt HTTP/1.1 405
PUT /jsky_test.txt HTTP/1.1 405
DELETE /Jsky_test_no_exists_file.txt HTTP/1.1 405
TRACE /TRACE_test HTTP/1.1 200
TRACK /TRACK_test HTTP/1.1 501

After that it tried a few simple XSS probes directly in the request path:

GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404
GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404

Then it looked for common mistakes, such as zipped or backed-up PHP files, exposed logs and so on, and checked for common application directories (wp-content, etc.):

GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET / HTTP/1.0 200
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /sitemap.gz HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET / HTTP/1.0 200
GET /server-info HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET / HTTP/1.0 200
GET /robots.txt HTTP/1.1 404
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET / HTTP/1.1 200
GET /wp-content/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /logfiles/ HTTP/1.1 404
GET / HTTP/1.1 200
GET /index.php.BAK HTTP/1.0 404
PUT /jsky_test.txt HTTP/1.1 405
GET /index.php.zip HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /sitemap.gz HTTP/1.1 404
GET /index.php.BAK HTTP/1.0 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /index.php.zip HTTP/1.0 404
GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET /rss.xml HTTP/1.1 302
GET /index.php.ZIP HTTP/1.0 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /index.php.tar.gz HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /index.php.temp HTTP/1.0 404
GET /server-info HTTP/1.1 404
GET /wp-content/ HTTP/1.1 404
GET /logfiles/ HTTP/1.1 404
GET /index.php.save HTTP/1.0 404
GET /main.css HTTP/1.1 200
GET /index.php.backup HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.orig HTTP/1.0 404
GET /log/ HTTP/1.1 404
GET /index.php~ HTTP/1.0 404
GET /data/ HTTP/1.1 404
GET /logs/ HTTP/1.1 404
GET /index.php~1 HTTP/1.0 404
GET /index.php.cs HTTP/1.0 404
GET /datas/ HTTP/1.1 404
GET /?page=home HTTP/1.1 200
GET /index.php.java HTTP/1.0 404
GET /example/ HTTP/1.1 404
GET /index.php.class HTTP/1.0 404
GET /examples/ HTTP/1.1 404
GET /index.php.rar HTTP/1.0 404
GET /upload/ HTTP/1.1 404
GET /WebService/ HTTP/1.1 404
GET /index.php.tmp HTTP/1.0 404
GET /inc/ HTTP/1.1 404
GET /include/ HTTP/1.1 404
GET /old/ HTTP/1.1 404
GET /manage/ HTTP/1.1 404
GET /db/ HTTP/1.1 404
GET /aspnet/ HTTP/1.1 404
GET /htdocs/ HTTP/1.1 404
GET /conf/ HTTP/1.1 404
GET /config/ HTTP/1.1 404
GET /private/ HTTP/1.1 404
GET /admin/ HTTP/1.1 404
GET /administrator/ HTTP/1.1 404
GET /webadmin/ HTTP/1.1 404
GET /database/ HTTP/1.1 404
GET /samples/ HTTP/1.1 404
GET /member/ HTTP/1.1 404
GET /members/ HTTP/1.1 404
GET /pass.txt HTTP/1.1 404
GET /passwd HTTP/1.1 404
GET /users.txt HTTP/1.1 404
GET /users.ini HTTP/1.1 404
GET /install.log HTTP/1.1 403
GET /database.inc HTTP/1.1 404
GET /.bash_history HTTP/1.1 404
GET /.bashrc HTTP/1.1 404
GET /Web.config HTTP/1.1 404
GET /Global.asax HTTP/1.1 404
GET /Global.asa HTTP/1.1 404
GET /Global.asax.cs HTTP/1.1 404
GET /test.asp HTTP/1.1 404
GET /test.php HTTP/1.1 404
GET /test.jsp HTTP/1.1 404
GET /test.aspx HTTP/1.1 404
GET /admin.asp HTTP/1.1 404
GET /data.mdb HTTP/1.1 404

After that, it detected the site's page structure and tried a few SQL injection, XSS and other attacks against those pages:

GET /index.php?page=scan&page;=scan?scan=88888 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%20and%205=6 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888'%20and%20'5'='6 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888' HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.html?page=home%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=homealert(42873) HTTP/1.1 404
GET /index.html?page=home%2527 HTTP/1.0 404
GET /?page=docs&title;=daily HTTP/1.1 200
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%5C' HTTP/1.0 404
GET /index.html?page=home%5C%22 HTTP/1.0 404
GET /index.html?page=homeJyI%3D HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home%bf%27 HTTP/1.0 404
GET /?page=practical&pid;=13 HTTP/1.1 200
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home/ HTTP/1.0 404
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home%20and%205=6 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404

It also found another page inside (the daily tips) and tried more attacks:

GET /index.html?page=docs&title;=daily' HTTP/1.0 404
GET /index.html?page=docs&title;=daily%2527 HTTP/1.0 404
GET /index.html?page=docs&title;=daily' HTTP/1.0 404
GET /index.html?page=docs&title;=dail y%5C' HTTP/1.0 404
GET /index.html?page=docs&title;=daily%5C%22 HTTP/1.0 404
GET /index.html?page=docs&title;=dailyJyI%3D HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title;=daily%bf%27 HTTP/1.0 404
GET /index.html?page=docs&title;=daily HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title;=daily/ HTTP/1.0 404
GET /index.html?page=docs&title;=daily HTTP/1.0 404
GET /index.html?page=docs&title;=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title;=daily%20and%205=6 HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=docs&title;=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title;=daily%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title;=daily' HTTP/1.0 404
GET /index.html?page=docs&title;=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title;=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=practical&pid;=13alert(42873) HTTP/1.1 404
GET /index.html?page=practical&pid;=13' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%2527 HTTP/1.0 404
GET /index.html?page=practical&pid;=13' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%5C' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%5C%22 HTTP/1.0 404
GET /index.html?page=practical&pid;=13JyI%3D HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%bf%27 HTTP/1.0 404
GET /index.html?page=practical&pid;=13 HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid;=13/ HTTP/1.0 404
GET /index.html?page=practical&pid;=13 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%20and%205=6 HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid;=13' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404

And that was the whole scan. The only issue it found was that we allowed the TRACE method, but I think it did a good job of looking for different types of vulnerabilities.
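From the defender's side, the patterns listed above are easy to pick out of an access log: the NOSEC.JSky user agent, the never_could_exist / jsky_test canary names, the TRACE/PUT/DELETE method checks, the <script>alert() markers, the .bak/.zip backup suffixes, and the paired "and 5=5" / "and 5=6" boolean SQL-injection probes (the scanner sends a true and a false condition for the same parameter and compares the responses). The following is an added example, not Sucuri's code: a small Python detector run over constructed combined-format log lines that mirror the requests in this post. The IPs, timestamps and byte counts are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# User agent exactly as quoted in the post; the scanner-specific token is the suffix.
JSKY_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
           ".NET CLR 2.0.50727) NOSEC.JSky/1.0")
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"  # constructed
SCANNER_IP, USER_IP = "203.0.113.10", "198.51.100.7"       # documentation-range IPs


def _line(n, ip, method, target, proto, status, ua):
    """Build one constructed Apache combined-format log line."""
    return (f'{ip} - - [22/Jan/2010:10:00:{n:02d} +0000] '
            f'"{method} {target} {proto}" {status} 210 "-" "{ua}"')


# Constructed sample log mirroring the request types seen in the post.
SAMPLE_LOG = "\n".join(_line(i, *args) for i, args in enumerate([
    (SCANNER_IP, "GET", "/", "HTTP/1.0", 200, JSKY_UA),
    (SCANNER_IP, "GET", "/never_could_exist_file.nosec", "HTTP/1.0", 404, JSKY_UA),
    (SCANNER_IP, "TRACE", "/TRACE_test", "HTTP/1.1", 200, JSKY_UA),
    (SCANNER_IP, "PUT", "/jsky_test.txt", "HTTP/1.1", 405, JSKY_UA),
    (SCANNER_IP, "GET", "/%3Cscript%3Ealert(42873)", "HTTP/1.1", 404, JSKY_UA),
    (SCANNER_IP, "GET", "/index.php.bak", "HTTP/1.0", 404, JSKY_UA),
    (SCANNER_IP, "GET", "/index.html?page=home%20and%205=5", "HTTP/1.0", 404, JSKY_UA),
    (SCANNER_IP, "GET", "/index.html?page=home%20and%205=6", "HTTP/1.0", 404, JSKY_UA),
    (USER_IP, "GET", "/?page=home", "HTTP/1.1", 200, BROWSER_UA),
]))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures taken from the requests the post lists.
SCANNER_UA_MARKERS = ("NOSEC.JSky",)
DANGEROUS_METHODS = {"TRACE", "TRACK", "PUT", "DELETE"}
CANARY_NAME = re.compile(r"never_could_exist_file|jsky_test|TRACE_test|TRACK_test", re.I)
XSS_MARKER = re.compile(r"<script|alert\(\d+\)", re.I)
BACKUP_SUFFIX = re.compile(r"\.(bak|backup|zip|rar|tar\.gz|orig|save|tmp|temp|old)$|~\d*$", re.I)
BOOL_SQLI = re.compile(r"\band\s+'?(\d+)'?\s*=\s*'?(\d+)", re.I)


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def classify(entry):
    """Return the set of scanner-behaviour tags that apply to one log entry."""
    tags = set()
    target = unquote(entry["target"])      # decode %3C etc. before matching
    path = target.split("?", 1)[0]
    if any(marker in entry["ua"] for marker in SCANNER_UA_MARKERS):
        tags.add("scanner-ua")
    if entry["method"] in DANGEROUS_METHODS:
        tags.add("method-probe")
    if CANARY_NAME.search(target):
        tags.add("canary-name")
    if XSS_MARKER.search(target):
        tags.add("xss-probe")
    if BACKUP_SUFFIX.search(path):
        tags.add("backup-file-probe")
    if BOOL_SQLI.search(target):
        tags.add("sqli-probe")
    return tags


def sqli_pairs(entries):
    """Find (ip, request prefix) pairs for which both a true (n=n) and a false (n=m)
    boolean condition were sent: the signature of a blind SQL-injection check."""
    seen = defaultdict(set)
    for e in entries:
        target = unquote(e["target"])
        m = BOOL_SQLI.search(target)
        if not m:
            continue
        key = (e["ip"], target[:m.start()].rstrip())
        seen[key].add("true" if m.group(1) == m.group(2) else "false")
    return sorted(k for k, v in seen.items() if v == {"true", "false"})


def summarize(log_text):
    """Per-IP tag counts plus the boolean SQLi pairs found in the log."""
    entries = parse(log_text)
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in entries:
        for tag in classify(e):
            per_ip[e["ip"]][tag] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}, sqli_pairs(entries)


def suspicious_ips(log_text, min_distinct_tags=2):
    """IPs showing at least two distinct scanner behaviours, or a full SQLi true/false pair."""
    counts, pairs = summarize(log_text)
    pair_ips = {ip for ip, _ in pairs}
    return sorted(ip for ip, c in counts.items()
                  if len(c) >= min_distinct_tags or ip in pair_ips)


if __name__ == "__main__":
    counts, pairs = summarize(SAMPLE_LOG)
    for ip, tags in counts.items():
        print(ip, tags)
    print("boolean SQLi pairs:", pairs)
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

The user-agent match alone is the weakest signal, since it is trivial to change; the method probes, canary names and true/false request pairs hold up even when the agent string is replaced, which is why the verdict requires more than one kind of evidence.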

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • http://www.pentestit.com Black

    I concur! Their machine is VERY intrusive. My 404s shot up to around 154 MBs. Of course, I know that about 20 MBs of those 404s were due to trial and error by "everyone else".

  • Rasmus

    Some of those requests seem quite broken if they were logged correctly:

    GET /index.php?page=scan&page;=scan?scan=88888

    What's with the double ? there?

  • http://twitter.com/napolebsis napolebsis

    Hi, do you perhaps have an invite code left for me? I searched the web for nearly an hour or so but didn't find one that worked. Would be fantastic!

    Thanks in advance! :)

  • http://sucuri.net dd@sucuri.net

    Rasmus: Yes, those are posted exactly how they were executed…

    napolebsis: try: d560e07a3b8aac06 it is the last one I have left…

  • http://bothunters.pl Borys Łącki

    Maybe this double check is an HTTP PARAMETER POLLUTION test…

  • http://www.mtl-services.com MTL-Services

    Hey there,
    Does anyone have an invite code left? All codes I found on the internet were already used.
    Thanks for your help!

  • http://www.blogger.com/profile/05044980262598010701 Junior

    Anyone know how to get the codes or have any left?

    Help…

    Thank you.

  • http://www.blogger.com/profile/06950680233029380929 Marc Ruef

    Hello,

    Nice technical analysis, I like it!

    Today, I have published another review in our labs blog. Unfortunately, it is in German only ;(!

    http://www.scip.ch/?labs.20100122

    Regards,

    Marc