A closer look at the iiscan

The free IIScan was recently announced on the full-disclosure list and I took the time to review it. They announced it as a new generation web app security platform to detect XSS, sql injection, etc. All online and free.

Let’s see how it worked… I tried it against the http://sucuri.net site and that’s what they did:

IP addresses used
They used two ips: 216.18.22.46 and 58.60.26.171

User agent
That’s what their user agent looked like: “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0”

Actions
They started by trying to check the 404 results and getting a few initial files:

GET / HTTP/1.0 200
GET /never_could_exist_file.nosec HTTP/1.0 404 
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET /robots.txt HTTP/1.1 404

After that, they tried the PUT, TRACE, TRACK and DELETE methods (sometimes more than once for the same file):

TRACE /TRACE_test HTTP/1.1 200
PUT /jsky_web_scanner_test_file.txt HTTP/1.1 405
PUT /jsky_test.txt HTTP/1.1 405
DELETE /Jsky_test_no_exists_file.txt HTTP/1.1 405
TRACE /TRACE_test HTTP/1.1 200
TRACK /TRACK_test HTTP/1.1 501

After that they tried a few more simple attacks:

GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404
GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404

Then looked for common mistakes, like zipped php files, logs expose, etc. Plus it checked for common application directories (wp-content, etc):


GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET / HTTP/1.0 200
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /sitemap.gz HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET / HTTP/1.0 200
GET /server-info HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET / HTTP/1.0 200
GET /robots.txt HTTP/1.1 404
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET / HTTP/1.1 200
GET /wp-content/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /logfiles/ HTTP/1.1 404
GET / HTTP/1.1 200
GET /index.php.BAK HTTP/1.0 404
PUT /jsky_test.txt HTTP/1.1 405
GET /index.php.zip HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /sitemap.gz HTTP/1.1 404
GET /index.php.BAK HTTP/1.0 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /index.php.zip HTTP/1.0 404
GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET /rss.xml HTTP/1.1 302
GET /index.php.ZIP HTTP/1.0 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /index.php.tar.gz HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /index.php.temp HTTP/1.0 404
GET /server-info HTTP/1.1 404
GET /wp-content/ HTTP/1.1 404
GET /logfiles/ HTTP/1.1 404
GET /index.php.save HTTP/1.0 404
GET /main.css HTTP/1.1 200
GET /index.php.backup HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.orig HTTP/1.0 404
GET /log/ HTTP/1.1 404
GET /index.php~ HTTP/1.0 404
GET /data/ HTTP/1.1 404
GET /logs/ HTTP/1.1 404
GET /index.php~1 HTTP/1.0 404
GET /index.php.cs HTTP/1.0 404
GET /datas/ HTTP/1.1 404
GET /?page=home HTTP/1.1 200
GET /index.php.java HTTP/1.0 404
GET /example/ HTTP/1.1 404
GET /index.php.class HTTP/1.0 404
GET /examples/ HTTP/1.1 404
GET /index.php.rar HTTP/1.0 404
GET /upload/ HTTP/1.1 404
GET /WebService/ HTTP/1.1 404
GET /index.php.tmp HTTP/1.0 404
GET /inc/ HTTP/1.1 404
GET /include/ HTTP/1.1 404
GET /old/ HTTP/1.1 404
GET /manage/ HTTP/1.1 404
GET /db/ HTTP/1.1 404
GET /aspnet/ HTTP/1.1 404
GET /htdocs/ HTTP/1.1 404
GET /conf/ HTTP/1.1 404
GET /config/ HTTP/1.1 404
GET /private/ HTTP/1.1 404
GET /admin/ HTTP/1.1 404
GET /administrator/ HTTP/1.1 404
GET /webadmin/ HTTP/1.1 404
GET /database/ HTTP/1.1 404
GET /samples/ HTTP/1.1 404
GET /member/ HTTP/1.1 404
GET /members/ HTTP/1.1 404
GET /pass.txt HTTP/1.1 404
GET /passwd HTTP/1.1 404
GET /users.txt HTTP/1.1 404
GET /users.ini HTTP/1.1 404
GET /install.log HTTP/1.1 403
GET /database.inc HTTP/1.1 404
GET /.bash_history HTTP/1.1 404
GET /.bashrc HTTP/1.1 404
GET /Web.config HTTP/1.1 404
GET /Global.asax HTTP/1.1 404
GET /Global.asa HTTP/1.1 404
GET /Global.asax.cs HTTP/1.1 404
GET /test.asp HTTP/1.1 404
GET /test.php HTTP/1.1 404
GET /test.jsp HTTP/1.1 404
GET /test.aspx HTTP/1.1 404
GET /admin.asp HTTP/1.1 404
GET /data.mdb HTTP/1.1 404

After that, they detected my page structure and tried a few SQL injections, XSS and other attacks on them:

GET /index.php?page=scan&page;=scan?scan=88888 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%20and%205=6 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888'%20and%20'5'='6 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888' HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page;=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.html?page=home%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=homealert(42873) HTTP/1.1 404
GET /index.html?page=home%2527 HTTP/1.0 404
GET /?page=docs&title;=daily HTTP/1.1 200
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%5C' HTTP/1.0 404
GET /index.html?page=home%5C%22 HTTP/1.0 404
GET /index.html?page=homeJyI%3D HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home%bf%27 HTTP/1.0 404
GET /?page=practical&pid;=13 HTTP/1.1 200
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home/ HTTP/1.0 404
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home%20and%205=6 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404

They also found another page inside (the daily tips) and tried more attacks:

GET /index.html?page=docs&title;=daily' HTTP/1.0 404
GET /index.html?page=docs&title;=daily%2527 HTTP/1.0 404
GET /index.html?page=docs&title;=daily' HTTP/1.0 404
GET /index.html?page=docs&title;=dail
y%5C' HTTP/1.0 404
GET /index.html?page=docs&title;=daily%5C%22 HTTP/1.0 404
GET /index.html?page=docs&title;=dailyJyI%3D HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title;=daily%bf%27 HTTP/1.0 404
GET /index.html?page=docs&title;=daily HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title;=daily/ HTTP/1.0 404
GET /index.html?page=docs&title;=daily HTTP/1.0 404
GET /index.html?page=docs&title;=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title;=daily%20and%205=6 HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=docs&title;=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title;=daily%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title;=daily' HTTP/1.0 404
GET /index.html?page=docs&title;=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title;=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title;=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=practical&pid;=13alert(42873) HTTP/1.1 404
GET /index.html?page=practical&pid;=13' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%2527 HTTP/1.0 404
GET /index.html?page=practical&pid;=13' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%5C' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%5C%22 HTTP/1.0 404
GET /index.html?page=practical&pid;=13JyI%3D HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%bf%27 HTTP/1.0 404
GET /index.html?page=practical&pid;=13 HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid;=13/ HTTP/1.0 404
GET /index.html?page=practical&pid;=13 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%20and%205=6 HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid;=13' HTTP/1.0 404
GET /index.html?page=practical&pid;=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid;=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid;=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404

And that was the whole scan. The only issue they found was that we allowed the TRACE method, but I think they did a good job looking for different types of vulnerabilities.

8 comments

Black says:
January 9, 2010 at 10:42 am
I concur! Their machine is VERY intrusive. My 404's shot up to around 154 MB's. Of course, I know that about 20 MB's of them 404's was due to trial and errors of "every one else".
Rasmus says:
January 9, 2010 at 12:44 pm
Some of those requests seem quite broken if they were logged correctly:
GET /index.php?page=scan&page;=scan?scan=88888
What's with the double ? there?
napolebsis says:
January 9, 2010 at 1:58 pm
Hy, do you probably have an invite code left for me? Searched the web for nearly an hour or so but didn't find one which worked.. Would be fantastic!
Thanks in advance! 🙂
dd@sucuri.net says:
January 9, 2010 at 2:09 pm
Rasmus: Yes, those are posted exactly how they were executed…
napolebsis: try: d560e07a3b8aac06 it is the last one I have left…
Borys Łącki says:
January 10, 2010 at 6:58 pm
Maybe this double check is – HTTP PARAMETER POLLUTION test…
MTL-Services says:
January 11, 2010 at 5:51 pm
Hey there,
does anyone have an invite code left? All codes I found on the internet were already used.
Thanks for your help!
Junior says:
January 12, 2010 at 3:06 pm
Anyone know how to get the codes or have any left?
Help…
Thanks you.
Marc Ruef says:
January 22, 2010 at 1:52 am
Hello,
Nice technical analysis, I like it!
Today, I have published another review in our labs blog. Unfortunately, it is on German only ;( !
http://www.scip.ch/?labs.20100122
Regards,
Marc