Thanks for responding. There is a free scan, which shows almost everything you would get if you bought, minus the actionable information. More suggestions on how to sell/show information it are very welcome!
It shouldn't... I have scanned several hundred sites through Beta without any impact. Some blogs which are not well configured slow down (working to fix)
I was just joking, our site is fairly robust (if it crashes and burns it should come right back up). I just tried to purchase a paid scan, but your checkout was down. I'll try again later.
Ouch.. had to bounce Apache, but not sure what caused that... other sites on the same host have had a few thousand hits in a couple hours. Maybe more traffic than expected this morning
I just scanned my personal site. It came back saying 1 directory traversal problem and 1 interesting file, and that if I wanted to find out what they were, I'd have to pay. And good grief, there's a lot of text there.
To me, that just seems scammy. As in "click here for your free credit report... oh! We've found problems. Pay to see what they are!"
Looking through my web server logs I'm not quite sure what the problems are, or how you determined I had the problem. Did I maybe return an error message with a 200 status code instead of a 403 forbidden? I've got some redirects on my site, did you take the 301 as a bad sign?
Looks like you're using skipfish for the scanning engine?
Who is your target market? I could see companies using something like this to fill the box on PCI compliance, but would need a lot more control over the report (eg "get rid of that low category") and would need a lot more details about how the scan was performed in order to satisfy an auditor. People who just want to display a seal on their signup page will want something a lot more low key, and already have lower cost options.
Just to follow up on myself, I installed skipfish and ran it against my site in the easiest mode (./skipfish -W /dev/null -LV -o rpt http://example.com)
* I got the same two errors and they were completely benign. The directory traversal problem was just Wordpress returning some data. The "interesting file" was a blog post that had some SQL in it. I'm not sure if they're the same that you found. But if I would have paid for the scan and they turned out to be the same two errors, I would have been pretty angry.
* Skipfish came back with some actual interesting things like embedded scripts and forms without xsrf protection. The embedded scripts were ok (ad/tracking codes), but the forms would have been an interesting thing to note.
Thanks for the feedback! I have been considering alternate tactics, such as showing low/medium risk issues but not high risk, or just selling the free scan as a high level scan which doesn't complete any in depth testing.
Yes, I use skipfish for some tests, though I customized parts of it (it has an amazing web crawler). I also use proprietary scan technology, and plan to add a few more open source tools into the mix (such as port/service and virus scanning) in the not so distant future to create one combined risk/vulnerability report.
interesting file is typically a text file, unsecured htaccess file, or sometimes 500 error messages. If you tell me your site, I will check for you.
target market is small business, medium size business, or individual site owners - mostly those who don't maintain a full time IT security staff but want some visibility into their site risks. Eventually I may add PCI checks, but that is a huge compliance/paper cost which is tough for a one man shop to keep up with.
I just tried the site from my phone, and had a couple issues. First, the main report page is in flash, so I couldn't see it. That's not a big deal since I can look at the other links at the top of the page to see the results. But on these pages, the vulnerabilities are shown as a collapsed category. When I try to open them, they close back up immediately so I can't read them.
I have to admit I didn't test with mobile devices for launch, trying to get it out the door. What phone are you using? iPhone/Android/Windows? I'll work on the expand/collapse JavaScript for phones
Thanks, I'll have to fix that. Seems my scan queue has grown out of control since this morning, so I apologize the queue wait time is running at about 30 minutes now...
I like it, and it amused the more suspicious part of me to think that it might just be a way of gathering a database of vulnerable sites without having to put in the effort yourself.
On your "before you scan page", you might want to mention the possibility of a large number of emails, because it can come as a bit of a surprise.
And you might want to limit the number pages on an initial scan because big sites seem to take a hell of a lot longer to process (an I apologise right now for being a bottleneck). I concur with Marketer the possibility of emailed results would be a real benefit.
Is the monthly plan intended to cater to individual sites, or is it aimed at web designers who might be interested in scanning their creations for vulnerabilities? If web designers do feature at all they might appreciate some sort of test data they could print out and hand to clients as evidence of security.
28 comments
[ 3.4 ms ] story [ 62.9 ms ] thread(at myself)
http://i.imgur.com/Y6pXS.png
To me, that just seems scammy. As in "click here for your free credit report... oh! We've found problems. Pay to see what they are!"
Looking through my web server logs I'm not quite sure what the problems are, or how you determined I had the problem. Did I maybe return an error message with a 200 status code instead of a 403 forbidden? I've got some redirects on my site, did you take the 301 as a bad sign?
Looks like you're using skipfish for the scanning engine?
Who is your target market? I could see companies using something like this to fill the box on PCI compliance, but would need a lot more control over the report (eg "get rid of that low category") and would need a lot more details about how the scan was performed in order to satisfy an auditor. People who just want to display a seal on their signup page will want something a lot more low key, and already have lower cost options.
* I got the same two errors and they were completely benign. The directory traversal problem was just Wordpress returning some data. The "interesting file" was a blog post that had some SQL in it. I'm not sure if they're the same that you found. But if I would have paid for the scan and they turned out to be the same two errors, I would have been pretty angry.
* Skipfish came back with some actual interesting things like embedded scripts and forms without xsrf protection. The embedded scripts were ok (ad/tracking codes), but the forms would have been an interesting thing to note.
Yes, I use skipfish for some tests, though I customized parts of it (it has an amazing web crawler). I also use proprietary scan technology, and plan to add a few more open source tools into the mix (such as port/service and virus scanning) in the not so distant future to create one combined risk/vulnerability report.
interesting file is typically a text file, unsecured htaccess file, or sometimes 500 error messages. If you tell me your site, I will check for you.
target market is small business, medium size business, or individual site owners - mostly those who don't maintain a full time IT security staff but want some visibility into their site risks. Eventually I may add PCI checks, but that is a huge compliance/paper cost which is tough for a one man shop to keep up with.
otherwise, the site looked good.
I just got spammed with like 300 emails from your site.
Is that what its suppose to do?
note to self, add a queue list to scan page..
On your "before you scan page", you might want to mention the possibility of a large number of emails, because it can come as a bit of a surprise.
And you might want to limit the number pages on an initial scan because big sites seem to take a hell of a lot longer to process (an I apologise right now for being a bottleneck). I concur with Marketer the possibility of emailed results would be a real benefit.
Is the monthly plan intended to cater to individual sites, or is it aimed at web designers who might be interested in scanning their creations for vulnerabilities? If web designers do feature at all they might appreciate some sort of test data they could print out and hand to clients as evidence of security.