Web Monitoring

FotoCurious

XSS and SQLi Scanner

Online XSS and SQLi Scanner for PHP projects

Find Monitoring

Website monitoring, shell detector

HTML Validator

Simple HTML Validator, only unclosed tags will be checked

News by tag - news

A new version of the scanner 0.4.0


There are two pieces of news, and you may choose which one to read first. The first is a new version of the scanner; the second is the scanner's transition to a paid mode. Perhaps we should start with the latter.
Paid mode works as follows. The general scan report remains free of charge: it gives the number of Errors (XSS and SQL Injection) and Warnings (which, starting with version 0.4.0, should be treated with the same attention as Errors). The maximum size of the ZIP archive for scanning is unchanged, up to 10 MB. To view the full scan report once, you need to send an SMS (the price is symbolic). VIP status (for a day or for 3 days of scanning) is still available: you have to register and pay via SMS or PayPal. The referral system continues to operate, and you receive 1 day of VIP for each referred user. If you place your referral link on your site or forum, you should have no trouble keeping your VIP status. The referral link is in your account profile.

The site MySQL.com has been hacked


If you have already read our funny and absurd story, you may have noticed that we didn't mention any names. The heroes of today's news, on the other hand, are probably known to the whole world. The Romanian hackers TinKode and Ne0h hacked the MySQL.com and Sun.com sites. Moreover, the hacking was performed by means of that very SQL Injection which our website is specifically meant to fight!
Through this vulnerability the hackers obtained a list of the databases and table contents used by the site, as well as the tables containing user information: their logins and passwords.
Furthermore, back in January an XSS vulnerability had already been discovered on the authoritative MySQL.com website, which made it possible to attack the site using cross-site scripting.

New Version 0.3.3

In the past month the scanner core has been upgraded from 0.3.0 to 0.3.3. Versions 0.3.1 and 0.3.2 contained only core optimization. Version 0.3.3 brings some important changes. The report interface now shows the name of the variable that makes the code vulnerable, which is a big help in fixing the problem. The occurrence of Warning statuses has been reduced by 90%. As a reminder, a Warning status means that the scanner was unable to trace the code fully but could not classify it as safe either. The quantity and relevance of detected vulnerabilities has increased by 10-20%.

Funny and absurd story

Our scanner is very popular among owners of sites built on open-source CMSs, which stands to reason. Once, one of the owners of such a site used our services and, when he found lots of vulnerabilities, wrote about it somewhat indignantly on the forum of the CMS developers. It would have made sense for the developers to verify the accuracy of his comments, remove the vulnerabilities (we found over 700 XSS vulnerabilities and SQL injections!) and thank their client for notifying them in a timely way. But the CMS developers (whose names we will leave undisclosed), without even taking the trouble to check whether their client was right, concluded that no scanner can possibly find any vulnerabilities. We didn't try to prove them wrong on the forum. But we feel sincerely sorry for such self-confident developers, and even more for their trusting clients. This example is purely educational: don't repeat their mistake, check your project. What do you have to lose? The scan takes 2 minutes. Maybe you will spend one more minute opening a file with one of the detected vulnerabilities to verify whether the scanner has made an error or not. Check and see for yourself!

Copyright © 2010 - 2024 Find-XSS.net