Vulnerability statistics for 2012
Dear users of Find-XSS.net! In this section you can review the statistics gathered by scanning our clients’ projects.
Note: we present data for the last two years below.
The question of trust: a Find-Compromise scanner client
Are you reluctant to upload your source code to the scanner? We understand, but you no longer need to worry about it. We have developed a client-side part of the scanner. It is written in Java, so if you have not installed the Java virtual machine yet, now is the time to do it. The Find-Compromise Client analyzes your project on your own computer and creates a file containing only the fragments of code that require additional testing by the server side of the scanner. After you upload this file, the scanner produces the report. So you no longer have to worry about your project, and we do not have to worry about the exclusivity of our product.
The first stable version of the scanner, 1.0.0
The service has passed beta testing and switched to production mode. We can confidently say that 9 of 10 vulnerabilities it reports are real! This figure is higher than that of any other PHP code scanner. The number of vulnerabilities found, and the number of options for selecting inputs, are also higher than those of any other PHP code scanner. The only requirement for scanning is to upload an archive that includes all the functions used in the scanned files: the scanner treats any function that is not defined in the uploaded archive as dangerous, which can cause errors in the report.
New scanner version 0.6.0: what’s new?
The scanner checks the input data received from the user and analyzes how it behaves in the code. It also analyzes every function to determine whether it is dangerous or safe, and this classification is used in the further analysis of the code. It is therefore very important not to upload separate modules (since they use functions that are defined elsewhere) but the entire site (project) as a whole; otherwise the scan report may be erroneous. Version 0.6.0 also analyzes hidden code generated with base64_encode and executed with eval(base64_decode()); an example follows.
The simplest code that an attacker can keep in a template or in some module is as follows:
eval(base64_decode("JF9HRVRbJ3Rlc3QnXQ==")); // the base64 string decodes to $_GET['test'], which is then passed to eval()
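The detection that version 0.6.0 adds for eval(base64_decode()) one-liners, as an added example in Python that is not code from the Find-XSS.net scanner: it finds such calls in PHP source, decodes the payload (tolerating the stray whitespace that PHP's non-strict base64_decode silently discards, and peeling nested layers, which goes beyond the single layer shown above) and flags payloads that reference user-controlled superglobals. The PHP input is constructed for the example.

```python
import base64
import re

# eval(base64_decode("...")) or eval(base64_decode('...')), with optional
# whitespace around tokens and inside the base64 string (PHP ignores it).
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)"""
)
# A decoded payload that reads a superglobal means attacker-controlled input
# reaches eval(): the case the scanner reports.
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")

def decode_layers(code: str, max_depth: int = 5) -> list[str]:
    """Decode eval(base64_decode(...)) wrappers until plain code is reached.
    Returns the decoded text of each layer, outermost first."""
    layers = []
    current = code
    for _ in range(max_depth):
        m = EVAL_B64.search(current)
        if not m:
            break
        cleaned = re.sub(r"\s+", "", m.group(2))  # mimic PHP's lenient decoder
        try:
            current = base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 after all: stop here
            break
        layers.append(current)
    return layers

def scan_php(source: str) -> list[dict]:
    """Report every line that evaluates base64-hidden code, with the innermost payload."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not EVAL_B64.search(line):
            continue
        layers = decode_layers(line)
        innermost = layers[-1] if layers else ""
        findings.append({
            "line": lineno,
            "layers": len(layers),
            "decoded": innermost,
            "user_input": bool(USER_INPUT.search(innermost)),
        })
    return findings

# Constructed sample: the one-liner from the page (stray space kept) plus a benign decode.
SAMPLE_PHP = """<?php
// constructed sample file
eval (base64_decode ("JF9HRVRbJ3Rlc3QnXQ =="));
echo base64_decode("aGVsbG8=");  // no eval(): must not be flagged
"""
# Constructed two-layer variant: the outer payload is itself an eval(base64_decode()) line.
INNER = 'eval(base64_decode("JF9HRVRbJ3Rlc3QnXQ=="));'
NESTED_LINE = 'eval(base64_decode("%s"));' % base64.b64encode(INNER.encode()).decode()
```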
Find-Online service button, the number of users online
The service displays the number of users on your site over the last 15 minutes. It does not require complex setup; you only need to copy the code given below onto the pages of your site. Users are counted even if they have JavaScript disabled. It puts no load on your site; our server does all the work. Clicking the button takes you to a page that lists the IP addresses of all users currently online on your site, as well as their country.
Comprehensive site protection with find-xss.net tools
Currently we provide four utilities for finding vulnerabilities, as well as a PHP code scanner for XSS, SQL injection and other vulnerabilities.
This is a list of utilities:
Find-Date - searches for web shells uploaded to the site by an attacker.
Find-Port - checks for open ports.
Find-Info - checks folder and file permissions.
Find-Error - mass-checks files for syntax errors.
Each utility makes a small but important contribution to detecting errors and vulnerabilities. We recommend using all of them, especially since they are easy to use and require neither much time nor deep knowledge.
New scanner version 0.5.0 and how to use it
As promised earlier, the Warning status, as well as the Error status, has been abolished in the new version of the scanner. The scan report has changed a lot in the new version. It now specifies three types of vulnerabilities: XSS, SQL injection and Active script (other vulnerabilities). The scan report in previous versions of the scanner left some users at a dead end, especially with vulnerabilities of Warning status. In the new version everything has been done to make it easy to understand the logic by which the scanner found a particular vulnerability. The report shows the key lines of code side by side with the vulnerable line, so the whole chain the scanner followed in its analysis can be traced. The unsafe parameter is highlighted in red in the report. For less experienced website owners, hovering the mouse over a line with a vulnerability shows a hint on how to fix it.
Error and Warning statuses in version 0.4.7
Dear users of Find-XSS.net, please note that as the XSS scanner’s algorithm is improved, the meaning of the statuses it assigns gradually changes too. Early versions of the scanner had a Notice status, which warned the user of a possible danger. Although in 50% of cases this warning could be ignored, in later versions the scanner began to track everything related to this status. We therefore decided to abolish Notice, keeping only the Error and Warning statuses. In the updated version (0.4.7) of the scanner offered to you, both the Error status and the Warning status mean that a vulnerability is present. The only difference between them is that the Error status identifies the specific type of vulnerability: XSS, SQL injection or some other active code, whereas the Warning status means that during the check the scanner found an SQL injection or XSS vulnerability in the body of a function, and you need to check both the parameters received by that function on the indicated line of code and their use in the function body.