
#1 30 Aug 2006 12:21

WarpNacelle
Lowter Dude
From: Washington State
Registered: 29 Sep 2005
Posts: 218

Chorizo Scanner

Is anyone familiar with, or has anyone used, this Chorizo scanner site?

Looks like it might be pretty good.


Support bacteria - they're the only culture some people have.
Faith Based Theater Community...


#2 30 Aug 2006 12:24

Ethan
Lowter Staff
From: Minneapolis, MN
Registered: 20 Jan 2005
Posts: 6960

Re: Chorizo Scanner

I've yet to hear of this until now.  I'm also confused as to what this is actually checking?


Ethan, Managing Director of Lowter
Blog | American Swedish Institute | Save the Internet


#3 30 Aug 2006 12:54

Sebastian
Loco Lowter Member
Registered: 14 Mar 2005
Posts: 2268

Re: Chorizo Scanner

Ethan wrote:

I've yet to hear of this until now.  I'm also confused as to what this is actually checking?

Scanning your applications for security issues inside your web applications. Without a fuss.


#4 30 Aug 2006 13:03

WarpNacelle
Lowter Dude
From: Washington State
Registered: 29 Sep 2005
Posts: 218

Re: Chorizo Scanner

Yeah.

If you go to the "About" page and watch the second Flash demo it shows the security risks that it checks for.


Support bacteria - they're the only culture some people have.
Faith Based Theater Community...


#5 30 Aug 2006 13:19

Ethan
Lowter Staff
From: Minneapolis, MN
Registered: 20 Jan 2005
Posts: 6960

Re: Chorizo Scanner

Hmm.  I have one issue here.  I would not trust anyone with the ability to check my sites like this.  Since it is all done via proxy, they probably keep logs of this.  Then if someone happens to get their hands on this, it would be bad news.

It looks nice, but I just don't like the fact it is done via proxy.


Ethan, Managing Director of Lowter
Blog | American Swedish Institute | Save the Internet


#6 30 Aug 2006 14:42

Sebastian
Loco Lowter Member
Registered: 14 Mar 2005
Posts: 2268

Re: Chorizo Scanner

If I wanted to 'Scanning your applications for security issues inside your web applications', I would do so with a real anti-virus tool, such as the Symantec ones.


#7 30 Aug 2006 15:50

WarpNacelle
Lowter Dude
From: Washington State
Registered: 29 Sep 2005
Posts: 218

Re: Chorizo Scanner

Ethan wrote:

Hmm.  I have one issue here.  I would not trust anyone with the ability to check my sites like this.  Since it is all done via proxy, they probably keep logs of this.  Then if someone happens to get their hands on this, it would be bad news.

It looks nice, but I just don't like the fact it is done via proxy.

That's a good point to consider.

As vigilant as that site would be to protect themselves ... how much do you trust their efforts?

Enough or not enough?

Still, it would be nice to run it once...


Support bacteria - they're the only culture some people have.
Faith Based Theater Community...


#8 30 Aug 2006 17:23

Ethan
Lowter Staff
From: Minneapolis, MN
Registered: 20 Jan 2005
Posts: 6960

Re: Chorizo Scanner

I trust them, but the issue is if somehow, by accident, those records got leaked or something.  This has been a huge issue lately, as we've seen AT&T, AOL, and even the Federal Student Loan service leaking data by accident.


Ethan, Managing Director of Lowter
Blog | American Swedish Institute | Save the Internet


#9 30 Aug 2006 17:34

WarpNacelle
Lowter Dude
From: Washington State
Registered: 29 Sep 2005
Posts: 218

Re: Chorizo Scanner

For sure, for sure, and since this gets into the guts of your website it could get messy were that ever to happen.

So instead - addslashes! :)


Support bacteria - they're the only culture some people have.
Faith Based Theater Community...


#10 31 Aug 2006 4:34

-=Hero Doug=-
Lowter Addict
Registered: 25 Jan 2005
Posts: 626

Re: Chorizo Scanner

Why not just make a subdomain called something like scan.example.com, without any information in the databases, just for scanning purposes?

That way, as you develop the scan subdomain, you can test your app before making it live without risking any personal information leaks.


#11 31 Aug 2006 6:20

Ethan
Lowter Staff
From: Minneapolis, MN
Registered: 20 Jan 2005
Posts: 6960

Re: Chorizo Scanner

The information I wouldn't want leaked is that my website is vulnerable to XSS or something before I get a chance to fix it.


Ethan, Managing Director of Lowter
Blog | American Swedish Institute | Save the Internet


#12 31 Aug 2006 16:08

Tom
Loco Lowter Member
From: UK
Registered: 25 Jan 2005
Posts: 2503

Re: Chorizo Scanner

Lowter vulnerable to XSS, Ethan? ;)


Meaning of life: we learn a bunch of stuff then we die.
http://www.thehardcorelife.com
http://blog.thehardcorelife.com


#13 31 Aug 2006 16:34

Ethan
Lowter Staff
From: Minneapolis, MN
Registered: 20 Jan 2005
Posts: 6960

Re: Chorizo Scanner

Nope.  I've done some testing on that to be sure.


Ethan, Managing Director of Lowter
Blog | American Swedish Institute | Save the Internet


#14 01 Sep 2006 4:24

-=Hero Doug=-
Lowter Addict
Registered: 25 Jan 2005
Posts: 626

Re: Chorizo Scanner

But your site wouldn't be vulnerable to these leaks.

For instance, upload the next version of your site to a development subdomain, test it, and fix it. Then, re-launch your site with the updated version. Now your site isn't vulnerable to anything the scanner tests.

As you make changes to your development subdomain (which is separate from your actual site), if there is a vulnerability, *and* it's leaked, it won't affect your site, because it's the development subdomain that has this problem and not your live site.

Of course, I suppose you'd want to put these sites on separate servers as an extra safeguard.


#15 01 Sep 2006 6:02

Ethan
Lowter Staff
From: Minneapolis, MN
Registered: 20 Jan 2005
Posts: 6960

Re: Chorizo Scanner

But see, then the whole development process is a lot more complex.  It's easy enough to test for these vulnerabilities yourself, and get it fixed before it's uploaded anywhere online or seen by anything.

Could you imagine Google scanning pages for this? :P


Ethan, Managing Director of Lowter
Blog | American Swedish Institute | Save the Internet

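An added example, not from the thread or the Chorizo site, tying together the addslashes joke in #9, the XSS worry in #11 and the "test it yourself before uploading" point in #15: it runs a constructed probe string through a PHP-style addslashes (emulated here) and through HTML entity encoding, and checks which encoder actually keeps markup characters out of the rendered page. All function and variable names are the example's own.

```python
import html

# Constructed probe: the characters that change meaning in an HTML text or
# attribute context. If any of them come back raw, the output is not encoded.
PROBE = "<\"'&x"


def identity(s: str) -> str:
    """No encoding at all: the 'before' case."""
    return s


def addslashes(s: str) -> str:
    """Emulates PHP's addslashes(): backslash-escapes quotes and backslashes.
    This is aimed at string literals, not HTML, so '<' passes straight through."""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in s)


def html_encode(s: str) -> str:
    """Entity-encodes < > & and both quote characters for an HTML context."""
    return html.escape(s, quote=True)


def page(name: str, encoder) -> str:
    """Minimal template that reflects user input into a page body."""
    return f"<p>Hello {encoder(name)}</p>"


def leaks_markup(encoder) -> bool:
    """True when the encoder lets any of < \" ' through unchanged."""
    encoded = encoder(PROBE)
    return any(ch in encoded for ch in "<\"'")


def audit() -> dict:
    """Self-check to run before a build is uploaded anywhere: which encoders
    leave reflected input capable of breaking out of its HTML context?"""
    return {
        label: leaks_markup(fn)
        for label, fn in (("none", identity),
                          ("addslashes", addslashes),
                          ("html.escape", html_encode))
    }


if __name__ == "__main__":
    for label, leaks in audit().items():
        print(f"{label:12} {'LEAKS MARKUP' if leaks else 'ok'}")
```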
