What vulnerabilities do you scan for?

We scan for the most common vulnerabilities that most hackers would attempt to find and exploit, and we do some sanity checking for you as well; we're also constantly writing new modules to improve our accuracy and thoroughness. We use a mixture of open source tools stitched together with custom tools we've written. Specifically, we crawl your site much as a search engine would, but instead of parsing the text/HTML for indexing, we look for vulnerabilities in your cookies, all your forms, and all your links; basically anywhere we can input data, we will.

We look for SQL injection (using a number of methods: rdiff analysis, timing analysis, and straight fuzzing), XSS (Cross Site Scripting / HTML injection, again using a number of methods), CSRF (Cross Site Request Forgery), OS command injection, unvalidated redirects, LDAP injection, XPath injection, other code injection, HTTP response splitting, XST (Cross Site Tracing), path traversal, remote file inclusion, and a bunch more, including (but not limited to) all of the vulnerabilities on the OWASP Top Ten list.

As for the sanity checking: we look for interesting server responses (usually purely informational, but occasionally knowing that a page is throwing a 500 error or redirecting you with a 320 is useful), common directories, common backdoors, common files (including backup files), unencrypted password forms (those not submitted over HTTPS), etc. We also crawl for any instances of disclosed information (often used for spamming or social engineering attacks), such as social security numbers, email addresses, private IPs, CVS or SVN usernames, and credit card numbers. If we can find it, so can someone else. ;)

Those are most of the technical details. If you want more info on any of it feel free to email us at support@tinfoilsecurity.com. Realistically though, we're trying to abstract most of that away from our customers and provide them with a simple and easy-to-use interface so that they can get on with the thing they enjoy most and are best at: building their product. While you code, we'll monitor, and let you know if anything changes for the worse. :)
