iiScan is a new on-line vulnerability scanner for websites. It is developed by a Chinese company called NOSEC Technologies [Note: I found the name funny for a company which develops a security solution]. What’s new with iiScan? It is based on cloud computing!
The service is free but you have to register before being authorized to scan websites. The registration procedure is simple but requires an invitation code. Is it temporary or definitive? I don’t know. Invitation codes are quite easy to find on Twitter or security mailing lists. Every newly registered user gets five invitations to redistribute to friends.
Once logged in, the management interface is very simple. Three menus are available on the left:
- Task Management – To create new tasks (scans) and manage them.
- Domain Management – To manage your websites (called here “domains”).
- User Management – To manage your account and invitations.
The procedure to scan a website is very simple. Step one, create the new domain (basically the URL you would like to scan). HTTP & HTTPS protocols are supported but I read posts on mailing lists which report some problems with HTTPS. To complete the domain creation, a file called “test.txt” must be created in the root of your website. It must contain the hash code generated by iiScan. This is a protection to prevent abuses of the service (like pen-tests or flooding other sites).
Once the domain is created, the second step is to create a new task. Here we can specify which type(s) of tests to conduct against the website:
- Blind SQL Injection
- Dir bruteforce
- File Check
- SQL Injection
Finally the defined task can be managed in the last step: To start or to stop a scan, to check its status and to display the final results. Reports are available in HTML or PDF formats.
The interface has a lot of translation problems. Often, Chinese characters are mixed with English words. In the reports, overviews are given in English but the details remain in Chinese (even if the visitor language can be selected at the bottom of the screen). I filed a bug report about this but still no feedback after two days.
But what about the quality of the scans? I executed two scans against personal websites. In the first one, a real problem was found (a file was still available after a software upgrade). The second scan gave bad results. Why? For every non-existing file (HTTP 404 error), the website redirected to the home page. This caused loops and I canceled the scan after 14 hours! Otherwise, except for the unavoidable false positives, the scanner did its job quite well. Note that the scanner does not send requests in bursts, to not be too intrusive, and uses a specific user-agent (“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0”). This can be useful to review your logs and analyze the HTTP requests generated by the scanner. The iiScan website maintains statistics for your own scans but also global statistics.
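As an added example (not code from the post or from NOSEC), here is a small Python script that picks the scanner's requests out of a combined-format access log by that user-agent and reports how many of its probes were answered with a redirect instead of a 404, the site behaviour that caused the 14-hour loop above. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format, parsed with named groups.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-agent suffix the post reports for the iiScan scanner.
SCANNER_UA_MARKER = "NOSEC.JSky/1.0"

# Constructed sample log: four scanner requests and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2009:14:02:11 +0200] "GET /test.txt HTTP/1.1" 200 41 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
203.0.113.10 - - [10/Jun/2009:14:02:12 +0200] "GET /admin/ HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
203.0.113.10 - - [10/Jun/2009:14:02:13 +0200] "GET /backup.zip HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
203.0.113.10 - - [10/Jun/2009:14:02:14 +0200] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
198.51.100.7 - - [10/Jun/2009:14:02:15 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0"
"""

def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip malformed ones."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def scanner_summary(text, marker=SCANNER_UA_MARKER):
    """Summarise requests whose User-Agent carries the scanner marker.
    redirect_share is the fraction of scanner probes answered with a 3xx;
    a high value means missing files are redirected rather than 404'd."""
    entries = [e for e in parse_log(text) if marker in e["ua"]]
    statuses = Counter(e["status"] for e in entries)
    redirects = sum(n for code, n in statuses.items() if code.startswith("3"))
    share = redirects / len(entries) if entries else 0.0
    return {
        "requests": len(entries),
        "statuses": statuses,
        "paths": [e["path"] for e in entries],
        "redirect_share": share,
    }

if __name__ == "__main__":
    s = scanner_summary(SAMPLE_LOG)
    print(f"{s['requests']} scanner requests, statuses {dict(s['statuses'])}")
    if s["redirect_share"] >= 0.5:
        print("warning: many probes were redirected; missing files should return 404")
```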
To conclude, iiScan is a nice tool for webmasters who would like to test their websites. For the others who need to conduct more targeted attacks, the classic tools remain mandatory!