PCI Smackdown: Looking Forward
I've been publishing a lot of holes in security companies' websites, and more are coming next week. While I'll continue to point out these flaws, I'm hoping that we can turn these disclosures into industrywide changes.
I know I've pissed some people off. I'm pretty sure McAfee isn't going to be giving me much love in the future. I personally think that too much attention has been paid to them in particular. Though their official response was pretty lame and not entirely true, they definitely aren't the worst offenders. I must admit, however, if it hadn't been for that issue making big headlines, I don't think as many people would be listening to me now.
At this point, I want to issue an industry-wide challenge: any ASV that wants me to evaluate their PCI scanning service need only contact me. I will perform rigorous tests, find whatever issues I can, and publish them in brutally honest fashion. I will provide recommendations to the vendors on how to improve the services, and if I'm impressed with them, I will certainly make that known publicly as well. I will give credit where it is due, but I will happily call you out if you've done something stupid. I have no love or hate for any PCI companies outside my own experiences, and I have no agenda beyond improving the industry.
Do I expect any vendors to take me up on this challenge? No. I am skeptical by nature, but I would love to have somebody take the lead and prove me wrong.
I'm out for the weekend, but I'll leave you with one last batch of screenshots. These are error messages from a handful more PCI ASVs, none of which are critical security issues, but all of which disclose information about the internal workings, directory structure, or configuration of their respective applications. As before, all of these would be found with a simple website audit.
An SQL error in ControlScan's trustmark validation script

Counterpane CGI Error with file path disclosure
Thanks to Russ McRee for this one

onestoppciscan.com Error Page

secureconnect.com ASP errors with stack trace

Symantec included file manipulation and file path disclosure
This script actually throws about half a dozen different errors, depending on how you manipulate it
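To make the "simple website audit" concrete, here is an added example (not code from this post or from any of the vendors named above): a small Python audit that classifies HTTP response bodies by the kind of information a verbose error leaks. The signature list is an illustrative assumption, not any scanner's ruleset, and the five sample responses are constructed for this example, modelled on the error classes in the captions (SQL error, CGI path disclosure, ASP stack trace, include-file error), not copied from the real sites.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative signatures of verbose error output, grouped by what they leak.
# This list is an assumption for the example, not a vendor's or scanner's ruleset.
SIGNATURES = {
    "sql_error": [
        r"You have an error in your SQL syntax",
        r"Microsoft OLE DB Provider for (?:SQL Server|ODBC Drivers)",
        r"Unclosed quotation mark",
        r"ORA-\d{5}",
    ],
    "stack_trace": [
        r"\bat [\w.]+\.\w+\([^)]*\)",          # .NET frame: "at Ns.Class.Method(...)"
        r"Traceback \(most recent call last\)",  # Python
        r"Stack trace:",                         # PHP / Java style
    ],
    "file_path": [
        r"[A-Za-z]:\\(?:[^\\\s<>,]+\\)*[^\\\s<>,]+",   # Windows absolute path
        r"/(?:var|usr|home|opt|srv)/[^\s<>,]+",         # Unix absolute path
    ],
    "include_error": [
        r"failed to open stream",
        r"include\(\):",
        r"No such file or directory",
    ],
}


@dataclass
class Finding:
    category: str
    evidence: str


def audit_response(body: str) -> list[Finding]:
    """Return one Finding per leak category whose signature appears in body."""
    findings: list[Finding] = []
    for category, patterns in SIGNATURES.items():
        for pat in patterns:
            m = re.search(pat, body)
            if m:
                findings.append(Finding(category, m.group(0)))
                break  # one hit per category is enough to report it
    return findings


def audit_all(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each named response to the sorted list of leak categories found."""
    return {
        name: sorted({f.category for f in audit_response(body)})
        for name, body in responses.items()
    }


# Constructed sample bodies (not real vendor output), one per error class
# seen in the screenshots above plus one clean page as a control.
SAMPLE_RESPONSES = {
    "trustmark_lookup": (
        "Microsoft OLE DB Provider for SQL Server error '80040e14'<br>"
        "Unclosed quotation mark before the character string ''.<br>"
        "D:\\web\\trustmark\\validate.asp, line 42"
    ),
    "cgi_form": "Premature end of script headers: /usr/local/apache/cgi-bin/form.cgi",
    "asp_page": (
        "Server Error in '/' Application.\n"
        "   at App.Pages.Scan.Page_Load(Object sender, EventArgs e)\n"
        "   at System.Web.UI.Control.OnLoad(EventArgs e)\n"
        "Source File: C:\\inetpub\\wwwroot\\scan\\default.aspx    Line: 17"
    ),
    "include_script": (
        "Warning: include(): failed to open stream: No such file or directory "
        "in /var/www/html/inc/header.php on line 3"
    ),
    "clean": "<html><body>Thank you, your request was received.</body></html>",
}


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        hits = audit_response(body)
        label = ", ".join(f"{f.category} ({f.evidence})" for f in hits) or "no disclosure"
        print(f"{name:18s} {label}")
```

In a real audit you would feed this the bodies of responses to malformed input (a stray quote in a query parameter, a missing or manipulated include parameter, a bogus script path) and treat any category hit as a finding to fix with a generic custom error page and server-side logging, rather than as a false positive to tune away.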

Labels: PCI Smackdown, PCI-DSS, Web Applications

