Today's story of "You're lying, we weren't vulnerable" comes from Acunetix. Copy-pasted from their "about us" page, this is how they describe themselves:
Acunetix was founded with [web application threats] in mind. We realised the only way to combat web site hacking was to develop an automated tool that could help companies scan their web applications for vulnerabilities. In July 2005, Acunetix Web Vulnerability Scanner was released – a tool that crawls the website for vulnerabilities to SQL injection, cross site scripting and other web attacks before hackers do.
I suppose I should give some background info before laying into Acunetix too much.
A long-standing thread in the sla.ckers forums has been busy posting XSS flaws in the websites of major companies. One of the many companies on this list is the aforementioned Acunetix. The thread was linked to by darkreading (who themselves have several XSS holes) and later by slashdot. A few days later Kelly Higgins, the author of the article on darkreading.com, emailed me asking for some info for a follow-up story she wanted to write. Here are the relevant parts of that email:
Acunetix says it has no vulns on its site at all
And here's what Kelly posted in her follow-up story:
Tamara Borg, Acunetix's marketing director, says the company has no XSS or other vulnerabilities on its site. "We are developers of a Web application security software tool which detects such vulnerabilities," she says. "Our Website is scanned on a daily basis to ensure that no such vulnerabilities exist."
Well… since I hadn't posted the original flaw and hadn't tested it myself either, I couldn't be 100% sure that it had existed, which is what I told her. I also decided to PM the person who had posted the flaw on the sla.ckers forum. He confirmed that the XSS flaw had worked but had since been fixed. For good measure, two more XSS holes were found on their site. Both of those have been fixed as well, but a screenshot was taken while the flaw existed, which can be found here:
I don't know if they still want to deny they have XSS flaws, but we now have screenshots showing that they certainly have had them.
I suppose it's typical of marketing people to deny any problems and try to sweep them under the carpet, but this tactic cannot be good for the company's reputation. As someone close to the issue put it to me, Acunetix should first thank sla.ckers.org, then fix the issue, and finally improve their product so that it can find these flaws. That might restore some faith in the company.
As it was very eloquently put:
We all make mistakes, the web developers at acunetix too, no worries. But that barefaced talk from their press is not acceptable. They should not fool people if they need them (or their money:).