Chorizo security scanner

(Originally I wanted to tweet this, but it grew far longer than 140 characters.)

I tried a free version of Chorizo security scanner. It’s one of those tools that should make securing web applications much easier.

I liked the idea of the proxy setup. Instead of downloading any software or scanning a web site and generating lots of extra traffic, it works in a proxy mode. You configure a proxy server in your browser, add the domain to your Chorizo profile, verify the domain by uploading a signature file to the server, and then simply browse around. There are a couple of nice windows hanging around, showing you things, etc. It even works in Konqueror…

What I didn’t like was that the scanner didn’t find any problems with an obviously problematic web site. I can easily do SQL injections on the pages that I browsed, and I am sure cross-site scripting isn’t any more difficult. Yet the scanner showed a “0 vulnerabilities found” message.

There is also a commercial offering of the service, where you can add more than one domain and have some advanced reports and stuff. But I don’t feel like paying a couple of hundred EUR per year for something that didn’t find obvious problems.

Maybe they are a new service or have some temporary problems. Maybe I’ll give them another try some time later. But for now the answer is a definite “No”. Pity.