As we have looked closer at the web security company SiteLock, a recurring theme has been finding that their services are actually provided by others and that they don’t disclose the true source (in some cases they make claims that would reasonably lead you to believe the services are provided by them directly). That can have some pretty serious implications. For example, we found that their content delivery network (CDN) and web application firewall (WAF) are actually provided by another company, Incapsula. As both of those services involve sending your website’s traffic through the provider’s systems, not knowing the true provider of the service means you don’t actually know who has access to all of that traffic. In another case we found that, due to SiteLock’s lack of understanding of WordPress security, they were (and maybe still are) incorrectly using third-party data on WordPress vulnerabilities to falsely claim that websites are insecure. It also further undercuts their claim to be the “global leader” in website security.
Back in September we discussed that while SiteLock’s vulnerability scanner is frequently promoted by their web hosting partners there didn’t appear to be any evidence that the vulnerability scanner was actually effective in finding vulnerabilities on websites. Recently we ran across a thread on the WordPress Support Forum from earlier this year about an instance where their scanner had claimed to find a couple of potential SQL injection vulnerabilities in the WordPress portion of a website.
Without having access to the website’s files as of the time the scan was done we can’t tell if these were false positives or not, but unless the website contained plugins that were changing the normal way the relevant files were operating, the results would have involved falsely labeling the core WordPress software as having vulnerabilities.
We were curious to see if we could find other examples of SiteLock’s vulnerability scanner results, so we did a Google search for “The following resources may be vulnerable to blind SQL injection”, which is phrasing used in their message mentioned in that thread.
One thing that it pulled up was a further indication that the scanning isn’t very good: it was treating Joomla simply returning a different result when malicious code was added to URL parameters as indicating that the parameters were potentially prone to SQL injection. A response that differs from the baseline is a weak signal on its own, since input validation or an error page will produce one just as readily as an injectable query. The crude level of their scanning might provide some useful information for an experienced developer or a security professional, but for the average webmaster it is likely to lead to a lot of unneeded confusion.
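To make concrete why a mere change in the response is a weak signal, here is an added example (it is not SiteLock’s, Nessus’s or Joomla’s code) built around a constructed in-memory site with two request handlers: one that validates its id parameter before querying with a bound value, and one that concatenates the parameter straight into SQL. A naive “did the page change?” heuristic flags both handlers, while a boolean-based check that sends a tautology and a contradiction as a pair flags only the injectable one. The handler names, the `articles` table and its sample rows are all assumptions made for this example.

```python
import sqlite3

# Constructed in-memory "site" with two request handlers that take an id
# parameter. Neither is SiteLock's, Nessus's or Joomla's code; they exist only
# to show how two blind-SQL-injection heuristics behave on them.
_CONN = sqlite3.connect(":memory:")
_CONN.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
_CONN.executemany(
    "INSERT INTO articles VALUES (?, ?)",
    [(1, "First post"), (2, "Second post"), (3, "Third post")],
)


def vulnerable_handler(params):
    """Deliberately injectable: the id parameter is concatenated into SQL."""
    query = "SELECT title FROM articles WHERE id = " + params.get("id", "")
    try:
        rows = _CONN.execute(query).fetchall()
    except sqlite3.Error:
        return "Error: bad request"
    return ("Article: " + rows[0][0]) if rows else "Not found"


def safe_handler(params):
    """Validates the id and uses a bound parameter; no injection is possible,
    but a tampered id still produces a page that differs from the baseline."""
    raw = params.get("id", "")
    if not raw.isdigit():
        return "Invalid article id"
    rows = _CONN.execute(
        "SELECT title FROM articles WHERE id = ?", (int(raw),)
    ).fetchall()
    return ("Article: " + rows[0][0]) if rows else "Not found"


def _with_param(params, name, value):
    tampered = dict(params)
    tampered[name] = value
    return tampered


def naive_check(handler, params, name):
    """Crude heuristic: flag the parameter if appending a quote changes the
    response at all. Any validation or error page trips this."""
    baseline = handler(params)
    tampered = handler(_with_param(params, name, params[name] + "'"))
    return tampered != baseline


def boolean_check(handler, params, name):
    """Boolean-based heuristic: the parameter is flagged only if a tautology
    (AND 1=1) leaves the page unchanged while a contradiction (AND 1=2)
    changes it. A validator that rejects both payloads fails the first
    condition and is not flagged."""
    baseline = handler(params)
    true_page = handler(_with_param(params, name, params[name] + " AND 1=1"))
    false_page = handler(_with_param(params, name, params[name] + " AND 1=2"))
    return true_page == baseline and false_page != baseline


def scan(handler, params, name):
    """Run both heuristics against one handler and report the verdicts."""
    return {
        "naive": naive_check(handler, params, name),
        "boolean": boolean_check(handler, params, name),
    }


if __name__ == "__main__":
    for label, handler in (("safe", safe_handler), ("vulnerable", vulnerable_handler)):
        print(label, scan(handler, {"id": "1"}, "id"))
```

Running the block prints the verdicts for both handlers: the naive check reports both as potentially injectable, the boolean check reports only the vulnerable one. A time-based variant replaces the true/false pair with a deliberate-delay payload and compares response times, and it needs the same kind of control measurement so that ordinary latency is not mistaken for a vulnerability.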
More interesting was something else that it showed. Here is how one of SiteLock’s results began:
Using the GET HTTP method, SiteLock found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The ‘rp_subject’ parameter of the /index.php/index.php/help/suggestion-about-website CGI :
The Google search results also pulled up results from the Nessus vulnerability scanner, which look like this:
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection (time based) :
+ The ‘LinkedGroup’ parameter of the /cgi-bin/vendx/forgotpasswd.cgi CGI :
Other than the specifics of each potential vulnerability, the only differences between those two are the scanner name and the phrase “(time based)” in the Nessus message.
So pretty clearly SiteLock’s vulnerability scanner, at least in part, involves them running Nessus over websites. Not surprisingly, based on the other examples, they don’t disclose that fact. The page for the service makes no mention of it involving a Nessus scan, and a Google site search shows no mention of Nessus at all on their website. Considering that Nessus doesn’t really seem like a tool designed for end users, while the service is promoted to exactly those users by SiteLock’s web host partners (which in some instances are run by SiteLock’s owners), it doesn’t seem like a good fit for the service.
What isn’t clear is whether the vulnerability scanning involves anything more than a Nessus scan. If you have any more information on the vulnerability scanner, please leave a comment on the post.
A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.