Morning All

I work for a company who's website has been analysed by a outside company, the outside company did it off there own back and have said that my companies website is 'writable'.
I have checked the permissions and setup and can see nothing wrong, However I would like to check.

The site sits on a windows 2003 server, IIS 6, and is ASP coded.

How would I check to see if it is 'writable' from the web?... IE: Does anyone know of a script or a process to run against the site?

Many Thanks
Steve

Hi

Thank you for the quick reply... The outside company will tell us, however a few thousand pounds will have to change hands before they do!!.. Hence the asking on here first..

I have checked the dirs, and there are no user upload dirs.

Thanks
Steve

"Writable" is a pretty generic term and can be interpreted many different ways.  They could be referring to directories, or "writing" to your SQL DB if you have one, it may also be a file injection vuln.

What bothers me most is your comment that they did it "off their own back"... They way you originally wrote that, it seems to me that this "company" did a pen test on your site without your permission, knowledge or consent.  True?

If true, they found an issue, and are now saying "we found something on your site, but we won't tell you until you pay us something."  True again?

If true again, this would be known as extortion (maybe something lesser, but extortion is such a sexy word).  At this point, you might want to get some legal people involved.  If whoever this is had wholesome pure intentions, they'd tell you want the problem was and not demand money.  If they pen tested your site without consent, you should have full legal precedence to go after them.  You might want to start collecting logs ASAFP in case you wind up in the middle of some legal action.  (of course, this doesn't solve your issue of finding out what the flaw is.  you may get that information from legal proceedings, or you may have to hire a legit pen tester to find it for you.  Or, you could just shell out the dough to whoever this is, but they may also be scamming you.  You pay them, then you never hear from them again, or they send you on a goose chase, and they get a nice pay day.)

If this is a company you hired to perform a pen test, a full report, including technical details on any flaws should be part of the package.  If you have to pay extra for data... you need someone that writes better engagement contracts. 

So another word, they hack your company website without your consent. And blackmail to your company to hand over a big lump sum of money, otherwise they will refuse to disclose to you the finding of the test (hack).

I think your company should call the Police.

@dreams3577 I realize that your original question is how to tell whether your website is"writable." I agree with the others that the entire situation is phishy (pun fully intended).   Certain versions of IIS are vulnerable to having pages dumped into the root directory. I don't remember all the details, but if your IIS is configured to use index.htm (or index.html or default.htm or default.asp etc) as one of its preferred default pages, BUT any of those pages does not exist on the site, it is vulnerable to having someone dump their "you have been hacked" page into your IIS site. Which means someone goes to www.yoursite.com and sees "you have been hacekd" instead of "welcome to yoursite."

The solution to this is, best I understand, to clean up the default page settings from within IIS. In server 2003, open IIS manager, right click your website name, choose Properties and go to the documents tab.

HTH.

I believe and remember, there are different level of service and based on that they provide report, it should be provided in terms & conditions when undertaken the work by outsourced company. But it doesn't look fair not disclosing the information about vulnerability.
Mgmt should take action......

Word of advice: Try running a Nessus and / or NeXpose scan against your website, you will most likely get exactly the same results as the company that reported the "bug".

Often, it is just because IIS supports the PUT method or perhaps WebDAV, but that doesn't necessarily mean that it's actually exploitable, or something an attacker can use to his advantage. After all, the webserver may support the method, but may not allow it anywhere.

I would ask the target company to place a file on the server as proof of that it is "writeable". If they can't, it's not writeable as they say.