by Klathmon 3137 days ago
I absolutely hate these kinds of "security" scans.

I once worked with a company that started using one of these. They said our "vulnerability scores" were significantly too high.

I looked at the report, and it turned out they were just looking at HTTP headers and throwing up every CVE that matched any version numbers they found. (One of the "worst offenders" on the system was a CVE about a vulnerability in PHP when using "magic quotes", a part of PHP that hadn't been used in many years and that our application never used.)

We were officially instructed that the fix would be to hide the PHP and apache version numbers from the headers.

If I were the one running that scan, and someone "fixed" the problem by just hiding the version numbers, I'd be calling for that person to be fired for trying to hide the problem. But here they were instructing us to do just that. And once we did, the system was marked "secure"...
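The scanner behaviour described above, as an added illustration that is not part of the comment or of any real product: a banner-only scan pulls product/version strings out of the Server and X-Powered-By headers and reports every advisory filed against that version, whether or not the vulnerable feature is enabled on the host. The headers, the runtime settings, the version numbers and the CVE table below are all constructed, and the advisory ids are placeholders. The last function emulates what Apache's ServerTokens Prod and PHP's expose_php = Off do to the headers, so you can see that the "fix" changes the scan result without changing the software.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed CVE table of the sort a banner-matching scanner keys on:
# (product, version) -> advisories. The ids are placeholders, not real CVEs.
# "requires" names a runtime feature the advisory only applies to; None
# means it applies to the bare version.
BANNER_CVE_TABLE: Dict[Tuple[str, str], List[Dict[str, Optional[str]]]] = {
    ("php", "5.2.17"): [
        {"id": "CVE-PLACEHOLDER-1", "requires": "magic_quotes_gpc"},
        {"id": "CVE-PLACEHOLDER-2", "requires": None},
    ],
    ("apache", "2.2.22"): [
        {"id": "CVE-PLACEHOLDER-3", "requires": None},
    ],
}

# Constructed response headers from a host like the one in the comment.
SAMPLE_HEADERS: Dict[str, str] = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.2.17",
}

# Constructed runtime configuration of the same host: magic quotes are off.
SAMPLE_RUNTIME: Dict[str, bool] = {"magic_quotes_gpc": False}

_BANNER_RE = re.compile(r"(?P<product>[A-Za-z][A-Za-z_-]*)/(?P<version>\d+(?:\.\d+)+)")


def extract_banners(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (product, version) pairs advertised in Server / X-Powered-By."""
    found: List[Tuple[str, str]] = []
    for name in ("Server", "X-Powered-By"):
        for m in _BANNER_RE.finditer(headers.get(name, "")):
            found.append((m.group("product").lower(), m.group("version")))
    return found


def banner_scan(headers: Dict[str, str]) -> List[str]:
    """A banner-only scanner: every advisory filed against a matched version."""
    return [
        adv["id"]
        for key in extract_banners(headers)
        for adv in BANNER_CVE_TABLE.get(key, [])
    ]


def triaged_scan(headers: Dict[str, str], runtime: Dict[str, bool]) -> List[str]:
    """Same matches, but drop advisories whose required feature is not enabled."""
    return [
        adv["id"]
        for key in extract_banners(headers)
        for adv in BANNER_CVE_TABLE.get(key, [])
        if adv["requires"] is None or runtime.get(adv["requires"], False)
    ]


def suppress_banners(headers: Dict[str, str]) -> Dict[str, str]:
    """Emulate 'ServerTokens Prod' and 'expose_php = Off' on the headers only:
    the software on the host is unchanged, its version is just not advertised."""
    hidden = dict(headers)
    if "Server" in hidden:
        hidden["Server"] = hidden["Server"].split("/", 1)[0]
    hidden.pop("X-Powered-By", None)
    return hidden


if __name__ == "__main__":
    print("banner scan:  ", banner_scan(SAMPLE_HEADERS))
    print("triaged scan: ", triaged_scan(SAMPLE_HEADERS, SAMPLE_RUNTIME))
    print("after hiding: ", banner_scan(suppress_banners(SAMPLE_HEADERS)))
```

Run stand-alone, the banner scan reports all three placeholder advisories, the triaged scan drops the magic-quotes one because that feature is off, and the scan of the suppressed headers reports nothing at all even though the same PHP and Apache builds are still running. Whether the scanner's output is a risk measurement or just a banner lookup is the difference between those three lines.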


As annoying as that sort of ignorance is, I would say it's marginally better than the opposite attitude that security scanners are bullshit and therefore unnecessary. The fact is, scanners turn up real issues that slip through whatever manual patching process you have set up.

My feeling is similar to when I started unit testing aggressively a decade ago: it seems like this should be unnecessary, but every time I do it it never fails to pay dividends.

There was a fundraising website written 15 years ago that a team I was on was responsible for (I never actually worked on it).

There were fraudulent credit card donations for $1 which became really obvious when the zip code was garbage.

The “solution” was to disable the credit card page until the month of the fundraising event, when it was enabled again in the hope that the scammers would not try during that month.

I don't understand, what were the scammers trying to achieve?
Trying to validate stolen or generated credit card numbers.
That's not always what is going on. In some cases unscrupulous operators will run through large numbers of $1 transactions in order to lower their chargeback rate.
This sounds interesting - can you explain further?
Chargebacks have a cap; if you go over that cap you get fined or lose your merchant account. So in order to dilute the pool they'll make a lot of low-dollar charges, usually masquerading as some charity; those will have very low chargeback rates, so the average chargeback percentage will drop.
Maybe hoping there was an affirmative response if the card did go through?
In this context it may have been BS, but in general it's a good idea to reduce the attack surface of the entire platform.