Full Disclosure mailing list archives
Re: posting xss notifications in sites vs software packages
From: Luis Santana <hacktalkblog () gmail com>
Date: Thu, 9 Feb 2012 00:05:28 -0500
Typically if you are in the US, are testing a server in the US owned by a company headquartered in the US, it is legal to find Reflective XSS so long as you don't crash any services. Crashing any services can be seen as a DoS attack and then you are screwed. Moreover, if you crash a service and cost the company more than 5k USD then you have a risk of the FBI trying you for cybercrime.

*I DO NOT CONDONE TESTING SITES YOU DON'T HAVE PERMISSION TO TEST*

On Wed, Feb 8, 2012 at 9:23 PM, <Valdis.Kletnieks () vt edu> wrote:
On Wed, 08 Feb 2012 17:30:18 +0100, Info said:

A general question: is it legal to search for XSS vulnerabilities on custom websites?

Yes. No. Maybe. Depends where you live, where the web server is physically located, and where the corporate headquarters are.

In the US, the law you need to worry about most is 18 USC 1030: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

"... having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information..."

It's going to come down to whether the jury believes the prosecutor's version or your version of what "exceeding authorized access" means - which is why professional pen testers make sure they get a "Get Out Of Jail Free" card, and negotiate rules of engagement (what's allowed, what's not) as part of the contract.

You amateur pen testers are on your own. ;)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- posting xss notifications in sites vs software packages b (Feb 08)
- Re: posting xss notifications in sites vs software packages Luis Santana (Feb 08)
- Re: posting xss notifications in sites vs software packages Packet Storm (Feb 08)
- Re: posting xss notifications in sites vs software packages Info (Feb 08)
- Re: posting xss notifications in sites vs software packages Valdis . Kletnieks (Feb 08)
- Re: posting xss notifications in sites vs software packages Luis Santana (Feb 08)
- Re: posting xss notifications in sites vs software packages Info (Feb 10)
- Re: posting xss notifications in sites vs software packages Info (Feb 08)
- Re: posting xss notifications in sites vs software packages Greg Knaddison (Feb 08)