Full Disclosure mailing list archives

Re: posting xss notifications in sites vs software packages


From: Luis Santana <hacktalkblog () gmail com>
Date: Thu, 9 Feb 2012 00:05:28 -0500

Typically if you are in the US, are testing a server in the US owned by a
company headquartered in the US it is legal to find Reflective XSS so long
as you don't crash any services. Crashing any services can be seen as a DoS
attack and then you are screwed. Moreover if you crash a service and cost
the company more than 5k USD then you have a risk of the FBI trying you for
cybercrime.


*I DO NOT CONDONE TESTING SITES YOU DON'T HAVE PERMISSION TO TEST*


On Wed, Feb 8, 2012 at 9:23 PM, <Valdis.Kletnieks () vt edu> wrote:

On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
A general question: is it legal to search for XSS vulnerabilities on
custom websites ?

Yes. No. Maybe. Depends where you live, where the web server is physically
located, and where the corporate headquarters are.  In the US, the law you
need to worry about most is 18 USC 1030:


http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

"... having knowingly accessed a computer without authorization or exceeding
authorized access, and by means of such conduct having obtained information..."

It's going to come down to whether the jury believes the prosecutor's version
or your version of what "exceeding authorized access" means - which is why
professional pen testers make sure they get a "Get Out Of Jail Free" card, and
negotiate rules of engagement (what's allowed, what's not) as part of the
contract.  You amateur pen testers are on your own. ;)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
