Full Disclosure mailing list archives

Re: posting xss notifications in sites vs software packages

From: Info <info () inshell net>
Date: Fri, 10 Feb 2012 11:21:28 +0100

Well....in Germany...our law regarding security in general is very, very
vague.

It basically says that you have to go to prison if you produce or
publish any information
and/or tools (for so-called "hacking-purposes") in preparation for a
criminal offense.
And: if you get unauthorized access to data which is specially secured
by evading the
security mechanisms.

But The European Expert Group for IT Security says that especially the
first part does not apply if you're dealing with information and tools
in a good-natured way using e.g. a detailed reporting or documentation.
So i think it's hard to say if looking for a custom website
vulnerability (and finally not using it for bad purposes) is
illegal...at least it depends on how the judge defines "criminal
offense" and interprets your behavior.

@Valdis:
Therefor: agree :)

Regards
Julien.


On 02/09/2012 03:23 AM, Valdis.Kletnieks () vt edu wrote:

On Wed, 08 Feb 2012 17:30:18 +0100, Info said:

A general question: is it legal to search for XSS vulnerabilities on
custom websites ?

Yes. No. Maybe. Depends where you live, where the web server is physically
located, and where the corporate headquarters are.  In the US, the law you
need to worry about most is 18 USC 1030:

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

"... having knowingly accessed a computer without authorization or exceeding
authorized access, and by means of such conduct having obtained information..."

It's going to come down to whether the jury believes the prosecutor's version
or your version of what "exceeding authorized access" means - which is why
professional pen testers make sure they get a "Get Out Of Jail Free" card, and
negotiate rules of engagement (what's allowed, what's not) as part of the
contract.  You amature pen testers are on your own. ;)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

posting xss notifications in sites vs software packages b (Feb 08)
- Re: posting xss notifications in sites vs software packages Luis Santana (Feb 08)
- Re: posting xss notifications in sites vs software packages Packet Storm (Feb 08)
  - Re: posting xss notifications in sites vs software packages Info (Feb 08)
    - Re: posting xss notifications in sites vs software packages Valdis . Kletnieks (Feb 08)
    - Re: posting xss notifications in sites vs software packages Luis Santana (Feb 08)
    - Re: posting xss notifications in sites vs software packages Info (Feb 10)
- Re: posting xss notifications in sites vs software packages Greg Knaddison (Feb 08)