Penetration Testing mailing list archives
RE: Informing Companies about security vulnerabilities...
From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Wed, 4 Oct 2006 14:31:02 -0500
Joe,

> Normally, I go to a live public website or two during the class and we
> talk about common tests to perform and how to approach certain types of
> websites. A common subject is how to handle large websites with tons of
> dynamic content - so the class chose a major newspaper's website for the
> discussion.

Do you normally perform security assessments or pentests against networks that do not give you permission to do so?

> Usually when we do this we only find a few simple things (XSS for
> example) - no big deal, right? With this particular website we just kept
> finding another, after another and on and on. Over 600 instances of XSS,
> over 200 SQL Injection - this was bad. After a while it started to get
> boring, there were so many....
>
> So I drafted a letter to the editor as well as several other prominent
> people at the newspaper. It detailed my findings and recommended some
> possible mitigation strategies. After emailing this I didn't hear
> anything for a few days, so I emailed it again and followed up with a
> phone call. After getting no response to the second email and then
> having been bounced around from department to department when I called,
> I just said forget it.
>
> Has anyone else gone through a similar situation? Was the company
> receptive? Other companies I've contacted in the past have been quite
> receptive - I'm just curious if other people have gone through this as
> well.

I think I can speak for most people on the list saying - it sounds like what you're doing is unacceptable and unprofessional. If you stumble across vulnerabilities you should report them, but please don't have an entire class of individuals testing someone's web application without being granted permission to do so. The newspaper is probably gathering their legal team for a formal response and possible legal action against you at this very moment. In fact, they probably found this archive of admission logged on the internet and collected it for their evidence :P

-Daniel Clemens