Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities...
From: pand0ra <pand0ra.usa () gmail com>
Date: Wed, 4 Oct 2006 17:30:59 -0600
"You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so." Ethically, that is bad. You should never force (or threaten) anyone into doing something they don't want to. I agree completely with Jay and Dan. Joseph, 1. Never test a system unless you have written authorization (also known as the "get out of jail free" card). Period. 2. I know it is your responsability to teach your students how to identify an attack but you also have to show them what is ethical as well. By teaching them to attack another company's web application without permission is promoting behavior that could land your students in jail. What happens after the student is arrested when they tell the media that they learned how to do what they did in your class? 3. It's good that you notified the newspaper of the problem but you should not have been there in the first place. The suggestion for using hackme bank is perfect and won't land you in prison/jail/fines. On 10/4/06, Andreas Putzo <putzoa () gmx de> wrote:
On Oct 04, Joseph McCray wrote: > Usually when we do this we only find a few simple things (XXS for > example) - no big deal right. With this particular website we just kept > finding another, after another and on and on. Over 600 instances of XXS, > over 200 SQL Injection - this was bad. After a while it started to get > boring there was so many.... > > So I drafted a letter to the editor as well as several other prominent > people at the newspaper. It detailed my finding and recommended some > possible mitigation strategies. After emailing this I didn't hear > anything for a few days, so I emailed it again and followed up with a > phone call. After getting no response to the second email and then > having been bounced around from department to department when I called I > just said forget it. You can try to set them an ultimatum pretending to disclose the holes to the public. Perhaps they are more willing to react if they are forced to do so. Depending on the information you can get through the website (customer data anywhere?) and the laws in your country (IANAL, btw.) you may go to the intrigued publicity, indeed. They gotta have to do something if someone defaced their website actually. -- regards, Andreas Putzo ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Informing Companies about security vulnerabilities... Joseph McCray (Oct 04)
- RE: Informing Companies about security vulnerabilities... Clemens, Dan (Oct 04)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 04)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 05)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 04)
- Re: Informing Companies about security vulnerabilities... Jex (Oct 04)
- Re: Informing Companies about security vulnerabilities... Wolf Halton (Oct 04)
- Re: Informing Companies about security vulnerabilities... Micro Kluge (Oct 06)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 04)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 05)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 05)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 05)
- Re: Informing Companies about security vulnerabilities... s-williams (Oct 05)
- Re: Informing Companies about security vulnerabilities... Dan Catalin Vasile (Oct 05)
- <Possible follow-ups>
- RE: Informing Companies about security vulnerabilities... bugtraq (Oct 04)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)
- Re: Informing Companies about security vulnerabilities... gat0r (Oct 06)
- Re: Informing Companies about security vulnerabilities... Dragos Ruiu (Oct 05)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)
- Re: Informing Companies about security vulnerabilities... jay.tomas (Oct 04)