Penetration Testing mailing list archives
Re[4]: Informing Companies about security vulnerabilities...
From: "Matthew Leeds" <mleeds () theleeds net>
Date: Fri, 06 Oct 2006 09:11:54 -0700
I'm on a mailing list from a publishing company. They send out HTML-formatted email; I use a POP client that can be toggled to not render HTML. Consequently I get something that looks like this:

==========snip==============
Adobe Adds Blogging to Contribute 4
<http://www.econtentmag.com/Articles/ArticleReader.aspx?ArticleID=18335>

Adobe Systems Incorporated has announced the immediate availability of Adobe Contribute 4 software, a new version of its web publishing solution designed for business, education, and government workers to contribute content to the web without having to learn HTML.

[ http://www.econtentmag.com/Articles/ArticleReader.aspx?ArticleID=18335]
[ Back to Contents...]
==========snip==============

Now, clicking on the first link works correctly; however, the second renders interesting results. Would my clicking on the second link be considered a trespass? A pen test? The form of the link is an artifact of the transmission of the email.

This is, of course, aside from the wisdom of displaying verbose error messages of the type found when clicking on this link.

----------
---Matthew

*********** REPLY SEPARATOR ***********
On 10/5/2006 at 9:06 PM none () none com wrote:
So sticking ' or 1=1 or any variant like that is all that it takes to conduct a pen test? Or just sticking <script> tags into forms and seeing the response is a pen test? Is using a web scanner that tests for XSS or SQL injection a pen test?

Running some BS web scanner against a site isn't a pen test, even though a lot of people on this list seem to think it is...

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
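Added example (not from Matthew's post or the list): it shows how a plain-text mail client's linkifier turns the bracketed line quoted above into a URL with a trailing "]", and how a server-side handler should reject that parameter with a fixed, uninformative error instead of the verbose message the post mentions. The handler and its messages are hypothetical; the email line is a constructed copy of the one in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the plain-text line from the quoted email.
EMAIL_LINE = "[ http://www.econtentmag.com/Articles/ArticleReader.aspx?ArticleID=18335]"

# What a naive mail-client linkifier does: take everything up to the next
# whitespace, so the closing bracket of the text layout becomes part of the URL.
def linkify(line):
    match = re.search(r"https?://\S+", line)
    return match.group(0) if match else None

# Strict server-side check: a positive decimal integer and nothing else.
ARTICLE_ID_RE = re.compile(r"^[1-9][0-9]{0,8}$")

def article_id_from_url(url):
    """Return ArticleID as an int, or None if it is absent, repeated or malformed."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("ArticleID", [])
    if len(values) != 1 or not ARTICLE_ID_RE.match(values[0]):
        return None
    return int(values[0])

def handle_request(url):
    """Hypothetical handler returning (status, body). The error text is fixed
    and says nothing about the framework, the database or the rejected value."""
    article_id = article_id_from_url(url)
    if article_id is None:
        return 400, "Invalid article reference."
    return 200, "Article %d" % article_id

if __name__ == "__main__":
    clicked = linkify(EMAIL_LINE)
    print(clicked)                  # URL ending in ArticleID=18335]
    print(handle_request(clicked))  # (400, 'Invalid article reference.')
```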
Current thread:
- RE: WAS Informing Companies NOW Announcing ' or 1=1--, (continued)
- RE: WAS Informing Companies NOW Announcing ' or 1=1-- Arian J. Evans (Oct 06)
- RE: Informing Companies about security vulnerabilities... Levenglick, Jeff (Oct 05)
- RE: (illegal?) Informing Companies about security vulnerabilities... Arian J. Evans (Oct 05)
- Re: (illegal?) Informing Companies about security vulnerabilities... Nathan Keltner (Oct 06)
- RE: (illegal?) Informing Companies about security vulnerabilities... Arian J. Evans (Oct 06)
- RE: (illegal?) Informing Companies about security vulnerabilities... Arian J. Evans (Oct 05)
- Re: RE: Informing Companies about security vulnerabilities... none (Oct 05)
- RE: RE: Informing Companies about security vulnerabilities... Levenglick, Jeff (Oct 05)
- RE: Informing Companies about security vulnerabilities... mr . nasty (Oct 05)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 06)
- Re: RE: RE: Informing Companies about security vulnerabilities... none (Oct 05)
- Re[4]: Informing Companies about security vulnerabilities... Matthew Leeds (Oct 06)
- Re: RE: Informing Companies about security vulnerabilities... stillnone (Oct 05)
- RE: Informing Companies about security vulnerabilities... Craig Wright (Oct 05)
- Re: Informing Companies about security vulnerabilities... Art Cooper (Oct 06)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 06)
- RE: Informing Companies about security vulnerabilities... Craig Wright (Oct 06)
- RE: Informing Companies about security vulnerabilities... jason (Oct 06)
- RE: Informing Companies about security vulnerabilities... Craig Wright (Oct 06)
- Informing Companies about security vulnerabilities... Erin Carroll (Oct 06)
- Re: RE: Informing Companies about security vulnerabilities... v0083mw02 (Oct 06)
- Informing Companies about security vulnerabilities... me (Oct 06)