Penetration Testing mailing list archives
Informing Companies about security vulnerabilities...
From: Joseph McCray <joe () learnsecurityonline com>
Date: Wed, 04 Oct 2006 03:07:12 -0400
This probably won't sound like that big of a deal, but it still bothered me so I figured I'd ask the list.

I was teaching a Web Application Security class last week and we were performing simple XSS, SQL Injection, etc. on the vulnerable web apps I use for class. Normally, I go to a live public website or two during the class and we talk about common tests to perform and how to approach certain types of websites. A common subject is how to handle large websites with tons of dynamic content - so the class chose a major newspaper's website for the discussion.

Usually when we do this we only find a few simple things (XSS for example) - no big deal, right? With this particular website we just kept finding another, after another and on and on. Over 600 instances of XSS, over 200 SQL Injection - this was bad. After a while it started to get boring, there were so many....

So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my findings and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I emailed it again and followed up with a phone call. After getting no response to the second email and then having been bounced around from department to department when I called, I just said forget it.

Has anyone else gone through a similar situation? Was the company receptive? Other companies I've contacted in the past have been quite receptive - I'm just curious if other people have gone through this as well. No need to fill the list with this, you can email me directly with your inputs and stories.

--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com

Learn Security Online, Inc.
* Security Games
* Simulators
* Challenge Servers
* Courses
* Hacking Competitions
* Hacklab Access