Penetration Testing mailing list archives

RE: Informing Companies about security vulnerabilities...


From: Brian.Marino () onenterprises com
Date: Wed, 4 Oct 2006 16:10:31 -0400

My sentiments exactly.


From:     bugtraq@cgisecurity.net
Sent by:  listbounce@securityfocus.com
Date:     10/04/2006 03:15 PM
To:       joe () learnsecurityonline com; pen-test () securityfocus com
cc:       bugtraq () securityfocus com
Subject:  RE: Informing Companies about security vulnerabilities...

So you are admitting publicly that you and a class of students that you teach are illegally testing random public websites for the purpose of learning about security vulnerabilities? Sounds like you/your company need to speak with a lawyer.

- Robert
http://www.cgisecurity.com/ Application Security news and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Joseph McCray
Sent: Wednesday, October 04, 2006 3:07 AM
To: pen-test () securityfocus com
Subject: Informing Companies about security vulnerabilities...

This probably won't sound like that big of a deal, but it still bothered me
so I figured I'd ask the list. I was teaching a Web Application Security
class last week and we were performing simple XSS, SQL injection, etc. on
the vulnerable web apps I use for class.


Normally, I go to a live public website or two during the class and we talk
about common tests to perform and how to approach certain types of
websites. A common subject is how to handle large websites with tons of
dynamic content - so the class chose a major newspaper's website for the
discussion.

Usually when we do this we only find a few simple things (XSS for
example) - no big deal, right? With this particular website we just kept
finding another, after another and on and on. Over 600 instances of XSS,
over 200 SQL injections - this was bad. After a while it started to get
boring, there were so many....

So I drafted a letter to the editor as well as several other prominent
people at the newspaper. It detailed my findings and recommended some
possible mitigation strategies. After emailing this I didn't hear anything
for a few days, so I emailed it again and followed up with a phone call.
After getting no response to the second email and then having been bounced
around from department to department when I called, I just said forget it.

Has anyone else gone through a similar situation? Was the company
receptive? Other companies I've contacted in the past have been quite
receptive - I'm just curious if other people have gone through this as
well.

No need to fill the list with this, you can email me directly with your
inputs and stories.

--
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW

------------------------------------------------------------------------