Penetration Testing mailing list archives

Re: Informing Companies about security vulnerabilities...


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Wed, 04 Oct 2006 14:58:00 -0700


On 10/4/06 12:39 PM, "jay.tomas () infosecguru com" <jay.tomas () infosecguru com>
spoketh to all:

> One of the first things that you should teach in your class is Ethical and Permission Granted Assessments of Public Web sites. You had no right to assess their site, which is why you probably got a less than warm reception.
>
> Companies contract and pay for assessment services. A good practice is not to interact with some party that has chosen to run a few tools and type in ' or 1=1-- in all the available input fields.

This really comes down to a matter of opinion, and one of law.  Many times
over the last several years I've "publicly" illustrated potential
vulnerabilities at security conferences and during trainings.

According to my attorney, who is a very respected subject matter expert on
Internet and security law, I have every right to do exactly as I have done.
Publishing a public site explicitly grants me rights to access the site.
Going to the "search" page and entering in ' or 1=1-- is, according to my
attorney, perfectly legal. They host the site publicly, and are *asking me*
to enter something in search textbox. (note US law).

Now, going beyond that--executing code and acquiring internal data from the
back-end servers of the site, well, that's illegal (or can be).  The "how
much is too much" question will ultimately be decided by a judge or jury,
but it does make for interesting dialog.

Personally, I have no problem at all in typing in your standard "test" for
injection.... But I wouldn't do something like collect data and then use
that as an example of vulnerability to provide to the company-- that's just
asking for it.  A warning based on cursory input, sure-- a proof of concept
with your name on it, no way.

I've notified countless companies of potential problems with web-apps, and I
can only think of a couple of times that someone actually got back to me
with a "thanks for that."  I think I got one "I'm going to sue" message that
I just ignored- nothing ever came of it.

So, is it legal to type ' or 1=1-- ?  According to legal experts, yes.  Is
it ethical?  I say "sure." Is it ethical to drop a database?  No.  But,
whether something is legal or not really doesn't have anything to do with
someone trying to sue you for it. So these days, when I come across
something bad enough, the "do-gooder" in me makes me want to at least notify
them - which I do via anonymous email.  Unfortunately, I never know if they
got it or not, but at least I tried.  Statistics tell me that no one will
bother doing anything about it, and CYA now dictates I do it that way, legal
or not.

t
