Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities...
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Wed, 04 Oct 2006 14:58:00 -0700
On 10/4/06 12:39 PM, "jay.tomas () infosecguru com" <jay.tomas () infosecguru com> spoketh to all:
> One of the first things that you should teach in your class is Ethical and Permission Granted Assessments of Public Web sites. You had no right to assess their site, which is probably why you got a less than warm reception. Companies contract and pay for assessment services. A good practice is not to interact with some party that has chosen to run a few tools and type ' or 1=1-- into all the available input fields.
This really comes down to a matter of opinion, and one of law. Many times over the last several years I've "publicly" illustrated potential vulnerabilities at security conferences and during trainings. According to my attorney, who is a very respected subject matter expert on Internet and security law, I have every right to do exactly as I have done. Publishing a public site explicitly grants me rights to access the site. Going to the "search" page and entering ' or 1=1-- is, according to my attorney, perfectly legal. They host the site publicly, and are *asking me* to enter something in the search textbox. (note US law)

Now, going beyond that--executing code and acquiring internal data from the back-end servers of the site--well, that's illegal (or can be). The "how much is too much" question will ultimately be decided by a judge or jury, but it does make for interesting dialog. Personally, I have no problem at all in typing in your standard "test" for injection.... But I wouldn't do something like collect data and then use that as an example of vulnerability to provide to the company-- that's just asking for it. A warning based on cursory input, sure-- a proof of concept with your name on it, no way.

I've notified countless companies of potential problems with web-apps, and I can only think of a couple of times that someone actually got back to me with a "thanks for that." I think I got one "I'm going to sue" message that I just ignored- nothing ever came of it.

So, is it legal to type ' or 1=1-- ? According to legal experts, yes. Is it ethical? I say "sure." Is it ethical to drop a database? No. But, whether something is legal or not really doesn't have anything to do with someone trying to sue you for it.

So these days, when I come across something bad enough, the "do-gooder" in me makes me want to at least notify them - which I do via anonymous email. Unfortunately, I never know if they got it or not, but at least I tried. Statistics tell me that no one will bother doing anything about it, and CYA now dictates I do it that way, legal or not.

t
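What the ' or 1=1-- probe discussed above actually does to a search field, as an added example that is not part of the thread or any poster's code: a constructed in-memory SQLite catalogue with one unpublished row, a search that splices the term into the SQL string (the vulnerable pattern the probe is meant to detect), and the same search written with a bound parameter. The table name, column names and rows are assumptions made for the illustration; the probe reads rows but changes nothing, which is the distinction between cursory input and pulling data or dropping a database.

```python
import sqlite3

# Constructed sample catalogue (not from the list post). The third row is
# unpublished and should never be returned by a public search.
SAMPLE_ROWS = [
    ("Widget", 1),
    ("Gadget", 1),
    ("Internal prototype", 0),
]

# The canonical injection probe from the thread.
PROBE = "' or 1=1--"


def make_db():
    """Build the in-memory table; names are assumptions for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """Anti-pattern: user input concatenated into the SQL text.

    With PROBE the statement becomes
      ... WHERE published = 1 AND name LIKE '%' or 1=1--%'
    The -- comments out the trailing quote, and OR 1=1 is true for
    every row, so the published=1 filter is bypassed.
    """
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    """Same query with the term bound as a parameter: the probe is just
    a literal string to match, never SQL."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def row_count(conn):
    """Total rows, used to show the probe is read-only."""
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]


def run_probe():
    """Run PROBE against both implementations and report what leaked."""
    conn = make_db()
    before = row_count(conn)
    vulnerable = search_vulnerable(conn, PROBE)
    safe = search_parameterised(conn, PROBE)
    return {
        "vulnerable": vulnerable,
        "parameterised": safe,
        "rows_unchanged": row_count(conn) == before,
    }


if __name__ == "__main__":
    for key, value in run_probe().items():
        print(f"{key}: {value}")
```

The vulnerable search returns all three rows, including the unpublished one, which is exactly the signal a tester reads from a search box that suddenly lists everything; the parameterised search returns nothing because no product name contains the probe text. Neither call modifies the table.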