Penetration Testing mailing list archives

RE: (illegal?) Informing Companies about security vulnerabilities...


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Thu, 5 Oct 2006 17:02:49 -0500


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Levenglick, Jeff

Proof that he knows that he did. Because he is teaching a class on
security, he should know it is illegal.

What, exactly, is illegal about it?

I see people keep saying this, but no meat to the comments.

Maybe, perhaps, this is defined by HTML tags in some courts?

<b> is legal but <script> is not? How about hex html encoding?
Or what do you consider XSS testing?

I submit that what is legal has nothing to do with these things
under US law, and to a lesser degree under UK law. Unfortunately,
I do not know enough about EU law to comment.

Someone said you have to see sensitive data to validate SQL
injection, which is a naïve statement. In certain cases, say
using MS T-SQL queries, I can tell quite easily if I can inject
SQL by terminating the query using:  ;--

Some, simply with: '

That is SQL syntax. That is SQL Injection. That does not expose
any sensitive data, and is also, evidently, valid input.

Did I hack? Is it illegal?

Please. The real threat is the injury & impact lawsuit from
a misguided entity with deep pockets, not the criminal courts.

</mindless_speculations>

-ae
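As an added example (mine, not code from the post or from anyone in this thread), the following script shows the kind of syntax-only probe described above: a lone quote breaks a string-built statement, while a quote followed by a comment terminator runs cleanly, and neither reads any data. The post talks about MS T-SQL; this example assumes an in-memory SQLite database via Python's sqlite3 module instead, and the table, rows and probe strings are constructed for the example. In SQLite the `';--` probe works because everything after the semicolon is a comment, so the driver's one-statement-at-a-time check finds nothing left to run.

```python
import sqlite3

# Constructed sample data for this added example; not from the original thread.
SAMPLE_USERS = ["alice", "bob", "o'brien"]

# Probes in the spirit of the post: a baseline name, a legitimate apostrophe in
# data, a lone quote, and two "terminate the literal, comment out the rest" inputs.
PROBES = ["alice", "o'brien", "'", "'--", "';--"]


def make_db():
    """In-memory SQLite table standing in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, active INTEGER NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, 1)", [(n,) for n in SAMPLE_USERS])
    conn.commit()
    return conn


def count_vulnerable(conn, name):
    """Builds the query by string formatting: user input becomes SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s' AND active = 1" % name
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, name):
    """Same query with a bound parameter: user input stays data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND active = 1"
    return conn.execute(sql, (name,)).fetchone()[0]


def probe(lookup, conn, probes=PROBES):
    """Run each probe through `lookup` and record what the database said.

    Returns {probe: "ok:<count>"} when the statement ran, or
    {probe: "error:<ExceptionClass>"} when the database rejected it.
    """
    results = {}
    for p in probes:
        try:
            results[p] = "ok:%d" % lookup(conn, p)
        except sqlite3.Error as exc:
            results[p] = "error:" + type(exc).__name__
    return results


def looks_injectable(results):
    """Heuristic matching the post's argument: a lone quote breaks the statement
    while a quote followed by a comment terminator runs cleanly. No data is read
    to reach this verdict; it rests on syntax alone."""
    return results["'"].startswith("error:") and results["'--"].startswith("ok:")


if __name__ == "__main__":
    conn = make_db()
    for label, fn in (("string-built query", count_vulnerable),
                      ("parameterized query", count_parameterized)):
        r = probe(fn, conn)
        print(label, r, "injectable:", looks_injectable(r))
```

Note that the legitimate name `o'brien` also breaks the string-built query, which is the post's point about the quote being "evidently valid input": the same character is data in one request and syntax in the next, and only the parameterized version treats every probe as data.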




