Penetration Testing mailing list archives

Re[4]: Informing Companies about security vulnerabilities...


From: "Matthew Leeds" <mleeds () theleeds net>
Date: Fri, 06 Oct 2006 09:11:54 -0700

I'm on a mailing list from a publishing company. They send out HTML-formatted email; I use a POP client that can be 
toggled to not render HTML. Consequently I get something that looks like this:

==========snip==============

Adobe Adds Blogging to Contribute 4
<http://www.econtentmag.com/Articles/ArticleReader.aspx?ArticleID=18335>

Adobe Systems Incorporated has announced the immediate availability of
Adobe Contribute 4 software, a new version of its web publishing
solution designed for business, education, and government workers to
contribute content to the web without having to learn HTML.
[
http://www.econtentmag.com/Articles/ArticleReader.aspx?ArticleID=18335]
[ Back to Contents...]

==========snip==============

Now, clicking on the first link works correctly; however, the second renders interesting results. Would my clicking on 
the second link be considered a trespass? A pen test? The form of the link is an artifact of the transmission of the 
email.

This is, of course, aside from the wisdom of displaying verbose error messages of the type found when clicking on this 
link.

----------
---Matthew
*********** REPLY SEPARATOR  ***********

On 10/5/2006 at 9:06 PM none () none com wrote:

so sticking ' or 1=1 or any variant like that is all that it takes to
conduct a pen test?

or just sticking <script> tags into forms and seeing the response is a
pen test?

is using a web scanner that tests for XSS or SQL injection a pen test?

running some BS web scanner against a site isn't a pen test even though
a lot of people on this list seem to think it is...
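Matthew's observation above (the wrapped link delivers `ArticleID=18335]` and the site answers with a verbose error) as an added example, not code from the thread or from the site: a hypothetical Python request handler in the weak form that echoes the conversion failure, beside a hardened form that validates the parameter's shape and returns a generic response. The URL is the one quoted in the post; the article table, the ID format and both handlers are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the wrapped link in the post: the plain-text client
# appends the closing ']' of "[ ... ]" to the URL it extracts.
GOOD_URL = "http://www.econtentmag.com/Articles/ArticleReader.aspx?ArticleID=18335"
MANGLED_URL = GOOD_URL + "]"

# Constructed article store standing in for the site's database (hypothetical).
ARTICLES = {18335: "Adobe Adds Blogging to Contribute 4"}

# Assumed shape of a valid ArticleID: a positive integer of up to nine digits.
ARTICLE_ID = re.compile(r"[1-9][0-9]{0,8}")


def _article_param(url: str) -> str:
    """Pull the raw ArticleID query value ('' when absent), as the server sees it."""
    return parse_qs(urlsplit(url).query).get("ArticleID", [""])[0]


def verbose_handler(url: str) -> tuple[int, str]:
    """Weak form: converts the raw value and reports the failure verbatim,
    so a malformed link gets back the offending value plus internal detail."""
    raw = _article_param(url)
    try:
        article_id = int(raw)
    except ValueError as exc:
        # Leaks the exception text ("invalid literal for int() ... '18335]'").
        return 500, f"Server Error: {type(exc).__name__}: {exc}"
    title = ARTICLES.get(article_id)
    return (200, title) if title else (404, "Not found")


def hardened_handler(url: str) -> tuple[int, str]:
    """Hardened form: check the parameter's shape before using it and answer
    every malformed value with the same generic message (log detail server-side)."""
    raw = _article_param(url)
    if not ARTICLE_ID.fullmatch(raw):
        return 400, "Bad request"
    title = ARTICLES.get(int(raw))
    return (200, title) if title else (404, "Not found")
```

The mangled URL reaches the server as an ordinary GET; only the response differs, which is why a generic error body matters more than blocking the request.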

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
