Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities...
From: gat0r <gat0r () toughguy net>
Date: Wed, 04 Oct 2006 21:44:29 -0600
If the armchair lawyers and their lap dogs are done giving their free advice and stroking their egos... Perhaps we could get some input from some people who have actually done some real security work and audits on this situation, legal opinions on scanning a public website aside. Thanks to Steve for a decent response to the question. Frankly its naïve to a have internet public facing anything and not expect it to get scanned and (at some point) owned. I would personally rather get an email from a guy helping me fix my site versus waking up and not having the index.html I left it with the day before. And a defacement is probably the lesser of all the potential evils... -G On 10/4/06 2:10 PM, "Brian.Marino () onenterprises com" <Brian.Marino () onenterprises com> wrote:
My sentiments exactly. bugtraq@cgisecuri ty.net Sent by: To listbounce@securi joe () learnsecurityonline com;, tyfocus.com pen-test () securityfocus com cc bugtraq () securityfocus com 10/04/2006 03:15 Subject PM RE: Informing Companies about security vulnerabilities... So you are admitting publicly that you and a class of students that you teach are illegally testing random public websites for the purpose of learning about security vulnerabilities? Sounds like you/your company need to speak with a lawyer. - Robert http://www.cgisecurity.com/ Application Security news and more http://www.cgisecurity.com/index.rss [RSS Security Feed] -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Joseph McCray Sent: Wednesday, October 04, 2006 3:07 AM To: pen-test () securityfocus com Subject: Informing Companies about security vulnerabilities... This probably won't sound like that big of a deal, but it still bothered me so I figured I'd ask the list. I was teaching a Web Application Security class last week and we were performing simple XXS, SQL Injection, etc on the vulnerable web apps I use for class. Normally, I go to a live public website or two during the class and we talk about common tests to perform and how to approach certain types of websites. A common subject is how to handle large website with tons of dymanic content - so the class chose a major newspaper's website for the discussion. Usually when we do this we only find a few simple things (XXS for example) - no big deal right. With this particular website we just kept finding another, after another and on and on. Over 600 instances of XXS, over 200 SQL Injection - this was bad. After a while it started to get boring there was so many.... So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my finding and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I emailed it again and followed up with a phone call. After getting no response to the second email and then having been bounced around from department to department when I called I just said forget it. Has anyone else gone through a similar situation? Was the company receptive? Other companies I've contacted in the past have been quite receptive - I'm just curious if other people have gone through this as well. No need to fill the list with this, you can email me directly with your inputs and stories. -- Joe McCray Toll Free: 1-866-892-2132 Email: joe () learnsecurityonline com Web: https://www.learnsecurityonline.com Learn Security Online, Inc. * Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016000000 08bOW ------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016000000 08bOW ------------------------------------------------------------------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Re: Informing Companies about security vulnerabilities..., (continued)
- Re: Informing Companies about security vulnerabilities... Wolf Halton (Oct 04)
- Re: Informing Companies about security vulnerabilities... Micro Kluge (Oct 06)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 04)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 05)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 05)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 05)
- Re: Informing Companies about security vulnerabilities... s-williams (Oct 05)
- Re: Informing Companies about security vulnerabilities... Wolf Halton (Oct 04)
- Re: Informing Companies about security vulnerabilities... Dan Catalin Vasile (Oct 05)
- RE: Informing Companies about security vulnerabilities... bugtraq (Oct 04)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)
- Re: Informing Companies about security vulnerabilities... gat0r (Oct 06)
- Re: Informing Companies about security vulnerabilities... Dragos Ruiu (Oct 05)
- RE: Informing Companies about security vulnerabilities... Brian . Marino (Oct 04)
- Re: Informing Companies about security vulnerabilities... jay.tomas (Oct 04)
- Re: Informing Companies about security vulnerabilities... Thor (Hammer of God) (Oct 04)
- Re: Informing Companies about security vulnerabilities... Stefano Zanero (Oct 05)
- Re: Informing Companies about security vulnerabilities... Thor (Hammer of God) (Oct 04)
- RE: Informing Companies about security vulnerabilities... Krpata, Tyler (Oct 04)
- Re: Informing Companies about security vulnerabilities... bugtraq (Oct 04)
- RE: Informing Companies about security vulnerabilities... Craig Wright (Oct 04)
- Re: Informing Companies about security vulnerabilities... techlists (Oct 04)
- RE: Informing Companies about security vulnerabilities... Craig Wright (Oct 05)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 05)