Informing Companies about security vulnerabilities...
This probably won't sound like that big of a deal, but it still bothered
me so I figured I'd ask the list. I was teaching a Web Application
Security class last week and we were performing simple XSS, SQL
Injection, etc. on the vulnerable web apps I use for class.


Normally, I go to a live public website or two during the class and we
talk about common tests to perform and how to approach certain types of
websites. A common subject is how to handle large websites with tons of
dynamic content - so the class chose a major newspaper's website for the
discussion.

Usually when we do this we only find a few simple things (XSS for
example) - no big deal, right? With this particular website we just kept
finding another, after another, and on and on. Over 600 instances of XSS,
over 200 SQL Injection - this was bad. After a while it started to get
boring, there were so many...

So I drafted a letter to the editor as well as several other prominent
people at the newspaper. It detailed my findings and recommended some
possible mitigation strategies. After emailing this I didn't hear
anything for a few days, so I emailed it again and followed up with a
phone call. After getting no response to the second email and then
having been bounced around from department to department when I called, I
just said forget it.

Has anyone else gone through a similar situation? Was the company
receptive? Other companies I've contacted in the past have been quite
receptive - I'm just curious if other people have gone through this as
well.

No need to fill the list with this, you can email me directly with your
inputs and stories.

--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe@xxxxxxxxxxxxxxxxxxxxxxx
Web: https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access
