RE: Informing Companies about security vulnerabilities...
- From: "Clemens, Dan" <Dan.Clemens@xxxxxxxxxxxxxxx>
- Date: Wed, 4 Oct 2006 14:31:02 -0500
Joe,
> Normally, I go to a live public website or two during the class and we talk about common tests to perform and how to
> approach certain types of websites. A common subject is how to handle a large website with tons of dynamic content - so
> the class chose a major newspaper's website for the discussion.
Do you normally perform security assessments or pentests against
networks that do not give you permission to do so?
> Usually when we do this we only find a few simple things (XSS for example) - no big deal right. With this particular
> website we just kept finding another, after another and on and on. Over 600 instances of XSS, over 200 SQL Injection -
> this was bad. After a while it started to get boring there was so many....
> So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my findings
> and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I
> emailed it again and followed up with a phone call. After getting no response to the second email and then having been
> bounced around from department to department when I called I just said forget it.
> Has anyone else gone through a similar situation? Was the company receptive? Other companies I've contacted in the past
> have been quite receptive - I'm just curious if other people have gone through this as well.
I think I can speak for most people on the list saying - it sounds like
what you're doing is unacceptable and unprofessional.
If you stumble across vulnerabilities you should report them, but please
don't have an entire class of individuals testing someone's web
application without being granted permission to do so.
The newspaper is probably gathering their legal team for a formal
response and possible legal action against you at this very moment.
In fact, they probably found this archive of admission logged on the
internet and collected it for their evidence :P
-Daniel Clemens
- References:
- Informing Companies about security vulnerabilities... - From: Joseph McCray