RE: Informing Companies about security vulnerabilities...

From: Clemens, Dan (Dan.Clemens@healthsouth.com)
Date: Wed Oct 04 2006 - 15:31:02 EDT


Joe,
 
>Normally, I go to a live public website or two during the class and we
>talk about common tests to perform and how to approach certain types of
>websites. A common subject is how to handle large websites with tons of
>dynamic content - so the class chose a major newspaper's website for the
>discussion.

Do you normally perform security assessments or pentests against
networks that do not give you permission to do so?

>Usually when we do this we only find a few simple things (XSS for
>example) - no big deal right. With this particular website we just kept
>finding another, after another and on and on.
>
>Over 600 instances of XSS, over 200 SQL Injection - this was bad.
>After a while it started to get boring there were so many....

>So I drafted a letter to the editor as well as several other prominent
>people at the newspaper. It detailed my findings and recommended some
>possible mitigation strategies. After emailing this I didn't hear
>anything for a few days, so I emailed it again and followed up with a
>phone call. After getting no response to the second email and then
>having been bounced around from department to department when I called
>I just said forget it.

>Has anyone else gone through a similar situation? Was the company
>receptive? Other companies I've contacted in the past have been quite
>receptive - I'm just curious if other people have gone through this as
>well.

I think I can speak for most people on the list in saying that it sounds
like what you're doing is unacceptable and unprofessional.

If you stumble across vulnerabilities you should report them, but please
don't have an entire class of individuals testing someone's web
application without being granted permission to do so.

The newspaper is probably gathering their legal team for a formal
response and possible legal action against you at this very moment.

In fact, they probably found this archive of admission logged on the
internet and collected it for their evidence :P

-Daniel Clemens

