Re: Informing Companies about security vulnerabilities...

From: jay.tomas@infosecguru.com
Date: Wed Oct 04 2006 - 15:39:31 EDT


I dont want this to come across as a flame. But want to be clear and direct with my message.

One of the first things that you should teach in your class is Ethical and Permission Granted
Assessments of Public Web sites. You had no right to assess their site, which is why you probably
got a less than a warm reception.

Companies contract and pay for assessment services. A good practice is not to interact with some
party that has chosen to run a few tools and typing in ' or 1=1-- in all the available input
fields.

This is responsible approach to assessment. I would suggest you spend some time with Foundstone or
OWASP to get some of their test environments, e.g. HACME BANK, WEBGOAT for your presentations.

----- Original Message -----
From: Joseph McCray
To: pen-test@securityfocus.com
Sent: Wed, 04 Oct 2006 03:07:12 -0400
Subject: Informing Companies about security vulnerabilities...

This probably won't sound like that big of a deal, but it still bothered
me so I figured I'd ask the list. I was teaching a Web Application
Security class last week and we were performing simple XXS, SQL
Injection, etc on the vulnerable web apps I use for class.

Normally, I go to a live public website or two during the class and we
talk about common tests to perform and how to approach certain types of
websites. A common subject is how to handle large website with tons of
dymanic content - so the class chose a major newspaper's website for the
discussion.

Usually when we do this we only find a few simple things (XXS for
example) - no big deal right. With this particular website we just kept
finding another, after another and on and on. Over 600 instances of XXS,
over 200 SQL Injection - this was bad. After a while it started to get
boring there was so many....

So I drafted a letter to the editor as well as several other prominent
people at the newspaper. It detailed my finding and recommended some
possible mitigation strategies. After emailing this I didn't hear
anything for a few days, so I emailed it again and followed up with a
phone call. After getting no response to the second email and then
having been bounced around from department to department when I called I
just said forget it.

Has anyone else gone through a similar situation? Was the company
receptive? Other companies I've contacted in the past have been quite
receptive - I'm just curious if other people have gone through this as
well.

No need to fill the list with this, you can email me directly with your
inputs and stories.

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:05 EDT