RE: Informing Companies about security vulnerabilities...
So you are admitting publicly that you and a class of students that you teach are illegally testing random public websites for the purpose of learning about security vulnerabilities? Sounds like you/your company need to speak with a lawyer.
- Robert
http://www.cgisecurity.com/ Application Security news and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Joseph McCray
Sent: Wednesday, October 04, 2006 3:07 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Informing Companies about security vulnerabilities...
This probably won't sound like that big of a deal, but it still bothered me, so I figured I'd ask the list. I was teaching a Web Application Security class last week and we were performing simple XSS, SQL Injection, etc. on the vulnerable web apps I use for class.
Normally, I go to a live public website or two during the class and we talk about common tests to perform and how to approach certain types of websites. A common subject is how to handle large websites with tons of dynamic content, so the class chose a major newspaper's website for the discussion.
Usually when we do this we only find a few simple things (XSS, for example) - no big deal, right? With this particular website we just kept finding another, after another, and on and on. Over 600 instances of XSS, over 200 SQL Injection - this was bad. After a while it started to get boring, there were so many....
So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my findings and recommended some possible mitigation strategies. After emailing this I didn't hear anything for a few days, so I emailed it again and followed up with a phone call. After getting no response to the second email and then having been bounced around from department to department when I called, I just said forget it.
Has anyone else gone through a similar situation? Was the company receptive? Other companies I've contacted in the past have been quite receptive - I'm just curious if other people have gone through this as well.
No need to fill the list with this; you can email me directly with your inputs and stories.
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe@xxxxxxxxxxxxxxxxxxxxxxx
Web: https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access