Re: [Full-disclosure] posting xss notifications in sites vs software packages
Well, in Germany our law regarding security in general is very, very vague. It basically says that you have to go to prison if you produce or publish any information and/or tools (for so-called hacking purposes) in preparation for a criminal offense. And: if you get unauthorized access to data which is specially secured, by evading the security mechanisms. But the European Expert Group for IT Security says that especially the first part does not apply if you're dealing with information and tools in a good-natured way, using e.g. detailed reporting or documentation. So I think it's hard to say if looking for a custom website vulnerability (and finally not using it for bad purposes) is illegal... at least it depends on how the judge defines "criminal offense" and interprets your behavior.

@Valdis: Therefore: agree :)

Regards
Julien

On 02/09/2012 03:23 AM, valdis.kletni...@vt.edu wrote:
> On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
>> A general question: is it legal to search for XSS vulnerabilities on custom websites?
>
> Yes. No. Maybe. Depends where you live, where the web server is physically located, and where the corporate headquarters are.
>
> In the US, the law you need to worry about most is 18 USC 1030:
> http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_1030000-.html
>
> ... having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information...
>
> It's going to come down to whether the jury believes the prosecutor's version or your version of what "exceeding authorized access" means - which is why professional pen testers make sure they get a Get Out Of Jail Free card, and negotiate rules of engagement (what's allowed, what's not) as part of the contract. You amateur pen testers are on your own. ;)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] posting xss notifications in sites vs software packages
What is the point of posting notifications of XSS vulnerabilities in specific web sites instead of alerts of XSS vulns in specific software packages?

This question was prompted by all the postings by that vulnerability lab stuff.
Re: [Full-disclosure] posting xss notifications in sites vs software packages
Typically you will run into instances where a website is employing a custom CMS/plugin/module/whatever, and as such there may not be a specific software to call out as the one at fault. It's like finding an XSS in Microsoft: 99% chance they are running their own custom CMS, so at that point you are just left with saying that Microsoft is vulnerable to XSS, as there is no name to the software at hand.

On Tue, Feb 7, 2012 at 6:18 PM, b b...@advisoryalerts.com wrote:
> What is the point of posting notifications of XSS vulnerabilities in specific web sites instead of alerts of XSS vulns in specific software packages?
>
> This question was prompted by all the postings by that vulnerability lab stuff.
Re: [Full-disclosure] posting xss notifications in sites vs software packages
On Tue, Feb 07, 2012 at 06:18:24PM -0500, b wrote:
> What is the point of posting notifications of XSS vulnerabilities in specific web sites instead of alerts of XSS vulns in specific software packages?
>
> This question was prompted by all the postings by that vulnerability lab stuff.

In some cases, a cross site scripting vulnerability in a given site can affect a large user base and the code is custom to the business. As an example, a cross site scripting issue in gmail is probably more catastrophic than a cross site scripting vuln in some half-rate CMS.

Not to mention there's the other situation where small website design shops repackage other open source code, brand it as part of their offering, and never provide updates to their customers. The Internet is a mess.

$0.02

-Todd
Re: [Full-disclosure] posting xss notifications in sites vs software packages
On Tue, Feb 7, 2012 at 4:18 PM, b b...@advisoryalerts.com wrote:
> What is the point of posting notifications of XSS vulnerabilities in specific web sites instead of alerts of XSS vulns in specific software packages?

I think there are at least 2 reasons:

1. We have pretty good data about bugs in published software packages because those vendors will usually disclose the issues and we can track it and know what's going on. But we don't have good data for security bugs in completely custom code. I think it's helpful to prove the point that custom code has security bugs too, even if we don't see CVE numbers for it.

2. If you are a customer of one of those sites you can use the knowledge of a bug in the site to take proactive measures like disabling javascript/flash/java/etc. when visiting that site if you know it has XSS. Or simply not logging in until a CSRF issue is fixed.

Regards,
Greg

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
Re: [Full-disclosure] posting xss notifications in sites vs software packages
A general question: is it legal to search for XSS vulnerabilities on custom websites?

Julien

On 02/08/2012 04:37 PM, Packet Storm wrote:
> On Tue, Feb 07, 2012 at 06:18:24PM -0500, b wrote:
>> What is the point of posting notifications of XSS vulnerabilities in specific web sites instead of alerts of XSS vulns in specific software packages?
>>
>> This question was prompted by all the postings by that vulnerability lab stuff.
>
> In some cases, a cross site scripting vulnerability in a given site can affect a large user base and the code is custom to the business. As an example, a cross site scripting issue in gmail is probably more catastrophic than a cross site scripting vuln in some half-rate CMS.
>
> Not to mention there's the other situation where small website design shops repackage other open source code, brand it as part of their offering, and never provide updates to their customers. The Internet is a mess.
>
> $0.02
>
> -Todd
Re: [Full-disclosure] posting xss notifications in sites vs software packages
On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
> A general question: is it legal to search for XSS vulnerabilities on custom websites?

Yes. No. Maybe. Depends where you live, where the web server is physically located, and where the corporate headquarters are.

In the US, the law you need to worry about most is 18 USC 1030:
http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_1030000-.html

... having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information...

It's going to come down to whether the jury believes the prosecutor's version or your version of what "exceeding authorized access" means - which is why professional pen testers make sure they get a Get Out Of Jail Free card, and negotiate rules of engagement (what's allowed, what's not) as part of the contract. You amateur pen testers are on your own. ;)
Re: [Full-disclosure] posting xss notifications in sites vs software packages
Typically, if you are in the US, are testing a server in the US, owned by a company headquartered in the US, it is legal to find reflective XSS so long as you don't crash any services. Crashing any services can be seen as a DoS attack, and then you are screwed. Moreover, if you crash a service and cost the company more than 5k USD, then you have a risk of the FBI trying you for cybercrime.

*I DO NOT CONDONE TESTING SITES YOU DON'T HAVE PERMISSION TO TEST*

On Wed, Feb 8, 2012 at 9:23 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
>> A general question: is it legal to search for XSS vulnerabilities on custom websites?
>
> Yes. No. Maybe. Depends where you live, where the web server is physically located, and where the corporate headquarters are.
>
> In the US, the law you need to worry about most is 18 USC 1030:
> http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_1030000-.html
>
> ... having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information...
>
> It's going to come down to whether the jury believes the prosecutor's version or your version of what "exceeding authorized access" means - which is why professional pen testers make sure they get a Get Out Of Jail Free card, and negotiate rules of engagement (what's allowed, what's not) as part of the contract. You amateur pen testers are on your own. ;)