Security vulnerability
Let's see how evil you guys are. What would you do if you found a security vulnerability on someone's web site, no matter how big or small?
- John Cartwright
- Site Admin
- feyd
- Neighborhood Spidermoddy
firstly, I'd move this thread.
Then it all depends on the threat level of the vulnerability. If high enough (damaging enough if exploited), I alert the company, giving them (depending on severity) a few weeks to six months to fix. After which, I make the data "public"... that is, unless they ask me to remain silent. Sometimes I'll wait longer, but also work with them, sorta, to fix it. This is true especially if customer data could be affected.
- shiznatix
- DevNet Master
Jcart wrote: I generally would find the exploit and then report it.
Exactly. Like if they accidentally are able to let me run linux commands on the server, I would check to see if I could read the contents of the dir, which would be exploiting it, just to make sure. This would be harmless as I'm not doing anything, but I am exploiting it, and then I would tell them that I was able to do things.
I don't really see how you can not find an exploit by not trying it
I have in the past, when not able to find an email address of an admin, just done a javascript alert "fix this" thing when you go to a part of the website where I found a vulnerability, because I don't have time to wait for that person to respond, and with the alert you know they are going to fix it.
Well to me, finding a vulnerability implies either
1) code review of public code (open source), possibly with a test on a local system (the reporter's own)
2) A user, in the course of normal use, noticing that s/he was given access to something s/he shouldn't have access to
3) A user accidentally doing something and 2) (perhaps they edited a bookmark by accident, etc)
Exploiting a vulnerability implies
1) "Fooling" around with a known/suspected vulnerability on a live site.
2) Actively trying to escalate a known vulnerability on a live site to a greater vulnerability
nielsene wrote: Well to me, finding a vulnerability implies either
1) code review of public code (open source), possibly with a test on a local system (the reporter's own)
2) A user, in the course of normal use, noticing that s/he was given access to something s/he shouldn't have access to
3) A user accidentally doing something and 2) (perhaps they edited a bookmark by accident, etc)
Thanks, I guess this is what was meant by the original question. In my opinion, all of these can also be defined as exploiting a vulnerability. Where the code resides, whether the exploit is intentional, and things like this don't alter my definition of exploit.
Interesting. :-)
shiflett wrote: Thanks, I guess this is what was meant by the original question. In my opinion, all of these can also be defined as exploiting a vulnerability. Where the code resides, whether the exploit is intentional, and things like this don't alter my definition of exploit. Interesting.
Even case 1? I can understand some people still calling 2 and 3 exploits, even if unintentional. Case 1 is not an exploit, unless you consider all code audits/security work exploits.....
nielsene wrote: Even case 1?
Yeah, what you call a test is a synonym for exploit (as I define it). Without exploiting a vulnerability at least once, it's difficult to verify that it's actually a vulnerability. Even when I review code, I can be pretty sure of a vulnerability sometimes, but I really need an exploit to verify it.
Anyway, I wasn't wanting to spark a debate. I could just tell that I was misunderstanding the original question, because it made no sense to me. :-)
Thanks for clarifying.
shiflett wrote: Yeah, what you call a test is a synonym for exploit (as I define it). Without exploiting a vulnerability at least once, it's difficult to verify that it's actually a vulnerability. Even when I review code, I can be pretty sure of a vulnerability sometimes, but I really need an exploit to verify it.
I think you hit the nail on the head: it really comes down to a topicality issue - how are things defined?
SANS defines vulnerability as:
Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
It's important to note that they don't clearly define attacks or exploits, and generally have broad definitions for both that, like you said, often include even testing. A poor choice of settings on a portscan can take certain equipment offline - if that doesn't constitute an attack or an exploit, I fail to understand what would, but it's clearly also just a test.
So "exploit" is probably a poor choice of words. It starts to become a question of intent, or motive, which is hard to prove.
Thankfully, the original question is asking people what *they* would do. With that, I think it's easier. The question can fairly be answered with a rewrite of the terms:
Would you attempt to cause damage if you found a vulnerability?
And in that case, I think (nearly) everyone here will say no.