Security vulnerability

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Poll: What would you do if you found a security hole?

Exploit it, don't tell webmaster: 1 vote (5%)
Exploit it, tell webmaster: 9 votes (47%)
Don't exploit it, tell webmaster: 9 votes (47%)
Don't do anything, leave site: 0 votes

Total votes: 19

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana


Post by s.dot »

Let's see how evil you guys are. What would you do if you found a security vulnerability on someone's web site, no matter how big or small?

shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

I exploit it, but without doing any damage. Otherwise it might not be a real vulnerability.

John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I generally would find the exploit and then report it.
I don't really see how you can not find an exploit by not trying it :wink:
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Firstly, I'd move this thread.

Then it all depends on the threat level of the vulnerability. If high enough (damaging enough if exploited), I alert the company, giving them (depending on severity) a few weeks to six months to fix. After which, I make the data "public", that is, unless they ask me to remain silent. Sometimes I'll wait longer, but also work with them, sort of, to fix it. This is true especially if customer data could be affected.

shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Jcart wrote:
I generally would find the exploit and then report it.
I don't really see how you can not find an exploit by not trying it :wink:

Exactly. Like if they accidentally are able to let me run Linux commands on the server, I would check to see if I could read the contents of the dir, which would be exploiting it, just to make sure. This would be harmless as I'm not doing anything, but I am exploiting it, and then I would tell them that I was able to do things.

I have in the past, when not able to find an email address of an admin, just done a JavaScript alert "fix this" thing when you go to the part of the website where I found a vulnerability, because I don't have time to wait for that person to respond, and with the alert you know they are going to fix it.

shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

What is the difference between finding a security vulnerability and exploiting it?
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Well, to me, finding a vulnerability implies either
1) code review of public code (open source), possibly with a test on a local (reporter's own) system
2) A user, in the course of normal use, noticing that s/he was given access to something s/he shouldn't have access to
3) A user accidentally doing something and 2) (perhaps they edited a bookmark by accident, etc.)

Exploiting a vulnerability implies
1) "Fooling" around with a known/suspected vulnerability on a live site.
2) Actively trying to escalate a known vulnerability on a live site to a greater vulnerability

shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

nielsene wrote:
Well, to me, finding a vulnerability implies either
1) code review of public code (open source), possibly with a test on a local (reporter's own) system
2) A user, in the course of normal use, noticing that s/he was given access to something s/he shouldn't have access to
3) A user accidentally doing something and 2) (perhaps they edited a bookmark by accident, etc.)

Thanks, I guess this is what was meant by the original question. In my opinion, all of these can also be defined as exploiting a vulnerability. Where the code resides, whether the exploit is intentional, and things like this don't alter my definition of exploit.

Interesting. :-)

nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

shiflett wrote:
nielsene wrote:
Well, to me, finding a vulnerability implies either
1) code review of public code (open source), possibly with a test on a local (reporter's own) system
2) A user, in the course of normal use, noticing that s/he was given access to something s/he shouldn't have access to
3) A user accidentally doing something and 2) (perhaps they edited a bookmark by accident, etc.)

Thanks, I guess this is what was meant by the original question. In my opinion, all of these can also be defined as exploiting a vulnerability. Where the code resides, whether the exploit is intentional, and things like this don't alter my definition of exploit.

Interesting. :-)

Even case 1? I can understand some people still calling 2 and 3 exploits, even if unintentional. Case 1 is not an exploit, unless you consider all code audits/security work exploits...

shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

nielsene wrote:
Even case 1?

Yeah, what you call a test is a synonym for exploit (as I define it). Without exploiting a vulnerability at least once, it's difficult to verify that it's actually a vulnerability. Even when I review code, I can be pretty sure of a vulnerability sometimes, but I really need an exploit to verify it.

Anyway, I wasn't wanting to spark a debate. I could just tell that I was misunderstanding the original question, because it made no sense to me. :-)

Thanks for clarifying.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

shiflett wrote:
Yeah, what you call a test is a synonym for exploit (as I define it). Without exploiting a vulnerability at least once, it's difficult to verify that it's actually a vulnerability. Even when I review code, I can be pretty sure of a vulnerability sometimes, but I really need an exploit to verify it.

I think you hit the nail on the head: It really comes down to a topicality issue - how are things defined?

SANS defines vulnerability as:
Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

It's important to note that they don't clearly define attacks or exploits, and generally have broad definitions for both that, like you said, often include even testing. A poor choice of settings on a portscan can take certain equipment offline; if that doesn't constitute an attack or an exploit, I fail to understand what would, but it's clearly also just a test.

So "exploit" is probably a poor choice of words. It starts to become a question of intent, or motive, which is hard to prove.

Thankfully, the original question is asking people what *they* would do. With that, I think it's easier. The question can fairly be answered with a rewrite of the terms:

Would you attempt to cause damage if you found a vulnerability?

And in that case, I think (nearly) everyone here will say no.