Security vulnerability

Posted: Wed Aug 10, 2005 12:15 pm
by s.dot
Let's see how evil you guys are. What would you do if you found a security vulnerability on someone's web site, no matter how big or small?

Posted: Wed Aug 10, 2005 12:20 pm
by shiznatix
I exploit it, but without doing any damage. Otherwise it might not be a real vulnerability.

Posted: Wed Aug 10, 2005 12:29 pm
by John Cartwright
I generally would find the exploit and then report it.
I don't really see how you can not find an exploit by not trying it :wink:

Posted: Wed Aug 10, 2005 2:34 pm
by feyd
Firstly, I'd move this thread.

Then it all depends on the threat level of the vulnerability. If high enough (damaging enough if exploited), I alert the company, giving them (depending on severity) a few weeks to six months to fix. After which, I make the data "public"... that is, unless they ask me to remain silent. Sometimes I'll wait longer, but also work with them, sorta, to fix it. This is true especially if customer data could be affected.

Posted: Wed Aug 10, 2005 3:18 pm
by shiznatix
Jcart wrote:I generally would find the exploit and then report it.
I don't really see how you can not find an exploit by not trying it :wink:
Exactly. Like if they accidentally are able to let me run Linux commands on the server, I would check to see if I could read the contents of the dir, which would be exploiting it, just to make sure. This would be harmless as I'm not doing anything, but I am exploiting it, and then I would tell them that I was able to do things.

I have in the past, when not able to find an email address of an admin, just done a JavaScript alert "fix this" thing when you go to a part of the website where I found a vulnerability, because I don't have time to wait for that person to respond, and with the alert you know they are going to fix it.

Posted: Sun Aug 14, 2005 8:01 pm
by shiflett
What is the difference between finding a security vulnerability and exploiting it?

Posted: Sun Aug 14, 2005 8:08 pm
by nielsene
Well, to me, finding a vulnerability implies either
1) code review of public code (open source), possibly with a test on a local (reporter's own) system
2) A user, in the course of normal use, noticing that s/he was given access to something s/he shouldn't have access to
3) A user accidentally doing something and 2) (perhaps they edited a bookmark by accident, etc.)

Exploiting a vulnerability implies
1) "Fooling" around with a known/suspected vulnerability on a live site.
2) Actively trying to escalate a known vulnerability on a live site to a greater vulnerability

Posted: Sun Aug 14, 2005 8:42 pm
by shiflett
nielsene wrote:Well, to me, finding a vulnerability implies either
1) code review of public code (open source), possibly with a test on a local (reporter's own) system
2) A user, in the course of normal use, noticing that s/he was given access to something s/he shouldn't have access to
3) A user accidentally doing something and 2) (perhaps they edited a bookmark by accident, etc.)
Thanks, I guess this is what was meant by the original question. In my opinion, all of these can also be defined as exploiting a vulnerability. Where the code resides, whether the exploit is intentional, and things like this don't alter my definition of exploit.

Interesting. :-)

Posted: Sun Aug 14, 2005 9:52 pm
by nielsene
shiflett wrote:
nielsene wrote:Well, to me, finding a vulnerability implies either
1) code review of public code (open source), possibly with a test on a local (reporter's own) system
2) A user, in the course of normal use, noticing that s/he was given access to something s/he shouldn't have access to
3) A user accidentally doing something and 2) (perhaps they edited a bookmark by accident, etc.)
Thanks, I guess this is what was meant by the original question. In my opinion, all of these can also be defined as exploiting a vulnerability. Where the code resides, whether the exploit is intentional, and things like this don't alter my definition of exploit.

Interesting. :-)
Even case 1? I can understand some people still calling 2 and 3 exploits, even if unintentional. Case 1 is not an exploit, unless you consider all code audits/security work exploits...

Posted: Sun Aug 14, 2005 10:01 pm
by shiflett
nielsene wrote:Even case 1?
Yeah, what you call a test is a synonym for exploit (as I define it). Without exploiting a vulnerability at least once, it's difficult to verify that it's actually a vulnerability. Even when I review code, I can be pretty sure of a vulnerability sometimes, but I really need an exploit to verify it.

Anyway, I wasn't wanting to spark a debate. I could just tell that I was misunderstanding the original question, because it made no sense to me. :-)

Thanks for clarifying.

Posted: Mon Aug 15, 2005 6:51 am
by Roja
shiflett wrote: Yeah, what you call a test is a synonym for exploit (as I define it). Without exploiting a vulnerability at least once, it's difficult to verify that it's actually a vulnerability. Even when I review code, I can be pretty sure of a vulnerability sometimes, but I really need an exploit to verify it.
I think you hit the nail on the head: It really comes down to a topicality issue - how are things defined?

SANS defines vulnerability as:
Vulnerability
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
It's important to note that they don't clearly define attacks or exploits, and generally have broad definitions for both that, like you said, often include even testing. A poor choice of settings on a portscan can take certain equipment offline; if that doesn't constitute an attack or an exploit, I fail to understand what would, but it's clearly also just a test.

So "exploit" is probably a poor choice of words. It starts to become a question of intent, or motive, which is hard to prove.

Thankfully, the original question is asking people what *they* would do. With that, I think it's easier. The question can fairly be answered with a rewrite of the terms:

Would you attempt to cause damage if you found a vulnerability?

And in that case, I think (nearly) everyone here will say no.