Penetration Testing mailing list archives
Re: Informing Companies about security vulnerabilities..
From: Dragos Ruiu <dr () pacsec jp>
Date: Thu, 5 Oct 2006 11:50:52 -0700
On Thursday 05 October 2006 10:59, bugtraq () cgisecurity net wrote:
Sound like you need to consider your response. I'll let the lawyers correct me, but AFAIK unless the thing you are pointing them at contravenes some laws, merely posting something with a cross site reference to a site does not constitute prohibited behaviour anywhere I know of, and there are many legitimate contexts to be doing this in (as well as the unitended ones) and intentional reasons why some sites explicitly allow this (for better or for worse).If that is what he did then yes. However if you read the email you'd know he did in fact test it (in his words), more below.Maybe you need to consult your lawyer :-).
My point exactly is that _testing_ XSS is not necesarily malicious or illegal. Which is what you were implying. Using it to plant malicious content is another matter, but lets not go around trying to criminalize rattling a doorknob to see if it is locked. cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Tokyo, Japan November 27-30 2006 http://pacsec.jp pgpkey http://dragos.com/ kyxpgp ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Re: Informing Companies about security vulnerabilities.. bugtraq (Oct 05)
- Re: Informing Companies about security vulnerabilities.. Dragos Ruiu (Oct 06)