Dynamik, it's all good. I think we were actually complementing each others comments now. I'm saying don't go running through like a grain thresher through a field, you're saying don't take 3 months to do the test.

I just have confidence issues. Probably because I keep interviewing for Security based jobs, and end up not getting hired. But that's been par for the course of my carrier over the last 4 years. Interview, interview, interview. Have things said (You're our top choice, the job is yours, we don't want you for this job, but we have another we want you to do, etc), but end up getting called by HR / Head Hunter and told they went with someone else (or they drag their feet for 3 months).

Really does make you feel like you're only choice after getting over 10 years IT related experience is to branch out and go you're own way. But that's not what I want to do.

dynamik,

CISSIP is on my list. Just probably not for a year or so. Want to do some other things first. OSCP, CCNA Security, etc. I think part of it is lacking a four year college degree.


After I got burnt out on IT, while I was living off savings and going to school (other thread), I started my own business.  I specialized in networking, mostly SOHO networks and wireless networks, and Unix / Linux builds and troubleshooting. Mostly, I had people coming to me to remove viruses and the like from their windows boxes.

AS for working for myself. I hate charging customers when I can't get something to work, or over charging them more hours because I found other things that had to be fixed first before what I was hired for. Or having things go horribly wrong and taking longer than I said I would need.

I hate dealing with Quarterly Taxes, where you have to Estimate your income for the year. The lack of health insurance when you don't know how often you're going to have money to pay it, the dead beat clients you have to sue and still get nothing from.

I hate the rubbing of elbows, self marketing, always having to be professional, having the regular staff hate you fore being the hired gun / specialized troubleshooter etc.

Thanks Seen for sharing your results with us, but when you say:

It looks almost too good to me. How many requests were you making per second? How did you ensure that there was no DoS? Maybe the passwords were weak, but usually, getting 8 out of 10 passwords means something was wrong with the passwords...

A suggestion might be to tell the developers to implement strong password controls...

Anyway, if you didn't cause a DoS, congrats!!

Oups sorry... 

I guess I bruteforce passwords and I enumerate usernames... 

Good job Seen!

It's usually quite hard to make people aware of security. It seems you just successfully did that!

Keep searching for other vulnerabilities on the web site. Even if you can't exploit them, it's always good to show you didn't stop at the first "victory".

Keep on the good work!