HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 44 guests and 2 members online
 
Free Business and Tech Magazines and eBooks

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Web Applicationsarrow Disclosing web application issue
EH-Net
May 21, 2013, 12:46:27 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Disclosing web application issue  (Read 3563 times)
0 Members and 1 Guest are viewing this topic.
millwalll
Guest
« on: April 02, 2012, 10:18:54 AM »
Hi all,

Recently I have been searching the web as you do and notice a lot of issue on sites I have visited like:

Password being stored in plain text
user enumeration
credit cards not stored correctly

so on

I just want to find out if this was you would you disclose them or just ignore because it not worth the hassle ? also how would you disclose them I have sent email asking if they have security team but no reply so far.
Logged
hayabusa
Hero Member
*****
Offline Offline

Posts: 1632



View Profile
« Reply #1 on: April 02, 2012, 10:40:51 AM »
Just curious, Jamie...

How are you finding these issues?  How is it you know where things are stored, and how they're stored?

This isn't exactly something you should randomly be looking at websites for, if you're not asked / contracted to...

That said, depending on the site, you could contact them to resolve it.  However, be warned that they might wonder why you were poking around their site to begin with.  Some folks might not take your actions lightly, even if well-intentioned...   So it's up to you.
Logged
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH
ziggy_567
Sr. Member
****
Offline Offline

Posts: 361


View Profile
« Reply #2 on: April 02, 2012, 10:44:43 AM »
I would also be hesitant to start the conversation with, "Do you guys have a security team?"

That would, first of all, put me on the defensive from the get-go. Secondly, I'd probably expect to hear you say something along the lines of, "Well, if you don't, I can help you out." After disclosing a security vulnerability unsolicited, this can be construed as unethical behavior.
Logged
--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
millwalll
Guest
« Reply #3 on: April 02, 2012, 11:43:23 AM »
well I  was using a site but forgot my password and noticed it got sent to me as plain text so would be a really good indication that they not being encrypted in database.

and again was using a site with my username but could not remember my password noticed the error message telling me username was valid but password was not and on same site I decide to see what info they had on me saw the bit to add credit card so made a number up to see and when I went back into it the whole number was on show not even like **********1234 so would assume they storing CC wrong

so was not really looking for the issue they just stood out when using the normal features of the site.

I feel as ethical hacker I should tell them but on the other side I feel they think I am after something or been trying own them or something and end up doing more hard than good.
Logged
hayabusa
Hero Member
*****
Offline Offline

Posts: 1632



View Profile
« Reply #4 on: April 02, 2012, 11:56:56 AM »
I was hoping your reasons were as such.

Either way, it's up to you if you want to discuss with them, or not.  Again, just note, that if you weren't asked or contracted to analyze them, you'd better be ready to play really dumb when they ask you why you were posting dummy credit card numbers, etc.  They could 'possibly' interpret that as credit card fraud, as well.  (Depending on where you stored it, and why...)

Just be cautious...
Logged
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH
millwalll
Guest
« Reply #5 on: April 02, 2012, 11:59:06 AM »
Yah that why I wanted to get some advice as didn't want put my two feet in it and end up getting into trouble for trying to be helpful.
Logged
MaXe
Hero Member
*****
Offline Offline

Posts: 669


I've just upgraded myself to a cyborg muahahaa!!1


View Profile WWW
« Reply #6 on: April 04, 2012, 12:40:42 PM »
I suggest you contact them in an officially looking e-mail where you point out that you haven't attacked them but rather observed how their website function and that the current structure is insecure. Make sure you point out you're doing it for free and that you're not selling any services. (Otherwise they might see it as blackmail, I've experienced that on a few occasions where I even stated it was free.)

Also, you can write to the webmaster or perhaps if they have a security department those as well, but usually you get the fastest response and activity via HR. When I've contacted administrators directly I've mostly been met with hatred or ignorance. In some cases my direct contact with e.g., the webmaster has been much appreciated though.

Some companies may take this as a personal insult or attack as well, so be prepared for whatever response they come up. Some will also say they're going to fix it, and then it won't get fixed, even a year after, and we're talking about quite serious vulnerabilities here too.
Logged
I'm an InterN0T'er
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.104 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.