.

Disclosing web application issue

<<

millwalll

Post Mon Apr 02, 2012 10:18 am

Disclosing web application issue

Hi all,

Recently I have been searching the web as you do and notice a lot of issue on sites I have visited like:

Password being stored in plain text
user enumeration
credit cards not stored correctly

so on

I just want to find out if this was you would you disclose them or just ignore because it not worth the hassle ? also how would you disclose them I have sent email asking if they have security team but no reply so far.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Apr 02, 2012 10:40 am

Re: Disclosing web application issue

Just curious, Jamie...

How are you finding these issues?  How is it you know where things are stored, and how they're stored?

This isn't exactly something you should randomly be looking at websites for, if you're not asked / contracted to...

That said, depending on the site, you could contact them to resolve it.  However, be warned that they might wonder why you were poking around their site to begin with.  Some folks might not take your actions lightly, even if well-intentioned...  So it's up to you.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Mon Apr 02, 2012 10:44 am

Re: Disclosing web application issue

I would also be hesitant to start the conversation with, "Do you guys have a security team?"

That would, first of all, put me on the defensive from the get-go. Secondly, I'd probably expect to hear you say something along the lines of, "Well, if you don't, I can help you out." After disclosing a security vulnerability unsolicited, this can be construed as unethical behavior.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

millwalll

Post Mon Apr 02, 2012 11:43 am

Re: Disclosing web application issue

well I  was using a site but forgot my password and noticed it got sent to me as plain text so would be a really good indication that they not being encrypted in database.

and again was using a site with my username but could not remember my password noticed the error message telling me username was valid but password was not and on same site I decide to see what info they had on me saw the bit to add credit card so made a number up to see and when I went back into it the whole number was on show not even like **********1234 so would assume they storing CC wrong

so was not really looking for the issue they just stood out when using the normal features of the site.

I feel as ethical hacker I should tell them but on the other side I feel they think I am after something or been trying own them or something and end up doing more hard than good.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Apr 02, 2012 11:56 am

Re: Disclosing web application issue

I was hoping your reasons were as such.

Either way, it's up to you if you want to discuss with them, or not.  Again, just note, that if you weren't asked or contracted to analyze them, you'd better be ready to play really dumb when they ask you why you were posting dummy credit card numbers, etc.  They could 'possibly' interpret that as credit card fraud, as well.  (Depending on where you stored it, and why...)

Just be cautious...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

millwalll

Post Mon Apr 02, 2012 11:59 am

Re: Disclosing web application issue

Yah that why I wanted to get some advice as didn't want put my two feet in it and end up getting into trouble for trying to be helpful.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Apr 04, 2012 12:40 pm

Re: Disclosing web application issue

I suggest you contact them in an officially looking e-mail where you point out that you haven't attacked them but rather observed how their website function and that the current structure is insecure. Make sure you point out you're doing it for free and that you're not selling any services. (Otherwise they might see it as blackmail, I've experienced that on a few occasions where I even stated it was free.)

Also, you can write to the webmaster or perhaps if they have a security department those as well, but usually you get the fastest response and activity via HR. When I've contacted administrators directly I've mostly been met with hatred or ignorance. In some cases my direct contact with e.g., the webmaster has been much appreciated though.

Some companies may take this as a personal insult or attack as well, so be prepared for whatever response they come up. Some will also say they're going to fix it, and then it won't get fixed, even a year after, and we're talking about quite serious vulnerabilities here too.
I'm an InterN0T'er

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software