Just a friendly reminder, but just because someone says you are free to test their site's security does not make it legal. In this case the site is hosted on a server that *is not owned* by Kataclysmic. And due to this post from another thread:
Check back on the 20th. Host shut me down because of SQLi attempts by people
I have reason to believe the hosting company takes security threats fairly seriously. So for the legal safety of those involved, think twice before you start throwing apostrophes in random input boxes.
For the sake of posterity I am going to quote Kata's first post and the "Welcom HTS" comment in the site's source code. In case anyone comes a-knockin' on your door with a warrant, you can point to this thread as your intent. That doesn't make it a Get Out Of Jail Free card, but if it is documented that we are trying to help him improve his security as a group, there's a good defense or at least mitigating factor in there.
October 16, 2013:
Kataclysmic wrote: Alright so first off there is a comment on the home page that says <!-- Welcome HTS --> You may hack this site. However I would prefer that no one attempts anything on the feedback page because I would then have to manually delete all posts on the page. If you do find something please let me know! Thanks everyone.
If you would like if you do manage to hack this site let me know and I can add something in the news section about it and mention your name or you can stay anonymous.
Proof of ownership:
Code:
<!-- Welcom HTS -->
<title>LawOfCode | Home</title>
Now you may think I am being paranoid here, but having been through the legal system I can say for certain that they will use anything and everything against you. Businesses have an understandable concern for the code their clients execute, and it is in their best interests to prosecute. You may not agree with it, but from a business standpoint it's a great idea.
Establishing a "Cover My Ass" document such as this provides the court with exactly the sort of thing you should ideally have in a contract in a pentest. You want to have the scope, target, duration, etc. spelled out in plain English so that if the company tries to claim you stepped out of bounds, you have a piece of paper they signed that says otherwise.
Now obviously this is not an official contracted pentest, this is just someone who has a site and wants us to test it. Now there could be people out there who mean to do harm, but we are not those people. We are legitimately interested in improving the security of our members, and testing our own knowledge at the same time. This should not be punished, but at the same time you need to be careful with this sort of thing.
On a closing note, just in case this post ever does become relevant, I'd like to emphasize that this site is here to teach and improve, not deceive and corrupt. Yes, the techniques discussed can be used for malicious purposes, but security is a double-edged sword. Without teaching people how to properly defend themselves, the current state of the Internet would be a vastly different landscape.
And as always, question everything and trust no one.