How to notify someone of a vulnerability.


Post by capflyboy on Fri Jul 08, 2011 5:56 pm

Well, as you guys have probably guessed from above...
I have decided to commit myself to white hat hacking.
I have learned how to perform SQL injections.
But my next question is, how can I notify someone that they are vulnerable?
Do I just send an email, "Hey, heads up, you're hackable.... or you have an SQL error...." etc etc.
What would be a decent and professional way to do this?
Let me tell you though.
My first injection was awesome. (<------ LMAO)
My friend's dad's website happened to be vulnerable.
So with his permission I performed an SQL injection.
It took me about 40 mins.... I feel like that's a long time though.
But anywho. Let me know what you all think.
capflyboy


Re: How to notify someone of a vulnerability.

Post by Rijnzael on Fri Jul 08, 2011 7:19 pm

If you find a security vulnerability in a system without having been asked to, you're generally opening yourself up to liability. You never know when you're going to hurt someone's fragile ego by finding an issue in their code. If you want to be a white hat, get hired to a security consultancy or the security team of an organization.
Rijnzael


Re: How to notify someone of a vulnerability.

Post by r-ID on Fri Jul 08, 2011 7:27 pm

If you hack without permission, your actions might be interpreted as illegal activities, even if you mean no harm. I recommend to hack without permission (avoid any potential damage), hide your ass and email about the problem. Minimum damage, maximum learning (most important part) and medium safety. Asking permission decreases learning process, harder hack increases damage (and safety) and hiding your ass is just for insurance.
If you don't wanna take any risks you could always ask for permission and maybe to get some $ too, but learning process might not be that good, asking for permission takes some time and you don't have all the freedom like choosing any target etc.
r-ID


Re: How to notify someone of a vulnerability.

Post by capflyboy on Sat Jul 09, 2011 3:49 am

Yeah, I can see where you're coming from.
I'd rather learn more.
That's what this is all about after all.
All of this would be pointless if we didn't learn.
I'm going to look into learning some about XSS vulnerabilities.
As of now, I just wanna master this SQL stuff first.
I can see how it would be and is useful to the black hats and stuff.
I mean, if you get into the admin account, couldn't you edit the whole script to the site?
I mean, malicious code, and stuff like that...
Or am I misunderstanding what an SQL injection is for?
capflyboy


Re: How to notify someone of a vulnerability.

Post by r-ID on Sun Jul 10, 2011 8:22 pm

Depends on what you mean by "admin account". When you say admin account I think of login information on some kind of CMS, and CMS functionality is limited. You should say root account or rooted if you mean total control of the box.
What SQL injection does is allow you to execute SQL requests, so it can be used in many forms:
You can bypass login information without knowing a pass
You can retrieve any allowed data from database and to find the actual password (most common hack)
You can write to files or read files (/etc/shadow for example, if httpd runs on root)
You can even execute remote commands.
What you can do and what you can't mainly depends on database setup.
r-ID


Re: How to notify someone of a vulnerability.

Post by capflyboy on Mon Jul 11, 2011 1:01 am

Alrighty, cool.
And yeah, that's what I did.
I did the SQL and got the "user" table off my friend's dad's website.
And I have a program that searches for login pages to the site.
I was surprised to see the admin's login page for the whole site.
I could have literally changed anything.
But since my friend's dad agreed to it, I wasn't about to destroy his stuff anyways.
That's not what I'm out there for.
Thanks for the help man.
capflyboy


