This is a great article to spur additional discussion in the community with
regards to disclosure of web application vulnerabilities. Much better than
that "pot stirring" article written by Marcus Ranum that others have quoted.
There are too many inaccuracies and leaps of faith taken in that article to
even begin to debate it. (*Which is why I will stay out of that thread*)
The primary difficulty when attempting to create a "responsible disclosure"
policy for web applications is that the applications themselves do not
reside on the system of the person conducting the assessment. It's somewhat
akin to finding a vulnerability in an ftp daemon on a remote machine. You
can download and install the particular ftpd on your own machine and pop the
daemon to your heart's content, but legally and (arguably) ethically you
cannot research the vulnerability and execute the exploit against the target
machine without consent from the target application owner. Does this apply
to web sites in a similar manner?
How do web sites play into this? With MOST websites, the majority of the
code is run remotely, the site is a service that is run by the remote
entity, and typically (not always) there is no EULA or TOS presented to the
generic user (read: non-authenticated user). The thing that holds back the
creation of a policy is the legality of testing in such an environment.
Sure, if I can download and install that application locally in my own
environment I can assess and release vulnerabilities using any disclosure
policy that I choose. But if I can't install it in my own environment, do I
have the legal right to type a tick mark into an input box and view the
resulting error pages? That is the real question. (*And hopefully we won't
travel down THIS huge rathole again <GRIN>*)
If we could get past the legal hurdles, then it would definitely be possible
to author a similar policy to RFPolicy and/or the Wysopal/Christy
"Responsible Disclosure" policy. However, without the legal precedent being
set as to what is illegal testing in the first place, the policy becomes a
moot point.
-t
-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@xxxxxxxxxxxxxxx]
Sent: Wednesday, January 10, 2007 1:48 PM
To: Web Security
Subject: [WEB SECURITY] Disclosure for Web Applications
A great article discussing vulnerability disclosure as it applies to
web application security.
The Chilling Effect
http://www.csoonline.com/read/010107/fea_vuln.html
Regards,
Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]