
RE: [WEB SECURITY] Disclosure for Web Applications



txs has an interesting point. Is it legal to put a tick mark in any text box on any website on the web? While I'm sure some site owners might consider that an attempted bypass of their security and therefore illegal, couldn't it also be considered my legal right as a consumer? If I am going to be using a website, shouldn't I have some sort of assurance that it doesn't expose me to any vulnerabilities, especially if I'm going to store or access sensitive financial information?

Let's think of a similar real world situation, because that's what a judge might use to determine the legality of any actions. If I'm looking for a new bank to open an account with, what assurances can I have that my money will be safe there? I can walk inside and "case the joint" (i.e. look for security guards, cameras, and anything else visible to the naked eye from the typical bank visitor's point of view), but I don't think they will let me walk up to the safe and try cracking it, count the money available to the clerks, or inform me of the armored car pickup schedule. Now how do I know the parts I can't examine are safe? I can ask them about their insurance for theft, but that's about it. If there is a physical robbery, I hear about it on the news. If it gets robbed often, I know that it's not a safe place for me to visit, and they pay for the crime through higher insurance rates.

Now, how does this translate to a real world example? I think anything done from a web browser has to be viewed in a similar light as just walking around a bank lobby. I should be able to report any vulnerabilities without fear of retribution, so long as they are limited to proof of concept demos, just as I imagine I would not be arrested for reporting to the bank manager that the security guard was drunk, or that a loan manager left a pile of money sitting on his desk while he took a lunch break. Understandably, things become murky at some point beyond this. What exactly constitutes safe cracking on the web? If I launch a dictionary attack on the user name / password field, DDoS, or use an XSS flaw for phishing, then I would expect some legal trouble. I'm not sure about things that go beyond the web browser interface. I wouldn't feel comfortable scanning for vulnerabilities beyond the web interface, but I'm also more of a developer than any kind of "security researcher". So, if I were prosecuted after revealing a vulnerability, I think I would have a more difficult time trying to prove the legitimacy of my actions.


----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]