views: 113
answers: 3

Is it possible to get into legal trouble for identifying vulnerabilities in a web application even if you don't exploit them?

I have considered using tools like NetSparker on occasion to see if a site has any vulnerabilities and I'd like to contact the owner of the site to see if they'd be interested in me fixing it. I suspect that some of these people might get angry or misinterpret my intentions and I'm curious if I could get into any trouble for simply finding these security issues.

A: 

You shouldn't get into trouble, but depending on how big of a prick you're dealing with, who gets embarrassed and who feels threatened, you could easily turn into the next Adrian Lamo.

Screw Lamo, that narc should be thrown in jail.
Rook
There are others with similar stories all over the place; I just picked someone who was in the spotlight recently. Yeah, he was involved in WikiLeaks, but he also helped close a serious exploit that could have brought down most of North America in the proper hands, and got in trouble for telling the authorities about it. Remember Captain Crunch? They were afraid he was going to whistle nuclear launch codes into a payphone.
A: 

What one can get into trouble for doing often comes down to what "they" can convince a judge of. It's certainly possible that a company can see such an act as a genuine attack (the wrong person in the company gets the wrong idea and yells loud enough about it) and seek some kind of damages from you. Just remember that "being right" or "being reasonable" or "making sense" don't really mean much in the US legal system (assuming US here).

That said, as a developer I absolutely encourage vulnerability testing and reporting back to the developer for the product being tested. But, unfortunately, you should tread carefully.

David
+7 A: 

If you are looking for vulnerabilities in open source software or commercially distributed software and you are a US citizen, you are protected by the First Amendment. It is legal for you to write exploit code and do whatever you want (as long as it isn't selling it to terrorists/the mob). If you do find a flaw, report it to BugTraq and put it on your resume. I have racked up a lot of CVE numbers over the years and I actively write exploit code.

In Germany and France the laws are a bit different: the possession of "hacking tools" like exploit code or even Nmap can land you in jail. You might also be interested in the laws on full disclosure.

On the flip side, if you go around scanning people's web sites looking for vulnerabilities, you are breaking the law and the FBI will investigate you. Do not look for vulnerabilities in random websites without the owner's permission.

Rook
Thanks for the info. Is there any chance you could cite a source for what law this violates?
Abe Miessler
You should offer your services as an exploit analyst of sorts and provide them with information on what you will do and how this will save them from problems in the future. Explain cost value here.
The boldface text bears repeating. If you use a tool like NetSparker against a site you don't control, you can be charged with a crime in the US (don't know about other countries), and you can go to prison. Even if you're trying to help.
Michael Petrotta
@user257493 Or how about I just go full disclosure and watch a million sites go up in flames, because that's perfectly legal in the US.
Rook
@user257493, I agree this is a good idea. My thought is that you are much more likely to get a client if you KNOW there is a vulnerability already. Not worth it if you go to jail, I guess...
Abe Miessler
@Abe Miessler You're right, that could be a selling point. But in practice most people freak out and call the FBI. I'm not joking, I have seen people go down this path and get screwed; it's not worth it.
Rook