Page 1 of 1

How to notify someone of a vulnerability.

PostPosted: Fri Jul 08, 2011 5:56 pm
by capflyboy
Well, as you guys have probably guessed from above...
I have decided to commit myself to white hat hacking.
I have learned how to perform SQL injections.
But my next question is, how can I notify someone that they are vulnerable?
Do I just send an email, "Hey, heads up, you're hackable.... or you have an SQL error...." etc etc.
What would be a decent and professional way to do this?
Let me tell you though.
My first injection was awesome. (<------ LMAO)
My friends dads website happened to be vulnerable.
So with his permission I performed an SQL injection.
It took me about 40 mins.... I feel like thats a long time though.
But anywho. Let me know what you all think.

Re: How to notify someone of a vulnerability.

PostPosted: Fri Jul 08, 2011 7:19 pm
by Rijnzael
If you find a security vulnerability in a system without having been asked to, you're generally opening yourself up to liability. You never know when you're going to hurt someone's fragile ego by finding an issue in their code. If you want to be a white hat, get hired to a security consultancy or the security team of an organization.

Re: How to notify someone of a vulnerability.

PostPosted: Fri Jul 08, 2011 7:27 pm
by r-ID
If you hack without permission, your actions might be interpreted as illegal activities, even if you mean no harm. I recommend to hack without permission (avoid any potential damage), hide your ass and email about the problem. Minimum damage, maximum learning (most important part) and medium safety. Asking permission decreases learning process, harder hack increases damage (and safety) and hiding your ass is just for insurance.
If you don't wanna take any risks you could always ask for permission and maybe to get some $ too, but learning process might not be that good, asking for permission takes some time and you don't have all the freedom like choosing any target etc.

Re: How to notify someone of a vulnerability.

PostPosted: Sat Jul 09, 2011 3:49 am
by capflyboy
Yeah, I can see where you're coming from.
I'd rather learn more.
Thats what this is all about after all.
All of this would be pointless if we didnt learn.
I'm going to look into learning some about XSS vulnerabilities.
As on now, I just wanna master this SQL stuff first.
I can see how it would and is useful to the black hats and stuff.
I mean, if you get into the admin account, couldnt you edit the whole script to the site?
I mean, malicious code, and stuff like that...
Or am I mistunderstanding what an SQL injection is for?

Re: How to notify someone of a vulnerability.

PostPosted: Sun Jul 10, 2011 8:22 pm
by r-ID
Depends on what you mean by "admin account", when you say admin account i think of login information on some kind of CMS, and CMS functionality is limited. You should tell root account or rooted if you mean total control of the box.
What SQL injection does it allows you to execute sql requests, so it can be used in many forms:
You can bypass login information without knowing a pass
You can retrieve any allowed data from database and to find the actual password (most common hack)
You can write to files or read files (/etc/shadow for example, if httpd runs on root)
You can even execute remote commands.
What you can do and what you can't mainly depends on database setup.

Re: How to notify someone of a vulnerability.

PostPosted: Mon Jul 11, 2011 1:01 am
by capflyboy
Alrighty, cool.
And yeah, thats what I did.
I got did the SQL and got the "user" table off my friends dads website.
And I have a program that searches for login pages to the site.
I was surprised to see the admins login page for the whole site.
I could have literally changed anything.
But since my friends dad agreed to it, I wasnt about to destroy his stuff anyways.
Thats not what I'm out there for.
Thanks for the help man.