lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Feb 2012 00:05:28 -0500
From: Luis Santana <hacktalkblog@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: posting xss notifications in sites vs
	software packages

Typically if you are in the US, are testing a server in the US owned by a
company headquartered in the US it is legal to find Reflective XSS so long
as you don't crash any services. Crashing any services can be seen as a DoS
attack and then you are screwed. Moreover if you crash a service and cost
the company more than 5k USD then you have a risk of the FBI trying you for
cybercrime.


*I DO NOT CONDONE TESTING SITES YOU DON'T HAVE PERMISSION TO TEST*


On Wed, Feb 8, 2012 at 9:23 PM, <Valdis.Kletnieks@...edu> wrote:

> On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
> > A general question: is it legal to search for XSS vulnerabilities on
> > custom websites ?
>
> Yes. No. Maybe. Depends where you live, where the web server is physically
> located, and where the corporate headquarters are.  In the US, the law you
> need to worry about most is 18 USC 1030:
>
>
> http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
>
> "... having knowingly accessed a computer without authorization or
> exceeding
> authorized access, and by means of such conduct having obtained
> information..."
>
> It's going to come down to whether the jury believes the prosecutor's
> version
> or your version of what "exceeding authorized access" means - which is why
> professional pen testers make sure they get a "Get Out Of Jail Free" card,
> and
> negotiate rules of engagement (what's allowed, what's not) as part of the
> contract.  You amature pen testers are on your own. ;)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists