Saturday, May 10, 2014

Pentest - Unexpected invitation

In July 2011, reading a Portuguese blog like I always do, I found a special invitation.
Chuck, let's name it that way, had a website.
Chuck also believed that homemade CMS code was better than an open-source CMS, whose source code is available for everyone to study.
Chuck made a little mistake: he openly invited everyone on the blog to test his website's security.
So I did, but not before wandering around Google searching for his nickname on developer forums.
And Chuck's posts came along with some questions about PHP and MySQL.
Based on the content of some of those questions, I knew Chuck wasn't so sure about the security of his code.
I registered on the website and started to study it; minutes later I already had SQL injection points among admin access.
Time to ring Chuck. Chuck is a very friendly guy, and after this "incident" we started to chat on a regular basis.
He made great changes to the code and the website itself.
Later, Chuck asked me again to pentest the newer version. Oooops, here it goes again, SQLi.
Fixed and solved in a matter of minutes. I now believe Chuck's website is more secure than it ever was.
Also, we became online friends, helping each other when needed.

So, there are two things that wannabe-hackers should learn from this story.

  • Always have permission from the owner/developer to test a website.
  • Always report what you have found and don't take advantage of it without giving the developer the time needed to fix the bug.

Which brings us to another Portuguese website... I will write about that later.
