From: Dragos Ruiu (dr@pacsec.jp)
Date: Thu Oct 05 2006 - 14:50:52 EDT
On Thursday 05 October 2006 10:59, bugtraq@cgisecurity.net wrote:
> >> Sound like you need to consider your response. I'll let the lawyers
> >> correct me, but AFAIK unless the thing you are pointing them at
> >> contravenes some laws, merely posting something with a cross site
> >> reference to a site does not constitute prohibited behaviour anywhere I
> >> know of, and there are many legitimate contexts to be doing this in (as
> >> well as the unitended ones) and intentional reasons why some sites
> >> explicitly allow this (for better or for worse).
>
> If that is what he did then yes. However if you read the email you'd know
> he did in fact test it (in his words), more below.
>
> >> Maybe you need to consult your lawyer :-).
My point exactly is that _testing_ XSS is not necesarily malicious or illegal.
Which is what you were implying. Using it to plant malicious content is
another matter, but lets not go around trying to criminalize rattling a
doorknob to see if it is locked.
cheers,
--dr
-- World Security Pros. Cutting Edge Training, Tools, and Techniques Tokyo, Japan November 27-30 2006 http://pacsec.jp pgpkey http://dragos.com/ kyxpgp ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT