Seth Woolley's Blog

Occasional Musings

Wed Aug 16 01:26:24 2006 -- scanalert


Recruitment

A couple weeks ago i received an email from the http://scanalert.com recruiter who saw my resume and invited me to interview at ScanAlert.  I emailed back and called the recruiter the next day to see what the position entailed.  It was for their "ethical hacker / penetration tester" position, which is still posted on their website.  I was curious so I thought I'd see what it's like there, having never worked in a "corporate" security environment, but instead for smaller businesses.  I talked to the Vice President of Engineering, Ben Tyler, and he offered a challenge on a fake website:

In our fictitious web site, one or more of the following
vulnerabilities may exist:

Cross Site Scripting
SQL Injection
Directory Listing
Path Disclosure

They wanted me to send an IP back to open up the url to me for 24 hours, but before I did that I was bothered by their apparent "find all the vulnerabilities and slap a sticker declaring it safe" mentality, so I took a look at their own website and in a few minutes happened upon an interesting XSS vulnerability that let me inject html attributes into a link.

https://www.scanalert.com/Link?url=http://scanalert.com%22+onclick=%22alert('hi');

Response

I replied back with the following:

Hi Ben,

In reaction to your challenge to break into a fictitious website, I
must challenge you to secure your own website:

<XSS exploit url here>

When your recruiter contacted me for a position as a Professional /
Ethical Hacker / Penetration Tester, I was curious about the idea of
being employed by scanalert, however, I have had some doubts when you
said "find the vulnerabilities".  The use of a definite article led me
to believe that there might be a culture of "finding all the
vulnerabilities" in websites, declaring them secure, and then slapping
stickers on them.  There is no question as to the value of security
auditing, but it is just that, an audit, not a guarantee.  Questioning
the efficacy of such a culture, I decided to test its value by checking
your website for basic vulnerabilities.  In a matter of minutes I
discovered the above vulnerability.  The "Hacker Safe" concept should be
thought of as "Hacker Safer".

Now, I do acknowledge that perhaps I read too much into your wording
and that indeed, a culture of progressive security may yet exist at
scanalert, so I'm still interested in pursuing this position, but I need
some reassurance that a culture of asymptotic security thrives at
scanalert, that the Hacker Safe logo really means, internally,
Hacker Safer, and that I too will be able to gain progressive experience
in novel and interesting security techniques while employed at
scanalert.

Seth

Confirmation

No reply came back, but five days later I noticed they had fixed it, though poorly.  The following link still worked:

https://www.scanalert.com/Link?url=javascript:alert('hi');
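The two URLs above show the same link-builder in two states: first it let a quote close the href attribute so an onclick could be added, then, after the fix, it rejected the quote but still put a javascript: URL straight into href. The sketch below is an added Python example, not ScanAlert's code (which was never visible) and not code from the original post; the function names, the sample payloads and the http/https allowlist are assumptions made for illustration. It renders the same payload through a vulnerable builder, a partial fix that only escapes, and a hardened builder that escapes and validates the scheme.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the two URLs quoted in the post.
ATTR_INJECTION = 'http://scanalert.com" onclick="alert(\'hi\');'
JS_SCHEME = "javascript:alert('hi');"
BENIGN = "http://example.com/path?a=1&b=2"


def render_link_vulnerable(url):
    """Original-style bug: the parameter is dropped into an attribute unescaped,
    so a double quote ends href and everything after it becomes new attributes."""
    return '<a href="%s">%s</a>' % (url, url)


def render_link_partial_fix(url):
    """Escaping alone stops the attribute breakout, but href still honours
    javascript: (and data:, vbscript: ...) because the scheme is never checked."""
    safe = html.escape(url, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)


# Assumed policy for a redirector: only web URLs with a host are linkable.
ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url):
    """Return the URL if it has an allowed scheme and a host, else None.

    urlsplit lowercases nothing itself, so the scheme is normalised here; an
    allowlist (rather than a javascript: denylist) also rejects case and
    whitespace variants and unknown schemes without enumerating them."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_link_hardened(url):
    """Validate the scheme first, then escape for the attribute context.
    Rejected URLs are shown as escaped text instead of becoming a link."""
    href = safe_href(url)
    if href is None:
        return html.escape(url, quote=True)
    safe = html.escape(href, quote=True)
    return '<a href="%s" rel="noopener noreferrer">%s</a>' % (safe, safe)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_link_vulnerable),
                     ("partial fix", render_link_partial_fix),
                     ("hardened", render_link_hardened)):
        for payload in (ATTR_INJECTION, JS_SCHEME, BENIGN):
            print("%-12s %s" % (name, fn(payload)))
```

The two checks are independent: escaping handles the attribute context, the scheme allowlist handles what the browser will do with the href value once it is parsed, and fixing only one of them leaves the other hole open, which is exactly the sequence the two URLs above show.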

For a security website, I was disappointed that they couldn't fix the entire vulnerability, so I looked around for a few more vulns and sent them a more detailed report listing more things they probably wouldn't want their code to be doing, including an information leakage vulnerability and how their login form works well with XSS vulns to promote privileges automatically.

They still haven't completely fixed the vulnerability, despite it being five days later, again, so I'm publishing this blog entry to expose their inability to manage their own security.

Tags: webdevel, reallife, security
