= Recruitment =

A couple of weeks ago I received an email from the http://scanalert.com recruiter, who saw my resume and invited me to interview at ScanAlert. I emailed back and called the recruiter the next day to see what the position entailed. It was for their "ethical hacker / penetration tester" position, which is still posted on their website. I was curious, so I thought I'd see what it's like there, having never worked in a "corporate" security environment, but instead for smaller businesses. I talked to the Vice President of Engineering, Ben Tyler, and he offered a challenge on a fake website:

[code]
In our fictitious web site, one or more of the following vulnerabilities may exist:

Cross Site Scripting
SQL Injection
Directory Listing
Path Disclosure
[/code]

They wanted me to send an IP back so they could open up the URL to me for 24 hours, but before I did that I was bothered by their apparent "find all the vulnerabilities and slap a sticker declaring it safe" mentality, so I took a look at their own website and in a few minutes happened upon an interesting XSS vulnerability that let me inject HTML attributes into a link:

[code]
https://www.scanalert.com/Link?url=http://scanalert.com%22+onclick=%22alert('hi');
[/code]

= Response =

I replied back with the following:

[code]
Hi Ben,

In reaction to your challenge to break into a fictitious website, I must challenge you to secure your own website:

When your recruiter contacted me for a position as a Professional / Ethical Hacker / Penetration Tester, I was curious about the idea of being employed by scanalert; however, I had some doubts when you said "find the vulnerabilities". The use of a definite article led me to believe that there might be a culture of "finding all the vulnerabilities" in websites, declaring them secure, and then slapping stickers on them. There is no question as to the value of security auditing, but it is just that, an audit, not a guarantee.

Questioning the efficacy of such a culture, I decided to test its value by checking your website for basic vulnerabilities. In a matter of minutes I discovered the above vulnerability. The "Hacker Safe" concept should be thought of as "Hacker Safer".

Now, I do acknowledge that perhaps I read too much into your wording and that indeed, a culture of progressive security may yet exist at scanalert, so I'm still interested in pursuing this position, but I need some reassurance that a culture of asymptotic security thrives at scanalert, that the Hacker Safe logo really means, internally, Hacker Safer, and that I too will be able to gain progressive experience in novel and interesting security techniques while employed at scanalert.

Seth
[/code]

= Confirmation =

No reply came back, but five days later I noticed they had fixed it, but poorly. The following link still worked:

[code]
https://www.scanalert.com/Link?url=javascript:alert('hi');
[/code]

For a security website, I was disappointed that they couldn't fix the entire vulnerability, so I looked around for a few more vulns and sent them a more detailed report listing more things they probably wouldn't want their code to be doing, including an information leakage vulnerability and how their login form works well with XSS vulns to promote privileges automatically. They still haven't completely fixed the vulnerability, despite it again being five days later, so I'm publishing this blog entry to expose their inability to manage their own security.
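Why the second link still worked after the first fix is easiest to see with a small model of the page. The following is an added example, not ScanAlert's code and not from the original post; it assumes (hypothetically) that the Link page takes the url query parameter and builds an anchor tag from it. It shows three versions of that rendering: the raw interpolation that allows the attribute injection, a quote-escaping-only fix that stops the attribute breakout but still accepts a javascript: href, and a fix that adds a scheme allowlist. A small oracle built on Python's HTML parser reports whether the rendered anchor would run script on click, so the three behaviours can be compared on the two payloads from the post (constructed here as decoded query values).

```python
"""Added example, hypothetical model of a 'Link?url=' page (not ScanAlert's code)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlsplit

# Constructed inputs: the two payloads from the post, as the server sees them
# after the query string has been URL-decoded ('+' becomes a space).
ATTR_INJECTION = unquote_plus("http://scanalert.com%22+onclick=%22alert('hi');")
SCHEME_INJECTION = "javascript:alert('hi');"
BENIGN = "https://example.com/path?q=1"

ALLOWED_SCHEMES = {"http", "https"}
# Plain hostname (optionally with a port); anything else in the authority is rejected.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def render_link_vulnerable(url: str) -> str:
    """Assumed original behaviour: raw interpolation into the href attribute.
    A quote in the value closes the attribute and lets the caller add onclick=."""
    return f'<a href="{url}">{url}</a>'


def render_link_quote_escaped(url: str) -> str:
    """The kind of partial fix the post describes: quotes are escaped, so the
    attribute cannot be broken out of, but any URL scheme is still accepted,
    so href="javascript:..." executes when the link is clicked."""
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def is_safe_url(url: str) -> bool:
    """Allowlist check: absolute http(s) URL with a plain hostname, nothing else."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return bool(HOSTNAME_RE.match(parts.netloc))


def render_link_fixed(url: str) -> str:
    """Scheme allowlist plus attribute encoding; anything rejected falls back to '/'."""
    target = url if is_safe_url(url) else "/"
    safe = html.escape(target, quote=True)
    return f'<a href="{safe}">{safe}</a>'


class _FirstAnchor(HTMLParser):
    """Collects the attributes of the first <a> tag, with entities decoded
    the way a browser would decode them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = {name: (value or "") for name, value in attrs}


def link_executes_script(rendered: str) -> bool:
    """Oracle: does the anchor carry an on* event handler or a javascript: href?"""
    parser = _FirstAnchor()
    parser.feed(rendered)
    attrs = parser.attrs
    if any(name.startswith("on") for name in attrs):
        return True
    return attrs.get("href", "").strip().lower().startswith("javascript:")


if __name__ == "__main__":
    for name, render in (("vulnerable", render_link_vulnerable),
                         ("quote-escaped", render_link_quote_escaped),
                         ("fixed", render_link_fixed)):
        for payload in (ATTR_INJECTION, SCHEME_INJECTION):
            print(f"{name:14} {payload!r:50} executes={link_executes_script(render(payload))}")
```

The oracle decodes entities with a real HTML parser rather than grepping for "onclick", because the quote-escaped output still contains the literal text `onclick=` inside the href value, where a browser treats it as inert. The allowlist rejects the scheme rather than blocklisting `javascript:`, so `data:` and `vbscript:` URLs and mixed-case variants are rejected as well.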