Web App Pen Testers

the_Grinch (Member, Posts: 4,165)
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff

Comments

  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+; Surf City, USA; Admin; Posts: 11,947)
    So what keeps my ISP (Verizon) from cancelling my account for attempting to hack into Facebook? Maybe people should do it anonymously from Starbucks. And there's got to be a contract to sign with Facebook stating the rules of engagement.

    These types of offers may be small change money-wise, but if you do get paid for finding something, you can brag about it on your CV, and that's a great way to start a career as a pen tester.
  • veritas_libertas (CISSP, GIAC x5, CompTIA x5; Greenville, SC, USA; Member; Posts: 5,735)
    JDMurray wrote: »
    So what keeps my ISP (Verizon) from cancelling my account for attempting to hack into Facebook? Maybe people should do it anonymously from Starbucks. And there's got to be a contract to sign with Facebook stating the rules of engagement.

    These types of offers may be small change money-wise, but if you do get paid for finding something, you can brag about it on your CV, and that's a great way to start a career as a pen tester.

    You're crazy if you don't get a signed document. If you decide to do it at Starbucks, make sure you read the fine print before you load BackTrack. ;)
    Currently working on: Linux and Python
  • chrisone (Senior Member; Posts: 2,146)
    This is also dangerous for Facebook: say you deliberately hack and bring them down or deface the website. If you get caught and sued, you easily have an out clause, because you can say you were trying to help Facebook and possibly get paid for your work. :lol:

    I see this as an immediate get-out-of-jail-free card for Anonymous or LulzSec or any other hacktivist group. It can also be a form of entrapment by Facebook.
    Certs: CISSP, OSCP, CRTP, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2020 Goals:
    Courses: VHL (completed), CQURE: Windows Security Crash Course (completed), BlackHills InfoSec: Breaching the Cloud (completed), eLearnSecurity: WAPTv3 (completed), IHRP (completed), THPv2 (completed), PTXv2 (completed)
    Certs: VHL: Advanced+ (completed), OSCP (completed), AZ-500 (failed 1st attempt), eWPT (failed 2x, no further attempts), eCIR (complete), eCTHPv2 (report: awaiting results), eCPTXv2 (Dec)
    2021: AZ-500, AZ-104, AZ-204, AZ-303, AZ-304, MS-500
  • the_Grinch (Member; Posts: 4,165)
    "We worked with several third-party groups to ensure that the language in our policy protects researchers and makes clear our intent to work with, not punish, those who report information," Sullivan wrote.

    The Electronic Frontier Foundation, an advocacy group that often weighs in on Internet-related legal issues, is a fan of that approach.

    "We hope to see others follow Facebook's lead and go even further," the EFF wrote last year about Facebook's security policy. "The more transparent companies are about their approaches to vulnerability disclosure -- and the more they encourage users to come forward -- the more often they will learn about problems that need to be fixed."

    Obviously that isn't going to help you with your ISP, but it seems there is some sort of policy to cover your butt. Always look at the fine print; I'd have to read the security policy to see how you are supposed to identify yourself as a professional or researcher. I'd love to see someone get caught and use testing as the excuse:

    Cop: "So you broke into your ex's Facebook and called her nasty things?"
    You: "Um it was a security audit I was doing and I found a bug"
    Cop: "Did you report the bug?"
    You: "Um, as soon as I get out of here I will, promise, I intended to!"
  • hiddenknight821 (Member; Posts: 1,209)
    Even if I'm an InfoSec pro, I would rather not participate in this. If Anonymous finds out that you are helping them out, then you are probably screwed. That's just my theory.
  • alan2308 (CISSP, MCSA 2008, MCSA 2012, CCNA R&S, CCNA Security; Ann Arbor, MI; Member; Posts: 1,854)
    Sounds like Facebook getting worried now that Anonymous has announced that they're coming for them.
  • idr0p (Member; Posts: 104)
    1.) It says they give you money for finding BUGS, not exploits; there is a difference. They are not asking you to hack them.

    2.) It actually is a good move on Facebook's part. They get "scanned" all the time by random people anyway, so they might as well learn from them. I relate it to documentaries where people are doing illegal stuff: they are protected for educational purposes.
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+; Surf City, USA; Admin; Posts: 11,947)
    idr0p wrote: »
    1.) It says they give you money for finding BUGS, not exploits; there is a difference. They are not asking you to hack them.
    Anything present or missing in a hardware/software system that the designers and implementers didn't intend is considered to be a "bug." Therefore, assuming the designers/implementers didn't intend to create exploitable aspects of their system (i.e., vulnerabilities), all exploits are considered proof of the existence of bugs. One could say the true "hackers" of any system development group are the people in Quality Assurance, who are constantly trying to break (i.e., "hack") what the developers are building.

    So go forth and "QA" Facebook--but only with permission, and by following Facebook's rules.