
Likewise, my story about how I got into and out of security: it really just takes basic programming knowledge, an understanding of reverse engineering concepts, and constantly testing shit.

When I got kicked out of college for my hack (rm https://news.ycombinator.com/item?id=5090007) all I did was spam URLs with different IDs and test if they returned 200 or 404... and bam, press coverage + job offers. Sometimes the simplest of stuff can lead to nirvana.

I'm no longer in security since it was getting very addictive (I would start testing every website I'd visit for vulns)... and I had to change, and decided to jump into the startup world.
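The "spam URLs with different IDs and see what comes back" test in the comment above is a probe for insecure direct object references. As an added editorial example (not code from any commenter or from the site in the story), here is a constructed in-process model of such an endpoint: one handler that only checks whether the ID exists, one that also checks ownership, and an enumerator that walks nearby IDs the way the probe did. The invoice data, user names and handler names are all assumptions made for the example.

```python
"""IDOR probe against a constructed in-process "app" (added example, not from the thread).

Two handlers for GET /invoices/<id>: one that only checks the ID exists
(vulnerable, like the portal in the story) and one that also checks ownership.
An enumerator walks nearby IDs and reports which ones a given user can read.
Everything here is constructed; no real site or URL is involved.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed data: invoice id -> owning user and amount
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 75.50},
    1003: {"owner": "carol", "total": 300.00},
    1005: {"owner": "alice", "total": 42.00},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def parse_id(raw: str) -> Optional[int]:
    """Strict ID parsing: only positive decimal integers are accepted.
    Quotes, minus signs and other tampering noise get a 404 instead of
    ever reaching a database query."""
    if not raw.isdigit():
        return None
    return int(raw)


def vulnerable_get_invoice(user: str, raw_id: str) -> Response:
    """Existence check only: any logged-in user can read any invoice."""
    inv_id = parse_id(raw_id)
    if inv_id is None or inv_id not in INVOICES:
        return Response(404)
    return Response(200, INVOICES[inv_id])


def hardened_get_invoice(user: str, raw_id: str) -> Response:
    """Ownership check: missing and foreign invoices both return 404, so the
    status code does not reveal which IDs exist."""
    inv_id = parse_id(raw_id)
    inv = INVOICES.get(inv_id) if inv_id is not None else None
    if inv is None or inv["owner"] != user:
        return Response(404)
    return Response(200, inv)


Handler = Callable[[str, str], Response]


def probe(handler: Handler, user: str, start_id: int, count: int) -> Dict[str, int]:
    """Walk IDs start_id .. start_id+count-1 as `user`; return {raw_id: status}."""
    return {str(i): handler(user, str(i)).status for i in range(start_id, start_id + count)}


def readable_foreign_ids(handler: Handler, user: str, start_id: int, count: int) -> List[int]:
    """IDs that returned 200 but belong to someone else: the IDOR finding."""
    results = probe(handler, user, start_id, count)
    return [int(i) for i, s in results.items()
            if s == 200 and INVOICES[int(i)]["owner"] != user]


if __name__ == "__main__":
    print("vulnerable:", readable_foreign_ids(vulnerable_get_invoice, "alice", 1000, 8))
    print("hardened:  ", readable_foreign_ids(hardened_get_invoice, "alice", 1000, 8))
```

The hardened handler deliberately returns the same 404 for "does not exist" and "not yours"; a 403 for the latter would still let the probe map which IDs are in use, which is exactly the signal the walk relies on.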

> ... I had to change and decided to jump into the startup world.

You don't have to choose one of them. I was in a similar position about 6 years ago, with a software + security background and a passion for startups, which led me to start my own company (https://www.netsparker.com/). We're building a tool to automate web app security and advance automated scanning of web apps; it's really fun stuff if you are into security.

The security industry is great for startups and newcomers; another option is obviously working for a security startup, and there are tons of them.

I've actually heard about your product, as someone was using it against a customer's app portal (on one of our servers). It didn't find an exploit per se, but it helped us discover a performance/DoS issue when it would occasionally start crashing and restarting a vhost. So, indirectly, thanks for the great product!

Very cool, and indeed combining your strengths and helping other people at the same time is key to a successful business. Best of luck with Netsparker!

> I would start testing every website I'd visit for vulns

That's a pretty bad idea if you don't have permission from the owners of the site.

Permission is the enemy of a hacker. We enthusiasts don't mean any harm and almost never perform tests that break the software (or network). There's a reason why bounty programs exist.

We enthusiasts might end up in court and/or trouble for that. Do not do pen-testing on systems you don't own or have explicit permission to work on (such permission might be a bug bounty program or something to that effect).

Yes, there is a reason why bounty programs exist, they make it plain that testing is 'ok'. In absence of a bounty program or a relationship with the company you can't claim that you 'don't mean harm' and that your tests would never break the software or the network. It's going to be lumped in with actual attacks.

Not going to lie, every time I'm on a website with some sort of ID in the URL, particularly more obscure ones, I can't help but tamper with it. Try putting quotes in it, try making it a negative value or changing it to nearby values.

I've found a disturbing number of SQL injection and XSS attacks like this, just messing around on obscure sites.

I run a small business and have noticed our customers try to do the same sometimes, their user ID is visible in the URL at some points. I see the error logs saying they tried to load something they didn't have permission for at least a few times a month.

Do you think there's a serious legal risk here, assuming I don't perform any bad queries on the DB but just see an error message from it and assuming I don't give anyone an XSS'd link, just from plain toying with URLs?

One caveat: client-side attacks like XSS that don't execute on or break the backend are rather OK 100% of the time.

Simple example that this isn't true: an admin portal that shows requests and doesn't escape properly. Bam, you just broke their whole back office.

Simple reflected XSS testing can easily fuck sites up; all the site has to do is stash a query input somewhere that gets rendered back out in JS to all users later (extremely common example: search results).

All of a sudden every user on the site is getting alert popups.

A lot of these sites can calculate down to the second and the dollar how much they lose if their site goes down. Guess who's liable if the cause of that downtime is you?
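The failure mode described above, a reflected payload that the site stashes and replays to everyone, is worth seeing concretely. As an added editorial example (not code from any commenter), here is a constructed "recent searches" widget shared across all visitors, rendered unsafely and then with context-appropriate escaping for the two places such a widget usually ends up: an HTML list and a JavaScript array literal. The class, method names and the `alert(1)` probe are assumptions for the example.

```python
"""Reflected XSS that becomes stored via a shared "recent searches" widget
(added example, not from the thread). Constructed app; no real site involved."""
import html
import json
from collections import deque
from typing import List


def js_literal(value) -> str:
    """JSON-encode for embedding inside a <script> block. json.dumps alone is not
    enough: a literal '</script>' inside a string still ends the script element,
    so angle brackets (and '&') are emitted as JS \\uXXXX escapes."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


class SearchPage:
    """Model of a site whose search box feeds a widget shown to every visitor.
    The query is reflected once to the searcher, then stored and replayed."""

    def __init__(self, keep: int = 5):
        self.recent: deque = deque(maxlen=keep)  # shared across all users

    def record(self, query: str) -> None:
        """What the search handler does with the raw query string."""
        self.recent.append(query)

    # --- HTML body context -------------------------------------------------
    def render_html_unsafe(self) -> str:
        items = "".join(f"<li>{q}</li>" for q in self.recent)
        return f'<ul id="recent">{items}</ul>'

    def render_html_safe(self) -> str:
        items = "".join(f"<li>{html.escape(q, quote=True)}</li>" for q in self.recent)
        return f'<ul id="recent">{items}</ul>'

    # --- JavaScript string context ----------------------------------------
    def render_js_unsafe(self) -> str:
        literals = ", ".join(f'"{q}"' for q in self.recent)
        return f"<script>var recentSearches = [{literals}];</script>"

    def render_js_safe(self) -> str:
        return f"<script>var recentSearches = {js_literal(list(self.recent))};</script>"


def script_close_count(markup: str) -> int:
    """Number of '</script>' tokens: the unsafe JS rendering contains an extra
    one contributed by the stored payload, which breaks out of the script."""
    return markup.lower().count("</script>")


def demo() -> List[str]:
    page = SearchPage()
    page.record("cats")
    page.record("<script>alert(1)</script>")  # one visitor's "harmless" probe
    return [page.render_html_unsafe(), page.render_html_safe(),
            page.render_js_unsafe(), page.render_js_safe()]


if __name__ == "__main__":
    for out in demo():
        print(out)
```

The HTML and JS contexts need different escaping; applying `html.escape` to a value dropped into a script block, or `json.dumps` to a value dropped into the body, leaves a working injection in the other context.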

Not even close to true.

At least non-admin XSS is much harder to define as "hacking" by a judge. Otherwise, writing something like "Send your password to ha@ck.er plz!" would be considered severe hacking attempt too.

I don't know what country you're referring to, but in US criminal law, there is no such thing as "hacking". There is only unauthorized use. Cases will turn on whether you should have known that your use of the site while testing for security bugs was unauthorized (short answer: yes, you should have known), and whether it caused damage.

But that's criminal law. That's a real concern, but the bigger concern is tort law. If you blow up someone's site by getting an XSS input cached and replayed to all its users (or, heck, even if you just cause an alarm that they have to spend money responding to), you are going to be liable.

That's true. I myself would never poke around some corp. website without a bounty program.

Then please don't indirectly tell others it is ok to do so. You could cause a lot of trouble for someone who sees you as an authority figure. Of course 'homakov said it was ok' is not a very good defense, but still, better not to encourage dumb/bad behavior.

Is it really? If I just point Burp Suite to some website they're going to come after me?

It depends. If you're testing Facebook, probably not. If you're trying to CSRF wire transfers through your bank, you might get a visit from the authorities.
