Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
how to get a list of websites that are likely to be insecure!
Posted by: Jeffuk
Date: January 06, 2010 04:50PM

Just a quick thing I picked up on a little while back I thought I'd put out there to see if it's really innovative, just common sense, or a bit of both.

Step 1: Find a broken website, one with lots of flaws, doesn't matter what the website does or what it's for.

Step 2: Look at the bottom of the homepage for 'Web Design By Alice Corp'.

Step 3: Go to the Portfolio and news pages of 'Alice Corp' and stick 'Web Design By Alice Corp' in Google.

Basically, extending the standard practice of finding a vulnerability in a publicly available web application and looking for people who use it into finding a known-insecure web design company and seeing what else they've done wrong.

First attempt took me to a brochure-style company website with a buggy 'news' page to a list of e-commerce sites.


Just a thought,
J

Re: how to get a list of websites that are likely to be insecure!
Posted by: diehard
Date: January 14, 2010 01:44PM

Good way. I always do the same.

Re: how to get a list of websites that are likely to be insecure!
Posted by: _Andy
Date: March 09, 2010 08:26AM

Or, do what some Chinese guy/group did on the full disclosure mailing list.

Make a fuzzer, but host it online. Market it as 'the best free fuzzer' etc in all the usual sec places. Have people go to your site, point it towards their insecure LIVE sites, sit back and watch as all these 'security specialists' populate your datastore with huge lists of their live XSS/SQL inj holes.

When I saw it come up on the list I laughed my ass off and then watched in bemusement as everyone started to actually use it. They thought nothing of it, whatsoever.

Re: how to get a list of websites that are likely to be insecure!
Posted by: thrill
Date: March 09, 2010 09:49AM

And if you give me your credit card number, I can verify that it's not being used fraudulently! ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: how to get a list of websites that are likely to be insecure!
Posted by: SAS
Date: March 09, 2010 09:47PM

_Andy, that's fun for some lulz, but no lessons are learned there. Most pentesters will grab it and run it on some level of trust. I always make the distinction between hats (all colors) and pentesters; often pentesters are not versed in these things, since a lot of them are simply sysadmins or someone put in charge with a silly ISC2 / CISSP paper without any real-world experiences. That said, most of them can't even read the code if the source comes along with it, let alone giving them an executable (which always is based upon trust).


