Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
How far to go when pen testing a website?
Posted by: tr1pp33
Date: April 07, 2007 04:53PM

I've been thinking that some sites, when tested, vulnerabilities come to light. However, how deep should we test?

Example: Site has a weakness which allows reading of arbitrary files on the remote server.

Is it ethical to see how far we can break the system, i.e. read a remote file which contains SQL passwords, .htpasswd files, or should we just realise that yes, we can read any file which that remote application has access to, and inform the administrator?

Which brings me to another question: how does one protect themselves from being accused of hacking? A talk I went to recently suggested that in some cases even testing for simple SQL injection could be classified as criminal, even if it's just a ' or 1=1-- type query in a form. Any thoughts are appreciated.

Re: How far to go when pen testing a website?
Date: April 07, 2007 05:06PM

Don't forget about this little incident: http://www.securityfocus.com/news/11341. Putting a simple ../../../ got him arrested.

Re: How far to go when pen testing a website?
Date: April 07, 2007 10:41PM

I'm assuming that's a provision or law enforced in Europe?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: How far to go when pen testing a website?
Posted by: Jib
Date: April 08, 2007 05:56PM

Unless you have been contracted to do the testing, the answer is that you shouldn't test them. You can't draw an imaginary "ethical line" at what you come across while trespassing. Either you are doing something ethical or you aren't. If you were contracted to do testing, guidelines are usually established (of the nature of don't bring down any critical systems... intentionally) before your testing begins.

If you're not contracted to do it, you are in the ethical 'wrong' to begin with, so why draw a boundary anywhere?

[No sooner does man discover intelligence than he tries to involve it in his own stupidity.]
[Jaques Cousteau]

Re: How far to go when pen testing a website?
Posted by: tr1pp33
Date: April 09, 2007 09:58AM

Well Jib, I suppose that ethically, if you don't have an agreement with the site's owner, you are already crossing the ethical boundary.

The more interesting issue, like RSnake suggested, was how to prove innocence or intent on the web. You see many reports of people's PCs being infected and turned into zombies for spamming purposes/DDoS. It could also be used as a launching platform for hacking.

In court, how can you prove that the attack wasn't initiated without your direct knowledge? I was at a recent talk that suggested it would only be possible with the use of expert witnesses; in that case it would still be the benefit of the doubt that would get you off, because they could not prove you did not collaborate or self-infect your computer.

Re: How far to go when pen testing a website?
Posted by: jungsonn
Date: April 09, 2007 10:51PM

Such simple directory traversal. These things can be found through Google alone, so if one clicks on it, you suddenly got "unprivileged access"? When they talk about "the Computer Misuse Act" I really laugh about that one; obviously they forget who invented the computers and the whole internet as a result: hackers. And so they punish the hand that feeds them.

The many times I did this, I should be sentenced to life I guess :)

Re: How far to go when pen testing a website?
Posted by: Jib
Date: April 10, 2007 05:18PM

So, if you were to break into somebody's house, but you just were looking around, not taking anything... you're saying you shouldn't get in trouble?

[No sooner does man discover intelligence than he tries to involve it in his own stupidity.]
[Jaques Cousteau]

Re: How far to go when pen testing a website?
Date: April 10, 2007 05:58PM

No, you should get in trouble since you did intrude. However, just peeking in through the windows or knocking on the door should not get you in trouble. As for the fine line between what's inside the house or what's viewable from the windows, I can't tell you =oP

Re: How far to go when pen testing a website?
Posted by: Jib
Date: April 10, 2007 07:20PM

Touché!

[No sooner does man discover intelligence than he tries to involve it in his own stupidity.]
[Jaques Cousteau]

Re: How far to go when pen testing a website?
Posted by: Mephisto
Date: April 12, 2007 03:33PM

As anyone who does professional pen-testing could attest to, boundaries should always be clearly defined before a pen-test is performed. You, as a tester, need to know where you can and can't go in your testing... You have to operate within the defined "sandbox" you have been assigned.
