1

I like the idea of white hat hacking. That's why I'd like to become a pentester in the future. But now I like to learn a bit and was wondering, if it's legal to search for SQL injection, XSS and some other Basic stuff for webapplications, with the intention to report them to the webmaster.

If this matters, I'm from Germany, we have the so called "Hackerparagraph" (§ 202c StGB) which criminalizes the attempt of trying to break into a system or even develop such code/tools. Theoretically, a successful injection would be an act of crime.

But what is, if this is for a good cause? Should I fear that the admin will report my action to the police?

E.g if i write the admin an email like this:

Dear Admin,

I found a vulnerability for an SQL Injection on yout Page XXX. I had/have no intention to share this vulnerability with somone except you.

http://domain.de/site.php?cat=1&s_id=4818&p_id=13807&r_id=4&nr_id=647568+%27and+%271%27=%272%27+union+select+1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,version(),7,8,9,0,1,2,3,4,5,6,7,8,9--+

I'd recommend you to [explain various things about security]. I hope this helps you and your company to guarantee the safety of yours and your customers.

pguetschow
  • 750
  • 5
  • 16
  • Related, but in a different jurisdiction: http://security.stackexchange.com/questions/37310/is-it-legal-to-find-bugs-on-a-website-and-report-them-to-the-websites-owner – Anders Oct 24 '16 at 14:48

3 Answers3

5

As other people have already mentioned the practices you mentioned should be avoided, to stay on the safe side of things.

However, some companies have bug bounty programs in place that basically encourage and reward the report of vulnerabilities discovered on their platform (e.g. Google.) Also, there are platforms like HackerOne that aggregate bug bounties from different companies.

Of course companies that set up these bug bounty programs are usually very robust, so you'll have to try much harder to discover potential vulnerabilities.

κροκς
  • 151
  • 3
3

Regardless of your intentions, breaking is breaking, as long as it is deliberate. In other words, it is likely considered illegal in your country.

And no one is obliged to be audited without consent, except in cases and by actors defined by law, so the intent doesn't matter here.

What if, for example, your SQL injection has some side effects you didn't expect and damages the audited system? Or, what if your SQL injection fails (which is good) but triggers some legal action against you, as it is spotted by the admin in the website's log file?

I would, therefore, strongly advise not going that route. However, why not try asking admins before acting, explaining exactly what you explained in this post? Most will say no, but a few might say yes.

More about this:

Shlublu
  • 181
  • 5
  • Thanks for making this clear. I was wondering because I've read a blog where the owner found vulnearbilites in various sites, als in some federal ones and never han any problem. – pguetschow Oct 24 '16 at 11:43
  • @TechTreeDev Of course, cases like that exist. And even "thank you cases" exist. But you cannot expect them, definitely. I hope the course will be affordable soon - and there is the excellent and free OWASP Webgoat training app and course (https://www.owasp.org/index.php/WebGoat_Installation) you can use for learning in the meantime. This is deployed on your own local machine so completely legal and encouraged should your intent be good. Good luck! – Shlublu Oct 24 '16 at 11:46
2

I don't think it matters if it is for good cause or not. Just don't do it. If you book the Penetration Testing with Kali course from Offensive Security then you get a great lab where you can do all you like. In the real world, JUST DON'T DO IT. You may ask for permission to do it but I don't think anyone will take the risk to allow a completely unknown person an attack on their network.

Also keep in mind this: Whenever an illegimate attempt to break into a foreign network is detected and prosecuted, your professional reputation is lost forever. Not only in IT Security trust in your business partners is the most important asset.

kaidentity
  • 2,634
  • 14
  • 31
  • C&P from other answer: Thanks for making this clear. I was wondering because I've read a blog where the owner found vulnearbilites in various sites, als in some federal ones and never han any problem. Unfortunately, the course is not afordable at the moment. But I like the aspect you've mentioned how this could damage the proffessional aspect. – pguetschow Oct 24 '16 at 11:44
  • That other people do stupid things doesn't mean you also need to do that, right? – kaidentity Oct 24 '16 at 11:45
  • Right, that's why I was asking. – pguetschow Oct 24 '16 at 11:46