by hn-miw-i 4904 days ago
Problem is he used an auditing/penetration testing tool POST disclosure, and did it without authorization. The availability of these tools puts weapon-grade exploits in the hands of those with limited understanding of the consequences. I don't have an issue with the availability -- best we lighten our history with Full Disclosure and provide best-of-breed tools to simulate attackers -- however, responsibility and individual accountability are at an all-time low. These tools will light up the alarms immediately and the user will have limited understanding.

Let's assume it was not SQLi but an authorization application logic bug, i.e. changing a parameter passed by the browser allowed access to the whole record set. He did the right thing and told the vendor -- but after the fact he ran a tool that probably simulated SQLi on every damn parameter! Like smashing a car window after telling the owner he has left it unlocked.

Even a brain-dead sysadmin would notice it in the logs, and likely whatever SIEM would fire a high-priority alert.

He did this without auth and the company did the right thing here. In this post aaronsw world we can't just assume that every n00b clown whitehat hacker is totally innocent of all crimes even if done with the best intentions. People need to take responsibility for their actions. An ignorant click can be just as criminally negligent as stabbing a dude in the face.

1 comment
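The commenter's point that a scanner hammering SQLi payloads at every parameter is trivially visible in web logs is easy to show concretely. The following is an added example, not code from the thread or from any tool mentioned in it: a small detector that parses constructed Apache-style access log lines, URL-decodes each query parameter, matches the decoded values against a handful of SQLi-shaped patterns, and correlates hits per client IP. The log lines, IP addresses, path names and the alert threshold are all assumptions made up for the example; a real SIEM rule would use the same correlation idea (many distinct parameters probed from one source in a short window) with a far larger signature set.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (not from the thread). 203.0.113.7 behaves like an
# automated scanner probing several parameters; 198.51.100.4 is an ordinary user
# whose input happens to contain an apostrophe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /record?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "GET /record?id=1' HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "GET /record?id=1%20OR%201%3D1 HTTP/1.1" 200 9981
203.0.113.7 - - [10/Oct/2012:13:55:38 +0000] "GET /record?id=1%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2012:13:55:38 +0000] "GET /search?q=a'%20OR%20'1'%3D'1 HTTP/1.1" 200 44
203.0.113.7 - - [10/Oct/2012:13:55:39 +0000] "GET /search?q=a%3B%20DROP%20TABLE%20users HTTP/1.1" 200 44
203.0.113.7 - - [10/Oct/2012:13:55:39 +0000] "GET /login?user=admin'%20-- HTTP/1.1" 401 0
198.51.100.4 - - [10/Oct/2012:13:55:40 +0000] "GET /record?id=2 HTTP/1.1" 200 498
198.51.100.4 - - [10/Oct/2012:13:55:41 +0000] "GET /search?q=it's%20here HTTP/1.1" 200 120
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \d+$'
)

# Deliberately small signature set; matched against the URL-decoded parameter value.
# A lone apostrophe inside a word (it's) is NOT a hit; a bare trailing quote probe (1') is.
SQLI_PATTERNS = [
    re.compile(r"'\s*(?:or|and)\b", re.I),            # a' OR '1'='1
    re.compile(r"\bunion\s+select\b", re.I),          # 1 UNION SELECT NULL
    re.compile(r"\bor\s+1\s*=\s*1\b", re.I),          # 1 OR 1=1
    re.compile(r"(?:--|#)\s*$"),                      # comment-terminated payload
    re.compile(r";\s*(?:drop|delete|update|insert)\b", re.I),  # stacked query
    re.compile(r"^'$|^\d+'$"),                        # bare quote error probe
]


def parse_line(line):
    """Parse one access log line into ip, path, decoded (name, value) params, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes values
    return {"ip": m["ip"], "path": url.path, "params": params, "status": int(m["status"])}


def looks_like_sqli(value):
    return any(p.search(value) for p in SQLI_PATTERNS)


def scan_log(text, threshold=3):
    """Correlate SQLi-shaped parameter values per source IP.

    Returns {ip: {"hits": n, "params": {(path, name), ...}, "errors": n}} for every
    IP that sent suspicious values to at least `threshold` distinct (path, parameter)
    pairs. One odd value from a user is noise; the same source probing many
    parameters across endpoints, with 5xx responses mixed in, is a scanner.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "params": set(), "errors": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            if looks_like_sqli(value):
                entry = per_ip[rec["ip"]]
                entry["hits"] += 1
                entry["params"].add((rec["path"], name))
                if rec["status"] >= 500:
                    entry["errors"] += 1
    return {ip: e for ip, e in per_ip.items() if len(e["params"]) >= threshold}


if __name__ == "__main__":
    for ip, e in scan_log(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {e['hits']} SQLi-shaped values across "
              f"{len(e['params'])} parameters, {e['errors']} server errors")
```

Run against the constructed log, only the scanner IP is reported: six suspicious values spread over three distinct parameters on three endpoints, two of them producing 500 responses. The ordinary user's `it's here` query produces no hit, which is the point of keying the alert on breadth across parameters rather than on any single pattern match.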

What is with all these analogies that equate testing with smashing things?

Stop it.

Stop. It.