by aaron695 4892 days ago
http://www.acunetix.com/blog/web-security-zone/should-you-te...

what can happen when production Web applications are tested including:

Email floods

Junk data inserted into databases

News feeds filling with random input

Log files filling up

Accounts getting locked out

Internet bandwidth consumption

Scans that take longer to complete

High server and database utilization

Incident response teams and managed security providers having to deal with alerts

Final cleanup needed after the fact
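As an added illustration of the side effects listed above, here is a small log-triage script (example code, not from the Acunetix article or from anyone in this thread) that reads web server access-log lines and flags clients whose traffic looks like an automated scanner: a burst of many requests in a short window, a large number of distinct paths, and a high share of 4xx/5xx responses. This is the kind of signal that fills logs and lands on an incident response team's desk. The sample log lines, the IP addresses and the thresholds are constructed assumptions.

```python
# Added example: flag scanner-like clients in Common Log Format access logs.
# Not the article's or the thread's code; sample data and thresholds are assumed.
import re
from collections import defaultdict
from datetime import datetime

# One regex for the Common Log Format fields we need (ip, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts, path, status for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        # Strip the query string so /login?user=a and /login?user=b count as one path.
        "path": m.group("target").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def _peak_requests(recs, window_s):
    """Largest number of requests by one client inside any window_s-second window."""
    recs = sorted(recs, key=lambda r: r["ts"])
    peak, start = 0, 0
    for end in range(len(recs)):
        while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flag_scanners(lines, window_s=60, min_requests=20,
                  min_distinct_paths=10, max_error_ratio=0.5):
    """Map client IP -> list of reasons, for clients matching at least two scanner indicators.

    Requiring two indicators keeps a single legitimate burst (a page with many
    assets) from being reported on its own.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        reasons = []
        peak = _peak_requests(recs, window_s)
        if peak >= min_requests:
            reasons.append(f"{peak} requests within {window_s}s")
        distinct = len({r["path"] for r in recs})
        if distinct >= min_distinct_paths:
            reasons.append(f"{distinct} distinct paths")
        error_ratio = sum(1 for r in recs if r["status"] >= 400) / len(recs)
        if len(recs) >= 5 and error_ratio >= max_error_ratio:
            reasons.append(f"{error_ratio:.0%} 4xx/5xx responses")
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged


def _constructed_log():
    """Constructed sample: two ordinary visitors plus one client probing 30 paths in 15s."""
    lines = [
        '203.0.113.7 - - [10/Oct/2000:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
        '203.0.113.7 - - [10/Oct/2000:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1200',
        '203.0.113.9 - - [10/Oct/2000:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 2326',
        "this line is not in Common Log Format and is skipped",
    ]
    for i in range(30):
        lines.append(
            f'198.51.100.5 - - [10/Oct/2000:13:55:{40 + i // 2:02d} +0000] '
            f'"GET /probe-{i}?q=test HTTP/1.1" 404 300'
        )
    return lines


CONSTRUCTED_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, reasons in flag_scanners(CONSTRUCTED_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against real logs, the thresholds need tuning per site; the point is that one scanner run produces a signature that is easy to separate from ordinary visitors, which is exactly why it generates alerts and cleanup work on the operator's side.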

2 comments

Still, all those things are caused by bugs in _your_ software. And all of that can be caused by regular users just hitting one of the bugs.
No, they are not bugs, in any way, shape or form. I think you are missing the technology and ethos of website design here.

Web scanners do massive offensive attacks. They basically DoS attack your site in many ways, trying millions of attack vectors.

Mitigating against vandalism is very hard. It hurts users the more you do. Generally you leave it as open as possible and it is ok, since it's not a security issue per se and most sites can live their lives never having been attacked this way.

There's no money in vandalism and unless you piss off skilled or determined people it won't be abused.

Someone could write a script to cause thousands of $ damage to Wikipedia without much trouble. But Wikipedia chooses to leave itself open and take the risk. They don't have a bug. They are trying to do the right thing by users.

> No, they are not bugs, in any way, shape or form.

Maybe not all, but some of them are.

I think you mentioned a different issue here: puerto called the unauthorized check 'unethical', and you talk about performance. If Mr. Al-Khabaz used some noninvasive scanner, which didn't bring any serious technical overhead, is it ok by you?

> Someone could write a script to cause thousands of $ damage to Wikipedia without much trouble. But Wikipedia chooses to leave itself open and take the risk. They don't have a bug.

I don't really understand what you mean when you say 'open', open to what? But I think Wikipedia has some protection mechanisms, because at their scale, if someone could easily bring them down, someone would.

As per my link to a direct article by the makers of the scanner he used, it is invasive. What more do you want?

Yes, passive scanning is fine with me, it's probably legal in most countries, but this is not certain (See Google and wifi). But I don't see the relevance to the conversation.

Passive automated scanning is fairly useless so it's not really used.

Fact is he broke the law at a criminal level and caused damage, if you can't see this, you really have no idea of the reality of the technology he was using.

But what should happen to him for it is a discussion for a different thread.

I agree. But _any_ kind of hacking exploits some kind of vulnerability in the system. The presence of the bug doesn't give you the right to exploit it.

Yeah, those things also... ;)