Typically, if you are in the US and are testing a server in the US that is owned by a company headquartered in the US, it is legal to find Reflective XSS so long as you don't crash any services. Crashing any services can be seen as a DoS attack, and then you are screwed. Moreover, if you crash a service and cost the company more than 5k USD, then you run the risk of the FBI trying you for cybercrime.
*I DO NOT CONDONE TESTING SITES YOU DON'T HAVE PERMISSION TO TEST*

On Wed, Feb 8, 2012 at 9:23 PM, <[email protected]> wrote:
> On Wed, 08 Feb 2012 17:30:18 +0100, Info said:
> > A general question: is it legal to search for XSS vulnerabilities on
> > custom websites ?
>
> Yes. No. Maybe. Depends where you live, where the web server is physically
> located, and where the corporate headquarters are. In the US, the law you
> need to worry about most is 18 USC 1030:
>
> http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
>
> "... having knowingly accessed a computer without authorization or exceeding
> authorized access, and by means of such conduct having obtained information..."
>
> It's going to come down to whether the jury believes the prosecutor's version
> or your version of what "exceeding authorized access" means - which is why
> professional pen testers make sure they get a "Get Out Of Jail Free" card, and
> negotiate rules of engagement (what's allowed, what's not) as part of the
> contract. You amateur pen testers are on your own. ;)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
