
I was spidering a website with Burp Suite, and the automated form submission caused me to unknowingly deface the main page with "555-555-0199@example.com".

It took me a decent amount of time to notice, but when I did, I immediately worked to resolve the issue by finding an archive of the page and recreating the content by hand.

I doubt anyone but me noticed this, though I'm very concerned about the legality of what happened. Should anything happen in the future, would I be liable, since it was just simple spidering of the website that caused this to happen?

QUEX0R
  • Here: http://law.stackexchange.com/. And I assume this is U.S.? – Pacerier Jan 21 '16 at 21:24
  • Thanks for the link, and yes I'm asking about U.S laws. @Pacerier – QUEX0R Jan 23 '16 at 00:08
  • It [looks like](http://meta.stackoverflow.com/questions/334121/strange-script-or-bug-while-reviewing-the-answer#comment393019_334121) somebody's been running Burp Suite against SO, too (and spamming the review queue with bogus edits in the process). – Ilmari Karonen Sep 09 '16 at 11:46


Number one rule of penetration testing: don't do it on things that don't belong to you. Yes, it is merely a spider. However, people think wget is a scary hacker tool and the US govt. actually used that in a case. I appreciate that you rectified your mistake, and I think that reflects well on you. You have a few options here, depending on your moral beliefs:

  1. Honesty. Send the webmaster a note with what happened and how to fix it. This could go a few ways -- you either make a webmaster happy, you piss them off and get tangled up in it, or you get no response.

  2. Run away. Act like it didn't happen. The website will chug on and no one will be the wiser. Of course, someone may notice your activities in the web log, and they most likely will not be motivated to track you down.

To be quite honest, both of these are decent solutions. And in the future, don't run Burp against targets you don't have permission to test on. It saves everyone's time :)

Ohnana
  • Excellent answer. To add to this @quex0r please do the Burp training. There are many videos on YouTube outlining correct usage of Burp which emphasise the use of manual spidering over automated spidering. The scenario you have encountered has occurred many times before and this is why the automatic spider is not recommended. – 16b7195abb140a3929bbc322d1c6f1 Jan 19 '16 at 05:37
  • I would add that having at first unintentionally but perhaps recklessly made an unauthorised change to the website, the questioner then *completely intentionally* made another unauthorised change to the website. The goal was to be helpful, but among the reasons for the rule never to pen test anything without permission is that you put yourself in a really difficult hole. Having broken the page you then have to choose whether to leave it broken (which allows the harm to accumulate) or to commit what could end up being another, perhaps more serious criminal act (trying to reduce harm). – Steve Jessop Jan 19 '16 at 10:45
  • @SteveJessop, that's a more legalist view. Since I am not a lawyer or prosecutor, I have the freedom to judge based on intention rather than a legal code :) – Ohnana Jan 19 '16 at 13:50
  • @Ohnana: oh sure, but avoiding a bad legal situation can become a matter of personal safety (and professional longevity) regardless of what the best possible outcome is for the site you found a vulnerability on. So I don't think anyone could be blamed for stopping as soon as the first thing went wrong :-) – Steve Jessop Jan 19 '16 at 13:52
  • Option 3: Send the webmaster an anonymous note [...] – Jorge Leitao Jan 19 '16 at 17:28
  • @J.C.Leitão, And say "*sorry, no harm intended*". – Pacerier Jan 21 '16 at 21:34