I gave a contract to a white hat hacker to find vulnerabilities in my site. According to him, he performed several attacks on my site over 15 days and found that there are no security threats. I am not sure whether he actually did this or not. How can I validate his report?

    You can try by not paying up to confirm that your site is not vulnerable :) – Question Overflow Jan 24 '15 at 11:07
    Just speaking from experience, almost any type of pen/intrusion test will come back with some feedback. These might be low priority FYI's, false-positives, etc. but there's always *something*. – Steven Jan 24 '15 at 19:06

3 Answers

  • Trust is a prerequisite: Even before signing the contract allowing a third party to try to break into your server, there should be a minimum background check regarding who you employ for the job (where does he come from, what company does he work for, how much experience does he have, which certifications do he and his company have, etc.).
  • Check your logs: After the attack, even more so if he claims he failed to find any security vulnerability (so he did not have a way to alter the logs), his thorough checking should have left clearly noticeable tracks in the logs.
  • Thanks for the valuable suggestion. On the server side we do not save the client's IP in our code. Apart from the public_html folder, where can I find logs? – Mohit Gupta Jan 25 '15 at 05:47

As previously stated, check your logs. You could also try asking for the output of his tools, e.g. Burp logs etc. He should have kept a record of the attacks performed and the returned data. No findings seems very unlikely to me; even on the simplest website with a hardened server there are usually some best practice findings like cookies without the httponly/secure flag, user enumeration, server version disclosed, default content present, weak SSL settings and more.

  • Indeed, vulnerabilities found or not, the "white hat hacker" should in all cases provide a comprehensive report stating precisely which tests have been done, why, and what their results were. – WhiteWinterWolf Jan 24 '15 at 11:13
  • That solely depends on the agreement on the deliverables of the test: if you agree on only directly exploitable vulnerabilities, indirectly exploitable vulnerabilities like the ones mentioned above may not get reported. – Gumbo Jan 24 '15 at 13:43

When you hire a company to do pen testing and vulnerability assessment you should have signed a checklist of everything you want them to test. This will act for the tester as a roadmap of what they can test. A lot of pen tests have the possibility of either taking the server down via Denial of Service (DoS) or corrupting/changing data via XSS/SQL Injection (SQLi).

So basically the contract signed to allow them to test the website should define and outline everything tested.

The only way to validate this when it shows "no issues" is to check your logs. You should be able to get the external IP that they used when they were doing this testing, and that will help narrow down which logs you need to analyze, as you can filter them by that source.

I hope this helps!

  • As a side note the only difference between a white/gray hat is really that piece of paper stating that the tests they'll perform are authorized. Without that paper and regardless of the intent of the individual performing the tests it is legally considered malicious. – lbakerit Jan 24 '15 at 21:41
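The log check described in the answers above, as an added example that is not part of any answer: it parses web server access logs in Combined Log Format (the default for Apache and nginx, which record the client IP on every line whether or not application code stores it), keeps only the requests from the tester's declared source IP inside the agreed engagement window, and summarises what that IP touched. The sample lines, the tester IP 203.0.113.5 and the engagement dates are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Combined Log Format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def summarize_tester_activity(lines, tester_ip, start, end):
    """Filter to the tester's IP inside the engagement window and summarise the traffic.
    A genuine test leaves many requests across many distinct paths, a high share of
    4xx/5xx responses, and tool user agents; a handful of 200s on / does not."""
    recs = [r for r in map(parse_line, lines)
            if r and r["ip"] == tester_ip and start <= r["ts"] <= end]
    errors = sum(1 for r in recs if r["status"] >= 400)
    return {
        "requests": len(recs),
        "distinct_paths": len({r["path"] for r in recs}),
        "status_counts": dict(Counter(r["status"] for r in recs)),
        "user_agents": sorted({r["ua"] for r in recs}),
        "error_ratio": round(errors / len(recs), 2) if recs else 0.0,
    }

# Constructed sample log: one ordinary visitor, three tester requests inside the
# window, and one tester request after the engagement ended (must be excluded).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2015:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2015:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "ExampleScanner/1.0"',
    '203.0.113.5 - - [10/Jan/2015:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"',
    '203.0.113.5 - - [10/Jan/2015:10:00:03 +0000] "GET /login.php?user=test%27 HTTP/1.1" 500 0 "-" "ExampleScanner/1.0"',
    '203.0.113.5 - - [25/Jan/2015:11:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
START = datetime(2015, 1, 5, tzinfo=timezone.utc)            # constructed engagement start
END = datetime(2015, 1, 20, 23, 59, 59, tzinfo=timezone.utc)  # constructed engagement end

if __name__ == "__main__":
    print(summarize_tester_activity(SAMPLE_LOG, "203.0.113.5", START, END))
```

Point it at the real access log (for example /var/log/apache2/access.log or /var/log/nginx/access.log) with the IP and dates from the tester's report; a summary near zero means the logs do not support the claimed testing.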