Questions tagged [white-hat]

White hat hacking (aka "ethical hacking", or "penetration testing") is the act of attacking a computer security system for the purpose of finding and fixing vulnerabilities. It is the opposite of black hat hacking.

From wikipedia:

The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies that ensures the security of an organization's information systems. Ethical hacking is a term meant to imply a broader category than just penetration testing.

The main differentiating factors for white hat hacking is the aim to increase the security of systems by either creating patches for or notifying vendors about the vulnerabilities they discover.

White hat hackers will restrict their testing to systems they have permission to test, such as under a bug bounty program or penetration testing contract, and they typically do not sell vulnerability information for personal profit.

12 questions
83
votes
5 answers

How to proceed with a white-hat hacker claiming a vulnerability?

I am a security member of a small company which recently got contacted by someone claiming to be a Hackenproof member. They were reporting on our website being indexed by googlebot (metadata, thin page content, anchor text issues) and an XSS…
Vcode
  • 866
  • 1
  • 5
  • 9
52
votes
3 answers

Could bug bounty hunting accidentally cause real damage?

If an application's code contains even minor and subtle inaccuracies, it can open up the entire database to SQL injection. In this example (see section 'Delete All Method'), the entire Users table gets deleted with a trivial SQL injection ("1) OR…
stevec
  • 1,214
  • 1
  • 7
  • 16
40
votes
4 answers

Is demanding a "donation" before disclosing vulnerabilities black hat behavior?

We have been contacted by an "independent security researcher" through the Open Bug Bounty project. First communications were quite OK, and he disclosed the vulnerability found. We patched the hole and said "thank you", but declined to pay a…
Jacco
  • 7,402
  • 4
  • 32
  • 53
29
votes
9 answers

How can an administrator secure against a 0day before patches are available?

I'm working on a thesis about the security hacker community. When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ? Moreover, most of the time, this same…
K.Fanedoul
  • 417
  • 4
  • 10
5
votes
3 answers

What is an 'Orange team'?

I heard that Google had an unofficial 'Virtual' team called the Orange Team that consisted of staff from outside the official security team, who engaged in a range of white hat activities to both develop their own skills, and to improve security at…
Stephen
  • 153
  • 1
  • 5
1
vote
1 answer

Does black hat always equal illegal?

I often hear of black-hat hacking discussed as if it was synonymous with illegal hacking. In other words, an act of hacking is black-hat iff it is illegal. Our own tag wiki for black-hat defines it as "the act of using computer security hacking for…
1
vote
0 answers

Does application security assessments done using SaaS solutions (WhiteHat Sentinal and Fortify on Demand) count as penetration tests?

SaaS security solutions such as "WhiteHat Sentinal" and "Fortify on Demand" are getting popular now a days. Methodologies of both describe them involving manual verification. Does this qualify the Application security assessment report produced by…
0
votes
1 answer

Understanding a Burp Capture

I am thinking of taking up ethical hacking as a hobby. So, I installed Burp Suite Community Edition and set it up with Firefox. I opened Instagram and tried to login with these details (just for testing): Username: admin Password: 123456 However,…
Fitz Watson
  • 101
  • 3
0
votes
2 answers

White hat hacker asks for account to do penetration tests

Our company has online app that requires to create a business account. Yesterday some suspicious accounts were made and our system automatically blocked the account creators and ip addresses. And today we have received an email saying "Hello my name…
undefinedman
  • 113
  • 4
0
votes
1 answer

White hat "ethical" hacking legality

I was preparing a presentation on White hat hackers and ethical hacking, I organized it this way at the moment: This mindmap is a draft version, of the final thing. By defense, I meant security manager, the ones using black hat techniques to…
0
votes
2 answers

What is the responsible thing to do when I care about a vulnerability more than the team behind the system?

I've encountered a security vulnerability in a website. The website is that of a leading brand in it's industry. There are user accounts etc. and this website is very popular. I've contact multiple people from their development/IT team, but no reply…
0
votes
1 answer

Penetration Testing Methodologies

I have some issues regarding the concept of black, grey and white hat. Where and in what penetration testing methodology I can find the black, grey or white hat concept definition?
Lucian Nitescu
  • 1,802
  • 1
  • 13
  • 27