Read the book Hacking For Dummies - Kevin Beaver - Page 57

A CASE STUDY IN SELF-INFLICTED DENIAL OF SERVICE

An updated program once bit me. I was performing a vulnerability scan on a client’s website — the same test that I’d performed the previous week. The client and I had scheduled the test date and time in advance. But I didn’t know that the software vendor had made some changes in its web form submission tests, and I accidentally flooded the client’s website, creating a DoS condition.

Luckily, this condition occurred after business hours and didn’t affect the client’s operations. The client’s web application was coded to generate an email for every form submission, however, and there was no CAPTCHA on the form to limit successive submissions. The application developer and company’s president received 4,000 emails in their inboxes within about 10 minutes. Ouch!

My experience is a perfect example of not knowing how my tool was configured by default and what it would do in that situation. I was lucky that the president of the company was tech-savvy and understood the situation. Be sure to have a contingency plan in case a situation like that occurs. Just as important, set people’s expectations that trouble can occur, even when you’ve taken all the right steps to ensure that everything’s in check.

One way to prevent this specific problem is to know, in advance, the email address such messages will originate from — for example, was@qualys.com for Qualys Web Application Scanner and scanner@probe.ly for Probely — and then block those emails at the server level.
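The two mitigations the story points to (dropping notifications whose form-supplied address belongs to a known scanner, and capping how many notification emails a burst of submissions may generate) can be combined in one small gate in front of the mail-sending code. This is an added example, not code from the book or from the client's application; the scanner addresses come from the text, while the 20-per-10-minutes threshold, the `submitter_email` field name and the sample submissions are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Scanner-origin addresses named in the text. A submission whose email field
# carries one of these never produces a notification, regardless of volume.
BLOCKED_SENDERS = {"was@qualys.com", "scanner@probe.ly"}


class NotificationThrottle:
    """Allow at most `limit` notification emails per sliding `window`.
    Submissions beyond the limit are counted for a later digest instead of
    each becoming its own email (assumed thresholds, not from the book)."""

    def __init__(self, limit=20, window=timedelta(minutes=10)):
        self.limit = limit
        self.window = window
        self.sent_at = deque()   # timestamps of emails actually sent
        self.suppressed = 0      # submissions folded into the digest

    def decide(self, submitter_email, now):
        """Return 'drop', 'send' or 'suppress' for one form submission."""
        if submitter_email.strip().lower() in BLOCKED_SENDERS:
            return "drop"
        # Expire send timestamps that have fallen out of the sliding window.
        while self.sent_at and now - self.sent_at[0] >= self.window:
            self.sent_at.popleft()
        if len(self.sent_at) < self.limit:
            self.sent_at.append(now)
            return "send"
        self.suppressed += 1
        return "suppress"


def simulate(submissions, limit=20):
    """Run (timestamp, submitter_email) pairs through one throttle and
    return how many submissions ended in each outcome."""
    throttle = NotificationThrottle(limit=limit)
    counts = {"send": 0, "suppress": 0, "drop": 0}
    for ts, email in submissions:
        counts[throttle.decide(email, ts)] += 1
    return counts


# Constructed sample: 4,000 submissions spread over 10 minutes after hours,
# mirroring the burst in the story, with the scanner's own address mixed in.
START = datetime(2024, 1, 1, 19, 0)
FLOOD = [(START + timedelta(seconds=i * 0.15), "visitor@example.com")
         for i in range(4000)]
FLOOD += [(START + timedelta(seconds=1), "was@qualys.com")]

if __name__ == "__main__":
    print(simulate(FLOOD))   # 20 sent, 3980 digested, 1 dropped
```

With the throttle in place the same run that produced 4,000 inbox messages yields 20 emails plus one digest count, and submissions carrying the scanner's address produce nothing at all.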
