I've been thinking of doing something like this for a long time. Whilst I try my best to secure the server and run vulnerability scans against our site, I don't really go into much depth with them. I was planning on putting aside a few days to do a proper penetration test on the site with various tools.
Then I thought it might be fun for some of our more knowledgeable members to get involved.
Here's how I envision it working:
1) I'll create a separate copy of the forums at some other address, but make it virtually identical to these ones (i.e. it will have all the same files and database). For security, I'll remove / scramble all user details from the database files, but otherwise it will be an exact copy.
2) People who want to take part will give me the IP address that they will be working from. I'll add these to a temporary whitelist so that our Intrusion Detection System does not automatically ban them when attacks are detected. These people will also have to accept an agreement stating that any vulnerabilities they find will not be published until a fix is in place, nor will they attempt to test the vulnerability on the main site.
3) At a specified time, I'll enable the whitelist and allow people to test for a certain period of time (probably a few days to a week).
4) The only attacks which will be forbidden are denial of service and those that actively change / delete content from the server / database.
5) During and after the test, I'll go through all reported issues, confirm and (attempt to) fix them, and then add the user's name to a "Hall of Fame" part of the site. The user will then be allowed to talk about their exploit freely.
So firstly, are there any members out there who would be interested? You don't necessarily need to have a background in hacking / penetration testing, but obviously knowledge of exploits would help. If people just want to try out hacking, you're welcome as well, but it would probably be more beneficial to go to other "hack this site" type websites instead.
If I get some interest, I'll write a more verbose explanation of what is and is not allowed. I obviously want to make it as open as possible, but I also don't want the server being bombarded with traffic from tools at the same time (we may have to schedule testing times per user).
- Tiberius
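For step 1 (scrambling user details in the copied database), here is an added example, not Tiberius's own script, of doing it reproducibly and then checking that nothing original survived. It runs against a constructed in-memory SQLite table; the schema (id, username, email, password_hash, last_ip) is assumed, and a keyed HMAC keeps duplicate values linked while the discarded key makes them unrecoverable.

```python
import hashlib
import hmac
import secrets
import sqlite3
# Constructed sample rows standing in for a forum's user table; the schema
# (id, username, email, password_hash, last_ip) is assumed, not the real one.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org", "$2y$10$hash-of-alice", "203.0.113.5"),
    (2, "bob", "bob@example.org", "$2y$10$hash-of-bob", "198.51.100.7"),
    (3, "carol", "alice@example.org", "$2y$10$hash-of-carol", "203.0.113.5"),
]

def pseudonym(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic pseudonym: equal inputs stay linked within one run,
    but once the key is discarded the original cannot be recovered."""
    tag = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return tag[:length]

def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "email TEXT, password_hash TEXT, last_ip TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn

def scramble_users(conn: sqlite3.Connection, key: bytes) -> int:
    """Rewrite every identifying column in place; returns the row count."""
    rows = conn.execute("SELECT id, username, email FROM users").fetchall()
    for uid, name, email in rows:
        conn.execute(
            "UPDATE users SET username=?, email=?, password_hash=?, last_ip=? WHERE id=?",
            ("user_" + pseudonym(key, "username", name),
             pseudonym(key, "email", email) + "@invalid.example",
             "!disabled",  # no real hash reaches the test copy
             "0.0.0.0",    # IPs are not needed for the test: drop them
             uid))
    conn.commit()
    return len(rows)

def leaked_values(conn: sqlite3.Connection, originals) -> list:
    """Check step: any original username/e-mail/hash/IP still present in a dump."""
    dump = "\n".join(conn.iterdump())
    return [v for row in originals for v in row[1:] if v in dump]

def scrambled_copy() -> sqlite3.Connection:
    conn = build_sample_db()
    scramble_users(conn, secrets.token_bytes(32))  # key is never stored
    return conn
```

Run `leaked_values` against the real dump before publishing the test copy; an empty list is the condition for handing the address out.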