Anyone Interested In Ethical Hacking


I was recently thinking of ways to find out what vulnerabilities might exist on a website I recently created, but it's a free website and I don't have any money (because I spend it all on tech stuff!). Then it hit me that since I've been watching Hak5 for years I thought I would ask if there is anyone out there interested in doing some ethical hacking to see if they can identify any vulnerabilities.

It is a website based on ASP.Net 4 Framework using ASP.Net membership services. I'm not really looking for DoS attacks, because it's just a single server and I know it wouldn't take much to take it down. I'm more interested in knowing what methods a person could come up with to:

1) access another user's account/profile

2) modify system/site data without logging in

3) modify system/site data while logged in, but things that *shouldn't* be able to be changed

I am also asking that any volunteers not actually destroy the server/site but simply reveal any discovered flaws so that I can fix them and protect users.

If anyone is interested, please let me know via PM/email.

If you own the website and it's a legit job, hire someone to pentest it. You would also probably need to get the permission of your hosting company, unless it was hosted at your home through your own IP, and even then, your ISP would need to be notified. Otherwise, anyone doing the test for you could end up going to jail for attacking/testing the server/site in question. If you own everything, the equipment, IP address, etc., and it is a business, then hire a professional to test it, or read up on some tools and try it yourself. For starters, you personally can use Nessus to scan it for vulnerabilities and patch management level; just provide it with your Windows login credentials to the server, and it will spit out a report with what it found.

Hiring a professional pen-tester would be the best option, and plus I wouldn't trust a random person to do this kind of job. First, you never know what that person's intentions might be apart from performing pen-testing on your server, and secondly, how would you go about finding that person's whereabouts if he really did something illegal?

It's just something to think about.

Good points and thanks for the input guys.

I can't hire anyone with no money and for a free site. Everything is mine--right in my own house and self-coded. I'm really looking for someone who may already be familiar with ASP.Net membership who might at least know of some good pointers on known issues. I have searched the issue, but it's like a rabbit hole. Nothing is truly secure, as the term is more concept than anything and can constantly be redefined by new exploits. I guess if anyone has at least any experience with their own .NET membership based site being hacked/jacked or generally misused, I would appreciate hearing that type of thing.

I am just very wary about any kind of security surrounding Microsoft technologies--especially web technologies designed to protect user data. MS has a history of making certain things "easy" at the cost of very obvious vulnerabilities and I just don't want to be overlooking anything obvious.

I understand people not wanting to make that kind of information public too, for embarrassment or just to reduce future targeting.

