October 4th, 2004


Hot Damn, I've Validated Myself

I started the day halfway through the security stand down without a single new security bug to my name. My team is in the lead for finding the most of these buggers (believe me, I'm kind of concerned at the large number of valid security bugs we've already found - but that's another story altogether) and I have been feeling like a numbnut slacker for not finding anything new. Every other member of my team had found at least one new bug except for me. I was determined to find something... ANYTHING today.

Unfortunately, the day just did not turn out for me. Everything I tried did not work. Plus, every time I found a track to go down, something would happen to that server. It made me rather waspish. (Mea culpa, Lori.) It just sucks when you start wondering why you are in a job to begin with.

I was going to leave, defeated and empty-handed, shortly after Lori left for the day. I had closed down my computer and even ran to the bathroom. I came back to my desk to get my things and looked at my nemesis, the computer. "No." I thought. "I'm not leaving until I find something... dammit." Sat back down and revisited a track I had started following then abandoned fairly early in the day.

I struck gold. I found two beautifully blatant information disclosure bugs. One mentioned an engineer by MS domain and alias - in three files. The other revealed library and template locations. I had Rob, the security guy, come verify that they were indeed security bugs. He gave me that little pleased smile of his when I showed him. We had a short talk about how frustrating security testing can be, and he complimented me and assured me I would find more.

I feel like I validated my existence as a tester. *smile*
