I was perusing the forums and tr1pp33 asked an interesting question about ethics in testing. The second half of his question actually got me thinking. The ethics of testing remote sites is interesting in its own right, although we’ve been through that conversation before. The second half of his question, though, was: if testing is illegal, how do you prove intent? It got me thinking about how you prove you’re innocent if you actually didn’t do it, but someone else forced you to hack on their behalf.
If I force someone else to hack on my behalf, how can I prove that I didn’t intentionally do it? But that brings up a second question: if I can prove it wasn’t me by saying I’ve got spyware on my computer, perhaps it’s worth installing spyware on the off chance I do get caught, so I can plead innocence. Okay, but back to the problem: how do you prove it in the case of CSRF or session riding?
The only obvious thing I could think of was logging. You could log everything you do on the local host with something like slogger (thank you to Jordan Wiens for the link). You could also log at the proxy level (you may miss HTTPS traffic unless you use an SSL accelerator as a MITM to slow down/log/process the results). Ultimately, though, even that doesn’t show intent, because I could have had every intention of clicking on links that would force my browser to do something. If I can coordinate to get others to infect me with a virus or XSS worm or something else, I can somehow absolve myself of the crime. It’s a tricky subject, certainly.
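As an added illustration of what proxy-level logging can and cannot tell you about a session-riding request (this is example code written for this post, not slogger and not anything from the original), the script below reads a few constructed, tab-separated proxy log lines that record the request method, URL, Referer and Origin headers, and flags state-changing requests whose Origin/Referer point at a different site than the target, or carry no source header at all. The log format, the host names and the timestamps are all made up for the example. The point it makes is the one above: the log can show that a transfer request was issued while the browser was rendering a third-party page, which supports the "my browser was forced" story, but it says nothing about whether the person at the keyboard meant to click.

```python
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Assumed tab-separated layout:
# timestamp, method, url, referer, origin ('-' means the header was absent).
SAMPLE_LOG = """\
2024-01-10T10:00:01Z\tGET\thttps://bank.example/account\thttps://bank.example/login\t-
2024-01-10T10:00:09Z\tPOST\thttps://bank.example/transfer\thttps://bank.example/account\thttps://bank.example
2024-01-10T10:03:42Z\tGET\thttps://forum.example/thread/123\t-\t-
2024-01-10T10:03:43Z\tPOST\thttps://bank.example/transfer\thttps://forum.example/thread/123\thttps://forum.example
2024-01-10T10:05:00Z\tPOST\thttps://bank.example/transfer\t-\t-
"""

# Methods that change server-side state and therefore matter for session riding.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def site_key(url):
    """Rough 'site' identity: (scheme, host). A real tool would use a public
    suffix list to compare eTLD+1; scheme+host is enough for this demo."""
    if url == "-":
        return None
    p = urlparse(url)
    return (p.scheme, p.hostname)


def parse_line(line):
    """Split one constructed log line into a dict of its five fields."""
    ts, method, url, referer, origin = line.rstrip("\n").split("\t")
    return {"ts": ts, "method": method, "url": url,
            "referer": referer, "origin": origin}


def classify(entry):
    """Compare the request source to its target.

    Origin is preferred because browsers send it on cross-site POSTs even when
    Referer is suppressed; fall back to Referer; 'unknown' when neither exists.
    """
    target = site_key(entry["url"])
    for header in ("origin", "referer"):
        source = site_key(entry[header])
        if source is not None:
            return "same-site" if source == target else "cross-site"
    return "unknown"


def find_suspect_requests(log_text):
    """Return (timestamp, url, classification) for every state-changing request
    that did not demonstrably originate from the target site itself."""
    suspects = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["method"] not in STATE_CHANGING:
            continue
        kind = classify(entry)
        if kind != "same-site":
            suspects.append((entry["ts"], entry["url"], kind))
    return suspects


if __name__ == "__main__":
    for ts, url, kind in find_suspect_requests(SAMPLE_LOG):
        print(f"{ts}  {url}  <- {kind} source")
```

Running it lists the transfer issued from the forum page as cross-site and the final one, which has no Origin or Referer at all, as unknown; the transfer submitted from the bank's own account page is not reported. The "unknown" bucket is the caveat: a request with no source headers is exactly what a non-browser tool or a stripped Referer looks like, so an empty source is evidence of nothing by itself, which is why the log alone cannot settle intent.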