Penetration Testing mailing list archives
Re: Question of Likelihood
From: Justin Rogosky <jrogosky () gmail com>
Date: Mon, 14 May 2012 15:56:36 -0400
Hi, Carnal 0wnage is doing a blog series about this very subject. http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-0-intro.html My opinion is that if you are doing a report, it would be of more value to list the vulnerabilities separately with the reformatted tool output (or other methodology you are applying to list them as "low"). But add a separate section that shows how the various "enabling" vulnerabilities can be trivially combined to expose the system to more "higher" level vulnerabilities. I would try to walk them through the steps you used to get farther into the system using the "low" vulnerabilities. Try to emphasize the mentality that a vulnerability isn't missing a patch but the entirety of what can occur because of that missed patched. just my 2 cents, and with inflation that ain't worth much. --Justin On Sun, May 13, 2012 at 11:21 PM, Pen Testar <pentestar () ymail com> wrote:
I'm testing an app with sensitive information that is full of holes. Reflected and persisted XSS, CRSF, various injection attacks… you name it. You also have a bunch of vulns that aren’t typically of high likelihood, but in the presence of the other vulns above (I’ll call them the “enabling” vulns), some of these lows are easier to exploit. When you rank, do you rank each vuln independently or in context of others? I can see arguments either way: 1. One opinion may say rank independently as long as the enabling vulns are marked high. That way if the project team can’t fix’em all, then they can focus on the enabling ones and that'll naturally bring the others down to low. You also don’t want to hand them a report with too many highs as not appear like an alarmist and lose credibility. 2. The other opinion may say rank it high because this is the truth in view of the current posture of the application. What’s the common practice out there? Thanks Pentestar ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Question of Likelihood Pen Testar (May 14)
- Re: Question of Likelihood Justin Rogosky (May 14)
- Re: Question of Likelihood Pete Herzog (May 16)