Penetration Testing mailing list archives

Re: Question of Likelihood


From: Justin Rogosky <jrogosky () gmail com>
Date: Mon, 14 May 2012 15:56:36 -0400

Hi,

Carnal 0wnage is doing a blog series about this very subject.
http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-0-intro.html

My opinion is that if you are doing a report, it would be of more
value to list the vulnerabilities separately with the reformatted tool
output (or other methodology you are applying to list them as "low").
But add a separate section that shows how the various "enabling"
vulnerabilities can be trivially combined to expose the system to more
"higher" level vulnerabilities.  I would try to walk them through the
steps you used to get farther into the system using the "low"
vulnerabilities.  Try to emphasize the mentality that a vulnerability
isn't missing a patch but the entirety of what can occur because of
that missed patch.

just my 2 cents, and with inflation that ain't worth much.

--Justin

On Sun, May 13, 2012 at 11:21 PM, Pen Testar <pentestar () ymail com> wrote:
I'm testing an app with sensitive information that is full of holes. Reflected and persisted XSS, CSRF, various injection attacks… you name it.


You also have a bunch of vulns that aren’t typically of high likelihood, but in the presence of the other vulns above (I’ll call them the “enabling” vulns), some of these lows are easier to exploit. When you rank, do you rank each vuln independently or in context of others?


I can see arguments either way:
1. One opinion may say rank independently as long as the enabling vulns are marked high. That way if the project team can’t fix ’em all, then they can focus on the enabling ones and that'll naturally bring the others down to low. You also don’t want to hand them a report with too many highs so as not to appear like an alarmist and lose credibility.
2. The other opinion may say rank it high because this is the truth in view of the current posture of the application.

What’s the common practice out there?

Thanks
Pentestar
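The two ways of ranking that the quoted question describes, and Justin's suggestion of a separate section showing how the "enabling" findings chain into the lows, can both be produced from the same finding list. The following is an added example, not code from the thread or from either poster; the qualitative risk matrix, the `enabled_by` relationship and every finding in `SAMPLE` are constructed for illustration and are not taken from the application under discussion.

```python
"""Rate findings independently and in context of 'enabling' findings.

Added example with constructed data; the risk matrix and the sample
findings are assumptions, not the thread's own methodology.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEVEL = {"low": 1, "medium": 2, "high": 3}
NAME = {v: k for k, v in LEVEL.items()}


@dataclass
class Finding:
    fid: str
    title: str
    impact: str                       # impact if exploited: low / medium / high
    likelihood: str                   # likelihood when assessed on its own
    enabled_by: List[str] = field(default_factory=list)  # ids of findings that make this one easier


def risk(impact: str, likelihood: str) -> str:
    """Assumed qualitative matrix: impact x likelihood mapped back to a level."""
    score = LEVEL[impact] * LEVEL[likelihood]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def contextual_likelihood(findings: Dict[str, Finding], fid: str, _seen=None) -> int:
    """Likelihood of `fid` given that its enablers are present in the same app.

    A dependent finding is treated as at least as likely as the most likely
    enabler that leads to it. Cycles and dangling ids are skipped.
    """
    _seen = _seen or set()
    f = findings[fid]
    best = LEVEL[f.likelihood]
    for eid in f.enabled_by:
        if eid in _seen or eid not in findings:
            continue
        best = max(best, contextual_likelihood(findings, eid, _seen | {fid}))
    return best


def rank(findings: Dict[str, Finding]) -> List[dict]:
    """One row per finding with both the independent and the contextual rating."""
    rows = []
    for f in findings.values():
        independent = risk(f.impact, f.likelihood)
        contextual = risk(f.impact, NAME[contextual_likelihood(findings, f.fid)])
        rows.append({"id": f.fid, "title": f.title, "independent": independent,
                     "contextual": contextual, "enabled_by": list(f.enabled_by)})
    return rows


def chains(findings: Dict[str, Finding]) -> List[Tuple[str, str, str, str]]:
    """(enabler, dependent, independent rating, contextual rating) for every
    finding whose rating changes once its enablers are taken into account.
    This is the material for the report's 'how the lows combine' section."""
    out = []
    for row in rank(findings):
        if row["independent"] != row["contextual"]:
            for eid in row["enabled_by"]:
                out.append((eid, row["id"], row["independent"], row["contextual"]))
    return out


# Constructed sample findings (not the app from the thread).
SAMPLE = {f.fid: f for f in [
    Finding("F1", "Stored XSS in profile page", "high", "high"),
    Finding("F2", "CSRF on account settings", "medium", "high"),
    Finding("F3", "Password change does not require current password",
            "high", "low", enabled_by=["F1", "F2"]),
    Finding("F4", "Verbose stack traces", "low", "medium"),
]}


if __name__ == "__main__":
    print(f"{'id':<4}{'independent':<13}{'contextual':<12}title")
    for row in rank(SAMPLE):
        print(f"{row['id']:<4}{row['independent']:<13}{row['contextual']:<12}{row['title']}")
    print("\nChains that change a rating:")
    for enabler, dependent, before, after in chains(SAMPLE):
        print(f"  {enabler} -> {dependent}: {before} -> {after}")
```

Running it prints the per-finding table first (F3 is medium on its own and high in context, F4 stays low either way) and then the enabling chains, which is the split Justin describes: the individual list keeps its standalone ratings, and the chain section shows which highs the project team should fix first to bring the dependent findings back down.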

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------