During testing, should we always prove a vulnerability by exploiting it, or is it enough to identify the hole without demonstrating an attack?
Initially my view was that we should show a successful attack before reporting the hole, but the view has slowly changed with experience.
Consider SQL injection. Should we report the possibility of SQL injection if a page displays a database error message? Or should we demonstrate a successful attack before reporting it?
Here's why a proven exploit is not required when reporting the above:
- Even if we are not able to exploit the vulnerability, a dedicated attacker with far more time might be able to construct a successful exploit.
- Since sites change, it might become easier to exploit the weakness due to a slight change in the web application tomorrow.
- Database error messages due to SQL injection mean that input validation is not being performed on the server side. Since malicious input reaches the database, it should be reported as a vulnerability.
- The timeline for testing an application is limited. Time should be best used to find out as many weaknesses as possible instead of going after one vulnerability to prove a point.
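To make the third point concrete, here is an added example (not code from the original post) that uses a constructed in-memory SQLite table: the concatenated query turns a harmless apostrophe in the input into a database error, which is exactly the symptom that shows unvalidated input reaching the database, while the parameterized version treats the same input as plain data.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for the application's backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return con

def lookup_vulnerable(con, name):
    """Builds the query by string concatenation: the input becomes part of the
    SQL text, so a stray quote changes the statement and the database reports a
    syntax error. That error message is the symptom the post describes."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    try:
        return {"rows": con.execute(sql).fetchall(), "db_error": None}
    except sqlite3.DatabaseError as e:
        return {"rows": [], "db_error": str(e)}

def lookup_parameterized(con, name):
    """Uses a bound parameter: the input is handed to the driver as data and is
    never spliced into the SQL text, so a quote is just a character to match."""
    rows = con.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return {"rows": rows, "db_error": None}

def error_leak_check(handler, con, probe="O'Brien"):
    """Defender-side check: does an ordinary apostrophe in the input surface a
    database error? If so, unvalidated input reached the query engine, which is
    worth reporting as a vulnerability even without a working exploit."""
    return handler(con, probe)["db_error"] is not None

if __name__ == "__main__":
    con = make_db()
    print("concatenated query leaks a DB error:", error_leak_check(lookup_vulnerable, con))
    print("parameterized query leaks a DB error:", error_leak_check(lookup_parameterized, con))
```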