To exploit or not?

By Paladion

July 11, 2005

During testing, should we always prove a vulnerability by exploiting it, or is it enough to identify the hole without demonstrating an attack?

Initially my view was that we should show a successful attack before reporting the hole, but the view has slowly changed with experience.

Consider SQL injection. Should we report the possibility of SQL injection if a page displays a database error message? Or should we demonstrate a successful attack before reporting it?

Here's why a proven exploit is not required when reporting the above:

  1. Even if we are not able to exploit the vulnerability, a dedicated attacker with a lot of time might be able to construct a successful exploit.
  2. Since sites change, it might become easier to exploit the weakness due to a slight change in the web application tomorrow.
  3. Database error messages due to SQL injection mean that input validation is not being performed on the server side. Since malicious input reaches the database, it should be reported as a vulnerability.
  4. The timeline for testing an application is limited. That time is best spent finding as many weaknesses as possible rather than chasing one vulnerability to prove a point.
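As an added illustration of point 3 (this is example code, not from the original post), the snippet below contrasts a handler that concatenates a request parameter into SQL and echoes the driver's error with one that binds the parameter, using a constructed in-memory SQLite table; the function and table names are assumptions. A legitimate name containing an apostrophe is enough to surface the error, which is exactly why the error message alone is a reportable finding.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the post): a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    conn.commit()
    return conn


def lookup_unvalidated(conn, name):
    """Raw request parameter is pasted into the SQL text, and the database
    error is returned to the caller: the symptom a tester observes."""
    try:
        sql = "SELECT id FROM users WHERE name = '" + name + "'"
        rows = conn.execute(sql).fetchall()
        return {"ok": True, "ids": [r[0] for r in rows]}
    except sqlite3.Error as exc:
        # Leaking the driver's message proves the input reached the parser.
        return {"ok": False, "error": str(exc)}


def lookup_parameterized(conn, name):
    """Bound parameter: the input stays data, so the apostrophe is harmless."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?",
                        (name,)).fetchall()
    return {"ok": True, "ids": [r[0] for r in rows]}


def looks_like_db_error(body):
    """Defender-side check on a response body for leaked database errors
    (marker list is an assumption; extend it for the engine in use)."""
    markers = ("syntax error", "unrecognized token", "sql")
    return any(m in body.lower() for m in markers)


if __name__ == "__main__":
    db = make_db()
    print(lookup_unvalidated(db, "O'Brien"))    # {'ok': False, 'error': ...}
    print(lookup_parameterized(db, "O'Brien"))  # {'ok': True, 'ids': [2]}
```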
