To exploit or not?

By Paladion

July 11, 2005

During testing, should we always prove a vulnerability by exploiting it, or is it enough to identify the hole without demonstrating an attack?

Initially my view was that we should show a successful attack before reporting the hole, but the view has slowly changed with experience.

Consider SQL injection. Should we report the possibility of SQL injection if a page displays a database error message? Or should we demonstrate a successful attack before reporting it?

Here's why a proven exploit is not required when reporting the above:

  1. Even if we are not able to exploit the vulnerability, a dedicated attacker with a whole lot of time might be able to construct a successful exploit.
  2. Since sites change, it might become easier to exploit the weakness due to a slight change in the web application tomorrow.
  3. Database error messages due to SQL injection mean that input validation is not being performed on the server side. Since malicious input reaches the database, it should be reported as a vulnerability.
  4. The timeline for testing an application is limited. That time is best used to find as many weaknesses as possible instead of going after one vulnerability to prove a point.
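
Point 3 in miniature, as an added example that is not part of the original post: the same harmless value containing a single quote produces a database error when the query is built by string concatenation and none when it is bound as a parameter, so the error alone is evidence worth reporting. The table, function names and sample rows are constructed for illustration, and SQLite stands in for whatever database the application uses.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("alice",), ("O'Brien",)])
    return db

def lookup_concat(db, name):
    # Weak form: input is spliced into the SQL text, so it reaches the parser.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    # Corrected form: input is bound as data and never parsed as SQL.
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def probe(lookup, db, value):
    """Return 'db-error' if the input caused a database error, else 'ok'."""
    try:
        lookup(db, value)
        return "ok"
    except sqlite3.Error:
        return "db-error"

def assess(lookup, db):
    # A legitimate name containing one quote is enough to tell the two
    # forms apart; no attack is constructed.
    baseline = probe(lookup, db, "alice")
    quoted = probe(lookup, db, "O'Brien")
    # Reportable: normal input works, but a quote breaks the statement,
    # which means user input is being interpreted as SQL.
    reportable = baseline == "ok" and quoted == "db-error"
    return {"baseline": baseline, "quoted": quoted, "reportable": reportable}

if __name__ == "__main__":
    db = make_db()
    print("concatenated: ", assess(lookup_concat, db))
    print("parameterized:", assess(lookup_param, db))
```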
