July 11, 2005
During testing, should we always prove a vulnerability by exploiting it, or is it enough to identify the hole without demonstrating an attack?
Initially my view was that we should show a successful attack before reporting the hole, but the view has slowly changed with experience.
Consider SQL injection. Should we report the possibility of SQL injection if a page displays a database error message? Or should we demonstrate a successful attack before reporting it?
Here's why a proven exploit is not required while reporting the above:
Buyer’s Guide to Managed Detection and Response
Managed Detection and Response
AI-Driven Managed Detection and Response
Why Your ‘Likes’ on Facebook May Be Revealing Far More than You Thought
Copyright All Rights Reserved © 2020