Penetration Testing mailing list archives
Re: Different methods of obtaining exploits
From: Neil <neil () voidfx net>
Date: Wed, 01 Feb 2006 02:22:29 +0530
I agree. Actually finding exploitable vulns in applications is a time consuming job, and I think you'll find more people who do that working under the title "Security Researcher" than pen-tester. Neil On 1/29/2006 9:49 AM, FocusHacks wrote:
I'd say 100% of pen testers use exploits found on mailing lists and security sites, and I would be willing to bet a good 25% of them are getting exploits from friends and other limited-distribution channels on top of using published exploits. Honestly I'd bet the number of pen-testers actively finding holes to exploit is probably in the single-digit percentages. There may be 25% who take an advisory and reverse engineer the app to code an exploit for it, or re-vamp some POC code to be useable in the field, but I doubt 25% are actually finding the bugs to begin with. On 1/26/06, yawgmoth7 <yawgmoth7 () gmail com> wrote:I've always wondered about this, I do not know why. But just the different ways that pen-testers get their exploits/vullnerabilities. I think it would go something like this: 50% From online security sites 25% Find their own 25% From their friends Have I left any out? If so, go ahead and add it, this is just about what I think it would be. This has always interesting me for some reason. See ya -- gurusnetwork.org Gurus'Network - Are you a guru? --
Neil. http://voidfx.net "...the student skit at Christmas contained a plaintive line: "Give us Master's exams that our faculty can pass, or give us a faculty that can pass our Master's exams." --Paul R. Halmos ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Different methods of obtaining exploits Neil (Feb 02)
- <Possible follow-ups>
- Re: Re: Different methods of obtaining exploits kish_pent (Feb 05)