Penetration Testing mailing list archives
Re: Level of Exploitation
From: Egon Braun <mundoalem () gmail com>
Date: Fri, 12 Dec 2008 20:26:08 -0200
I just mean pen-testers should obviously assess vulnerability risk, but in terms of the vulnerability itself. You assess vulnerabilities based on the level of security compromise that could be achieved; that's how you differentiate the use of plain-text or vulnerable protocols sensitive to eavesdropping from running a vulnerable service as root, or running it from a chroot jail, for example. SQL injection, in fact, is actually a high risk, because there are many attacks available to compromise the data integrity of the database, or even the host. Even in those cases, there is a distinct risk in a web application connecting with DML privileges or another using only granted selects to particular tables or even fields. The topic is obscure, but here is how I see it: assess the vulnerability, not the computer data, or the company, or the world. Greetings.
Got it! :) I completely agree with you.

PS: Sorry for the last email, I did not see that it was sent just to you! It was not meant to be off-topic or a reply just for you. :)

--
Egon Braun <mundoalem () gmail com>