Penetration Testing mailing list archives

RE: Level of Exploitation


From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Wed, 3 Dec 2008 21:50:02 -0500

My guess would be that they don't have a clue what they even mean by
"level of exploitation".  I am guessing that what they want is to know
how bad it is.  Basic XSS means that you got the web page to spit back
something that you gave it...that could be very ho-hum or it could be
very bad.  Same thing with the SQL injection....were you able to get it
to give you a parameter error when you sent it something which indicates
that they aren't properly checking the incoming data...that is an
indication that something bad might be possible.  ...or, were you able
to dump the entire dataset...maybe even get the SQL server to run some
command and connect to your waiting server...maybe even shovel you a
shell....but I'm guessing you would have called that something other
than SQL injection...like maybe a total compromise or something.

I think pen-testers in general need to be able to put "bad stuff" into a
business perspective.  What does the business owner stand to lose?  How
easy is the exploit to do?  How prevalent is the exploit?  I think we
should also give them ways to detect it...give them specific times that
you launched the attack and have them see what it looks like in their
logs...then they can look through their logs to see if somebody else has
been targeting them.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of pentestr
Sent: Tuesday, December 02, 2008 11:15 PM
To: pen-test () securityfocus com
Subject: Level of Exploitation

Hi list,

I have come across a situation where I need to specify the "Level of
Exploitation" to the client (a govt. agency). I was able to do SQL
Injection and Cross Site Scripting attacks against the web application.
Could you share your ideas about level of exploitation? What level can we
give for SQL Injection, Cross site scripting, buffer overflow, TCP
stack exploit, etc.?

Thanks in advance
Pen Testr
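
The log check suggested in the reply above (hand over the test times, then look for the same pattern from anyone else), as an added example that is not part of the original thread. It assumes an Apache-style access log; the sample lines, IP addresses, paths and the "unusual character" heuristic are all constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log sample (Apache common log format); every value is made up.
SAMPLE_LOG = """\
192.0.2.55 - - [28/Nov/2008:03:41:02 -0500] "GET /item.php?id=7%27 HTTP/1.1" 500 312
203.0.113.10 - - [02/Dec/2008:09:12:44 -0500] "GET /item.php?id=42 HTTP/1.1" 200 5120
198.51.100.7 - - [02/Dec/2008:14:05:11 -0500] "GET /item.php?id=42%27 HTTP/1.1" 500 312
203.0.113.10 - - [02/Dec/2008:14:05:40 -0500] "GET /search.php?q=blue+widget HTTP/1.1" 200 4096
198.51.100.7 - - [02/Dec/2008:14:06:30 -0500] "GET /search.php?q=%3Cb%3Ex HTTP/1.1" 200 2048
"""

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+')
# Assumed heuristic: a decoded parameter value containing anything other than
# word characters, whitespace and basic punctuation counts as "unusual".
UNUSUAL = re.compile(r"[^\w\s.,-]")

def ts(text):
    """Parse a timestamp written the way the access log writes it."""
    return datetime.strptime(text, TS_FORMAT)

def parse(log_text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, stamp, url, status = m.groups()
            yield {"ip": ip, "time": ts(stamp), "url": url, "status": int(status)}

def unusual_params(url):
    """Return {(path, parameter name)} for parameters carrying unusual values."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return {(parts.path, name) for name, value in pairs if UNUSUAL.search(value)}

def correlate(log_text, tester_ip, start, end):
    """Return the tester's own requests and look-alike requests from other sources."""
    entries = list(parse(log_text))
    mine = [e for e in entries
            if e["ip"] == tester_ip and start <= e["time"] <= end]
    # What the test "looks like": the path/parameter pairs it sent odd values to.
    known = set().union(*(unusual_params(e["url"]) for e in mine))
    others = [e for e in entries
              if e["ip"] != tester_ip and unusual_params(e["url"]) & known]
    return mine, others

if __name__ == "__main__":
    mine, others = correlate(SAMPLE_LOG, "198.51.100.7",
                             ts("02/Dec/2008:14:00:00 -0500"),
                             ts("02/Dec/2008:14:30:00 -0500"))
    for e in others:
        print("same pattern from another source:", e["ip"], e["time"], e["url"])
```

On the constructed sample, the tester's two requests in the window define the pattern, and the 28 November request from a different address is the one a client would want to investigate.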




