Penetration Testing mailing list archives
RE: Level of Exploitation
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Wed, 3 Dec 2008 21:50:02 -0500
My guess would be that they don't have a clue what they even mean by "level of exploitation". I am guessing that what they want is to know how bad it is.

Basic XSS means that you got the web page to spit back something that you gave it...that could be very ho-hum or it could be very bad. Same thing with the SQL injection....were you able to get it to give you a parameter error when you sent it something which indicates that they aren't properly checking the incoming data...that is an indication that something bad might be possible. ...or, were you able to dump the entire dataset...maybe even get the SQL server to run some command and connect to your waiting server...maybe even shovel you a shell....but I'm guessing you would have called that something other than SQL injection...like maybe a total compromise or something.

I think pen-testers in general need to be able to put "bad stuff" into a business perspective. What does the business owner stand to lose? How easy is the exploit to do? How prevalent is the exploit?

I think we should also give them ways to detect it...give them specific times that you launched the attack and have them see what it looks like in their logs...then they can look through their logs to see if somebody else has been targeting them.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of pentestr
Sent: Tuesday, December 02, 2008 11:15 PM
To: pen-test () securityfocus com
Subject: Level of Exploitation

Hi list,

I have come across a situation where I need to specify the "Level of Exploitation" to the client (a govt. agency). I was able to do SQL Injection, Cross Site Scripting attacks against the web application. Could you share your ideas about level of exploitation?

What level can we give for SQL Injection, Cross site scripting, buffer overflow, TCP stack exploit, etc.?

Thanks in advance,
Pen Testr
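The log check suggested in the reply above, as an added example that is not part of the original thread: take the tester's source address and test window from the report, fingerprint the requests that drew error responses, then list other sources that produced the same fingerprint at any time. The log format (Apache-style access log), the sample lines, the addresses and the fingerprint heuristic (path, parameter names, status code) are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log; every address, path and time is made up.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Dec/2008:14:02:11 -0500] "GET /item.php?id=1%27 HTTP/1.1" 500 312
198.51.100.7 - - [03/Dec/2008:14:03:02 -0500] "GET /search.php?q=test HTTP/1.1" 200 880
203.0.113.20 - - [03/Dec/2008:14:05:40 -0500] "GET /item.php?id=42 HTTP/1.1" 200 5120
192.0.2.99 - - [28/Nov/2008:03:17:05 -0500] "GET /item.php?id=7%27 HTTP/1.1" 500 312
192.0.2.99 - - [28/Nov/2008:03:17:09 -0500] "GET /item.php?id=7%27%27 HTTP/1.1" 500 312
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(log_text):
    """Yield (ip, time, fingerprint) for each parseable line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, url, status = m.groups()
        parts = urlsplit(url)
        names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
        yield ip, datetime.strptime(ts, TS_FMT), (parts.path, names, int(status))

def other_sources(log_text, tester_ip, start, end):
    """Map each non-tester IP to the times it matched a test-window fingerprint."""
    start, end = (datetime.strptime(s, TS_FMT) for s in (start, end))
    entries = list(parse(log_text))
    # What the authorised test "looks like": error responses it provoked.
    seen = {fp for ip, t, fp in entries
            if ip == tester_ip and start <= t <= end and fp[2] >= 400}
    hits = defaultdict(list)
    for ip, t, fp in entries:
        if ip != tester_ip and fp in seen:
            hits[ip].append(t.isoformat())
    return dict(hits)
```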