Question of Likelihood

[Pen Testar <pentestar () ymail com>]

I'm testing an app with sensitive information that is full of holes. Reflected and persisted XSS, CRSF, various 
injection attacks… you name it. 


You also have a bunch of vulns that aren’t typically of high likelihood, but in the presence of the other vulns above 
(I’ll call them the “enabling” vulns), some of these lows are easier to exploit. When you rank, do you rank each vuln 
independently or in context of others? 


I can see arguments either way:
1.       One opinion may say rank independently as long as the enabling vulns are marked high. That way if the project 
team can’t fix’em all, then they can focus on the enabling ones and that'll naturally bring the others down to low. You 
also don’t want to hand them a report with too many highs as not appear like an alarmist and lose credibility.
2.       The other opinion may say rank it high because this is the truth in view of the current posture of the 
application.

What’s the common practice out there?

Thanks
Pentestar  

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------