top | item 43969171

(no title)

strunz | 9 months ago

Eh, part of assessing the vulnerability is how deep it goes. Showing that there were no gates or roadblocks to accessing all the data is a valid thing to research, otherwise they can later say "oh we hade rate limiting in place" or "we had network vulnerability scanners which would've prevented a wholesale leak".

discuss

ofjcihen|9 months ago

That’s not how web app vulnerabilities work and it would be easy to counter that handwaving with “hackers know what FireProx is”.

SeaScythes|9 months ago

Hey there--pentester, security researcher, and bug bounty hunter here.

"Demonstrating impact" is common practice. The presence (or non-presence) of rate limiting controls, such as those alluded to by the commenter above, can play into the risk assigned to a vulnerability, and may be difficult to ascertain without actually attempting an otherwise theoretical attack. This also has the effect of indicating whether the target has adequate detection capabilities, which is important information.

Demonstrating impact is also just sometimes necessary to convey urgency to leadership; hand waving is common. Alternatively, some organizations may silently patch without performing a responsible disclosure, such as was the case with this article. Having hard proof that the attack was 1) viable and 2) not detected is critical information in the event that you must disclose to the public.

As an aside, from your history:

> My one gripe with HN is that people say incorrect things with complete confidence pretty regularly and you can only Detect it if you know the subject matter.

Welcome to being part of the problem. Remember the feeling.