Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Level of Exploitation
From: Egon Braun <mundoalem () gmail com>
Date: Fri, 12 Dec 2008 20:26:08 -0200

I just mean pen-testers should obviously assess vulnerability risk, but
in terms of the vulnerability itself. You assess vulnerabilies based on
the level of security compromise that could be achieved, that's how you
difference the fact of using of plain-text or vulnerable protocols
sensible to eavesdropping, from running a vulnerable service as root, or
running it from a chroot jail, for example. SQL injection in fact, is
actually a high risk, because there are many attack avaliable to
compromise the data integrity of the database, or even the host. Even on
those cases, there is a distinct risk in a web application connecting
with DML privilegies or another using only granted selects to particular
tables or even fields. The topic is obscure, but here is how I see it:
assess the vulnerability, not the computer data, or the company, or the


Got it! :)

__ I completely agree with you __.

PS.: Sorry by the last email, I did not see that it was sent
just to you! It was not meant to be offtopic or a reply
just for you. :)

Egon Braun <mundoalem () gmail com>

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]