As a pentester, it would be a mistake to assume that all vulnerabilities will be fixed on the client's side. From a purely economic point of view, a fix is not worthwhile if it causes higher costs than a criminal exploitation. Our finding could also be a business requirement for the target system or application, which management has explicitly decided on. For example, social network operators often choose not to automatically terminate a user session after the user has been inactive for a long period of time, even though this issue is listed as a vulnerability in penetration testing standards such as the OWASP Testing Guide. In terms of the usability of social networks, such a decision is also understandable, since the average usage time would presumably be reduced if users have to authenticate themselves again each time. However, from an IT security perspective, a missing session timeout is associated with risks. One threat scenario, among others, would be that third parties could perform actions on behalf of an absent application user. Basically, the following strategies are available to our client to respond to risks:
Since we cannot be sure that all vulnerabilities will be addressed on the client's side, it is even more important that we clearly communicate the potential for damage. Regardless of our view, the client should carry out its own risk assessment, as we do not know all the background information from the company.
Last modified: Dec. 15, 2022
Take a look at the pentest training chapters and learn penetration testing:
Discover the world of penetration testing. Learn how to infiltrate networks and successfully penetrate systems and applications. Acquire the necessary hacking skills and use them when conducting professional penetration tests. Become a real penetration tester. Here you will find the free documents for the Pentest Training of binsec academy GmbH. The binsec academy GmbH offers the corresponding security training lab environments and certifications. However, the knowledge and wiki articles on hacking and penetration testing is universal.
binsec academy GmbH is the European provider of online security training with virtual laboratory environments. The core component of all security training is the focus on practice, practice and more practice. In the wiki here you will find the public and freely available course materials. You can put the theory into practice at binsec-academy.com.