
@real-foobar7

14 Followers · 33 Following · 5 Posts · Joined 20.12.2024

Latest posts by @real-foobar7

- IDOR
-> self signup
-> read (crit info)
-> read (medium info)
-> write (crit data)
-> write (medium data)
-> read/write (crit)
-> ...
-> low-priv (same org)
-> see above
These are common cases which can be standardized (to a degree)

31.12.2024 16:31 👍 0 🔁 0 💬 0 📌 0

I'd go even further than they do, and specify a lot more. For example:
- sXSS
-> pre-auth / self signup
-> normal user interaction
-> uncommon user interaction
-> low-priv (same org, etc)
-> see above
-> high-priv
-> see above

31.12.2024 16:30 👍 0 🔁 0 💬 1 📌 0

Having a catalog of common bb issues + severity is really helpful here, because we know exactly what to expect. There should be no guesswork on what standard rXSS, sXSS (depending on required privileges), IDOR, etc give. I often don't like how VRT does it, but the idea to do it this way is good.

31.12.2024 16:27 👍 1 🔁 0 💬 1 📌 0

CVSS isn't focused on web security, which is a majority of bb findings (how often do we have AV anything other than N?) And CVSS doesn't handle common cases well. Everyone fudges the numbers on pXSS. Mass PII leak is at most High, when real-world impact can often be crit. And so on.

31.12.2024 16:27 👍 1 🔁 0 💬 1 📌 0

I think - while flawed - Bugcrowd's VRT is a decent attempt.

31.12.2024 16:26 👍 1 🔁 0 💬 1 📌 0