real-foobar7.bsky.social
@real-foobar7.bsky.social
- IDOR
-> self signup
-> read (crit info)
-> read (medium info)
-> write (crit data)
-> write (medium data)
-> read/write (crit)
-> ...
-> low-priv (same org)
-> see above
These are common cases which can be standardized (to a degree)
December 31, 2024 at 4:31 PM
I'd go even further than they do, and specify a lot more. For example:
- sXSS
-> pre-auth / self signup
-> normal user interaction
-> uncommon user interaction
-> low-priv (same org, etc)
-> see above
-> high-priv
-> see above
December 31, 2024 at 4:30 PM
Having a catalog of common bb issues + severity is really helpful here, because we know exactly what to expect. There should be no guesswork on what standard rXSS, sXSS (depending on required privileges), IDOR, etc give. I often don't like how VRT does it, but the idea to do it this way is good.
December 31, 2024 at 4:27 PM
CVSS isn't focused on web security, which is a majority of bb findings (how often do we have AV anything other than N?) And CVSS doesn't handle common cases well. Everyone fudges the numbers on pXSS. Mass PII leak is at most High, when real-world impact can often be crit. And so on.
December 31, 2024 at 4:27 PM
I think, while flawed, Bugcrowd's VRT is a decent attempt.
December 31, 2024 at 4:26 PM