Not All Web Vulnerabilities Are What They Appear to Be
When performing web security assessments, it’s easy for us to feel confident in what we see. Take Cross-Site Scripting (XSS) for instance. Your scanner finds this web vulnerability. You validate that it does indeed exist. What more is there to do? Well, it depends on how much pushback you get from your network admins or developers. They may know the rest of the story that you’re not privy to. Let me share a situation with you to explain why this matters.
I recently came across an XSS flaw on a client’s in-house web server that happened to be associated with their front-end marketing site. I validated the XSS finding and documented it in the final report. It was as clear as day that this web vulnerability was exploitable on the page. The HTTP responses showed it. I could even manually enter the script code directly into a URL string and watch the pop-up window in the browser.
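The validation step described above (checking the HTTP response to see whether the parameter is reflected unencoded, rather than trusting the scanner's verdict) can be written down as a small triage routine. The following is an added example of my own, not code from the original post; the three HTTP responses are constructed samples, and the `Server`/`Via` header hints are only a first clue about which system actually served the page, not proof.

```python
import html

# Constructed canary: a distinctive marker carrying the characters that matter
# in an HTML text context. A scanner's XSS finding is only real in that context
# if these come back verbatim; if they come back entity-encoded, the page is
# reflecting input safely and the finding is likely a false positive.
CANARY = 'zq<"\'>zq'

# Constructed sample responses (not from the original post).
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Via: 1.1 edge-cache-01\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Results for " + CANARY + "</body></html>"
)
ENCODED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Results for " + html.escape(CANARY, quote=True) + "</body></html>"
)
NO_REFLECT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>No results.</body></html>"
)


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_reflection(raw: str, canary: str = CANARY) -> dict:
    """Decide whether the canary is reflected verbatim, reflected encoded, or absent,
    and collect header hints about which component actually produced the response."""
    _, headers, body = parse_response(raw)
    if canary in body:
        verdict = "reflected-unencoded"      # confirms the scanner's finding (HTML text context)
    elif html.escape(canary, quote=True) in body:
        verdict = "reflected-encoded"        # input echoed, but safely escaped
    else:
        verdict = "not-reflected"            # nothing to confirm
    # Server/Via are the standard headers that reveal an origin server or an
    # intermediary (proxy, cache, load balancer) sitting in front of it.
    origin_hints = [headers[h] for h in ("server", "via") if h in headers]
    return {"verdict": verdict, "origin_hints": origin_hints}


if __name__ == "__main__":
    for name, resp in [("raw", RAW_RESPONSE), ("encoded", ENCODED_RESPONSE), ("none", NO_REFLECT_RESPONSE)]:
        print(name, classify_reflection(resp))
```

The verdicts only cover reflection into HTML text; a value echoed inside a script block or an attribute needs its own context-specific check, and an `encoded` result there does not settle the question. The `origin_hints` list is the part that matters for the pushback scenario: a `Via` header or an unexpected `Server` value is the first sign that the host you scanned is not the host that rendered the page, which is exactly what a proxy capture should then confirm.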
I got pushback on the finding because, supposedly, the vulnerable page did not exist on the server in question. But it did! At least it appeared that way from the outside. I loaded up a proxy to confirm which