The Value of Web Exploitation

Is the exploitation of web vulnerabilities worth the trouble? Does it create unnecessary risks that should be avoided? Why exploit flaws anyway? This is not a black and white circumstance. Every situation is unique. But here’s what I know. The exploitation of web security flaws such as Cross-Site Scripting, SQL injection and Cross-Site request forgery is arguably the most valuable part of my assessments. Web exploitation can provide actual data, screenshots and other evidence which are great for getting management, developer and user buy-in on the issues. Otherwise, you may simply be running scans and making dangerous assumptions about what can or cannot be taken advantage of.
In many situations, all it takes is exploiting one missing web server patch, one SQL injection flaw or cracking a set of web passwords to show that problems exist in the respective areas. You may not need to exploit every flaw on every system to demonstrate what’s weak and what can happen. For certain projects, exploiting every single flaw on every single page could take too long and cost too much.
You have to ask yourself what’s really needed? What’s the ultimate goal of your security assessment? Is it to find some basic issues (continue reading...)