Open ThunderSon opened 4 years ago
I'd be good with that, any reference source seems fine/logical to me.
I could see some value to giving some references to examples of the issue, but I think it'd need to be carefully curated. The examples would have to be well written (both in terms of technical content and style), and should be relatively straightforward examples of the issues. While it's interesting to link to really obscure or clever vulnerabilities, it's probably not very useful for most readers. A straightforward but well written example of SQL injection is much more useful than a really clever blind SQLi through a field in an Excel spreadsheet, for example.
I think it would also be good to expand it past just bug bounty reports - there are lots of really good technical writeups of vulnerabilities that are not reported on those sites. However, you'd need to make sure that people don't just use it as a way to try and show off their posts or push traffic to their sites.
I'm not sure what you'd call the section. "Vulnerability Examples"? "Example Vulnerability Writeups"?
Edit: it might also be worth reviewing the interactions between the reporters and staff as well. For example, asking "why i got low bounty for this report ?" doesn't set a great example of how to disclose things...
I will provide more input on this in the coming days, hopefully with an action plan.
So 3 main things to handle:
"Vulnerability Writeups" works (since a lot of these may not be formal reports), although the term doesn't show that these are real-world examples to someone reading the guide for the first time.
@victoriadrake What do you think about this?
Thanks for the tag @ThunderSon!
By taking on the curation of write-ups, we should be aware that we'll be spending as much time reviewing them for quality and accuracy as we might spend on WSTG contributions. We also can't control the external content if it is later changed or updated.
I would suggest we take on a “push” approach rather than a “pull” approach to this. If we happen to come across stellar examples of reports, we can link them; but we should not seek out less-than-stellar reports for the purpose of filling this section on every page. I think that would cheapen the effort.
To agree with and codify what @rbsec stated, I would suggest that we accept reports or articles if they are:
As to the title, I suggest “Real-World Examples” as a term that a reader would scan the page for if they were looking for what we’re suggesting.
Phrases like “Vulnerability Writeups” are familiar to bug bounty hunters but less so to business leaders, while @patrickceg is correct that “case study” can indicate quite a different animal from your typical infosec report.
I think another criterion can be:
A tester or test team lead who finds the WSTG is going to want to know how they can explain (to the boss) spending resources to build and maintain the test.
@patrickceg I’d list that as a nice-to-have rather than required. While they’re important considerations, I don’t know that business impact is in scope for the WSTG.
Will WSTG have any other way to let someone know which test to start with or to make high priority? (example: Issue #171)
IMHO prioritization will depend on tasks outside the Testing Guide, such as: Threat Modelling or Risk Assessment.
Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.
Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.
What would you like to happen? What do you think about adding to every test scenario possible bug bounty reports that are relevant and provide value? One example would be for file upload XSS, since we are updating it: https://hackerone.com/reports/880099
CC: @rbsec @kingthorin