Okay, first off, it so happens that I was given a penetration test which had been rejected by my more junior vulnerability researchers (basically coming from the bug bounty family). As part of my job role, I act as the team lead, and anything that isn't intruded by the junior members of the organization is forwarded to me for a 'look-up' and to intrude into the application.
Initially, I happened to enumerate deep into the application, publicly picked up some usernames left over on Pastebin, and tried their last names as part of the password. This particular engagement gave me access to its central system, and I had everything from changing names, emails, roles and privileges to accessing private customer data such as licenses, passports, etc.
For me, as red team lead, I guess any intrusion via any method would be a valid attempt for a successful penetration test. I am only confused about how this whole thing should be presented to the client, since there were originally no vulnerabilities but violations of policies (password policies, username creation policies, the policy on employees making their code public on Pastebin, etc.). I need a technical name to present this issue in front of the client to get it escalated as soon as possible, since in common terms clients look for vulnerabilities, and yet without using any vectors I penetrated their system.
What are your thoughts on this? I look forward to the community helping me get going with this. I appreciate your time and values for the same. Thank you.