[ OWASP - Montreal ] Calculate or decide the risk of a vulnerability

Philippe Gamache philippe at gamache.com
Thu Dec 4 14:29:08 EST 2008


Benoit Guerette wrote:
> Using Nessus, you know exactly the CVSS value of a vulnerability.
>
> But when you find something without a tool showing the CVSS, how do
> you calculate or decide the level it is?
>
> Example: "Information Leakage and Improper Error Handling" from OWASP
> Top Ten, will you report High, medium or low?
>
>   
This is one of the tricky ones...  I would say: it depends on the
information displayed.  Example: if you can see the config file directory,
and you have other problems, like random file inclusion, it will be a
High... If it only gives the name of the file, it might be Low, but
usually you might have the same type of error elsewhere, so you need to
look around (maybe a code audit) to decide.
