[OWASP-TESTING] OWASP WAPT submission

Javier Fernandez-Sanguino jfernandez at germinus.com
Fri Aug 12 03:47:25 EDT 2005


Curphey, Mark wrote:
> If it doesn't have a vulnerability why is it a security issue ? If it
> reveals information then that's a vulnerability.  

Actually that last statement is not always true. It actually depends 
on the company's security policy. In CVE terminology, 
information-disclosing stuff is considered "exposures", see 
http://cve.mitre.org/about/terminology.html

In any case, it seems we agree on this issue. If there's some value to 
what you find through unreferenced files you should note it. Notice, 
however, that the value of the information revealed might not be 
associated with the application service itself but might have an impact on 
other services unrelated to it. That's what I wanted to stress.

Regards

Javier



