[OWASP-TESTING] OWASP WAPT submission
jfernandez at germinus.com
Fri Aug 12 03:47:25 EDT 2005
Curphey, Mark wrote:
> If it doesn't have a vulnerability, why is it a security issue? If it
> reveals information then that's a vulnerability.
Actually that last statement is not always true. It actually depends
on the company's security policy. In CVE terminology,
information-disclosing stuff is considered "exposures", see
In any case, it seems we agree on this issue. If there's some value to
what you find through unreferenced files you should note it. Notice,
however, that the value of the information revealed might not be
associated with the application service itself but might have an impact on
other services unrelated to it. That's what I wanted to stress.