I once worked on a project where an injection vulnerability was uncovered on a web application that allowed an attacker to create special HTTP requests that can enumerate directories and see the contents of most files on the system. Everything from autoexec.bat to digital certificate files were there for the taking. Interestingly, one person on the team did not see it as a problem. Perhaps it was in defense of his environment or perhaps it was just a general misunderstanding. Either way, file contents were not enough to “prove” this vulnerability.
Granted, the Windows SAM file and its backup were not accessible which was to be expected. Yet every other file on the host – from binary to text – was there for the reading, and taking. But that wasn’t enough. The debate was probably a weakness borne early on in the scoping of the project. Yet, still, taking such a finding several steps further (i.e. posting the files online, spoofing digital certificates, etc.) just to show what else could be done didn’t seem to make sense. That’s a common problem with penetration testing. If there’s no defined end point, then how far do you go? Time and budgets are finite so it doesn’t make sense to keep going for the sake of appeasing one or two people who might see things differently.
I’m probably just looking into the bigger picture too much. I don’t just don’t care to get off into the weeds when diminishing returns are obvious. Too many people thrive out there, though, hence many of the challenges we still face with security.
Taking such a finding and playing it down is sort of like having the following conversation with your oncologist: "Doctor, you're telling me I have a cancerous tumor in my chest. You say it was discovered in the MRI and it could have serious consequences if left untreated. Well, I ask, upon what specific information is it concluded that the surrounding organs are susceptible to this cancer metastasizing?" Sure, vulnerabilities are subjective and there’s always room for interpretation but this one was a bit odd.
I’m all about demonstrating the real business risks and backing it up with sound information and common sense. It was never said out loud, but remained clear, that one of the underlying motivations was to dismiss this finding altogether. Have you ever experienced this? It happens and you need to be prepared to address it. Be it a peer in IT, a high-level executive, or someone in between, there will be people who don’t approve of findings in your security assessments. You can either stick to your guns, stand corrected if it’s a false positive or otherwise shown to not be a problem, or shrug it off and pretend it never happened. I don’t recommend the latter.