Comments (4)

plr0man commented on May 31, 2024

Hi Sasi,

Thank you for your input. Clickjacking is addressed in the VRT in multiple entries. If, for example, a bug bounty report simply pointed out the lack of X-Frame-Options headers, that would be a P5 - accepted risk:
Server Security Misconfiguration -> Lack of Security Headers -> X-Frame-Options (P5)

If, on the other hand, it was noted that clickjacking is possible on a sensitive action, that would be addressed by a different P4 entry:
Server Security Misconfiguration -> Clickjacking -> Sensitive Action (P4)

The VRT's default priorities may be adjusted on a case-by-case basis. You are mentioning chaining vulnerabilities. We definitely like to see those and upgrade the priority to reflect the increased impact.

Hope this helps!

from vulnerability-rating-taxonomy.
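The distinction drawn above (missing anti-framing headers on their own versus clickjacking that reaches a sensitive action) is easy to get wrong when triaging, because a page can carry an X-Frame-Options header and still be frameable, or carry none and still be protected by a Content-Security-Policy frame-ancestors directive. The following is an added example, not code from the vulnerability-rating-taxonomy project: it decides from a response's headers whether cross-origin framing is actually blocked, applying the rule that frame-ancestors takes precedence over X-Frame-Options when both are present and that the deprecated ALLOW-FROM value gives no protection in current browsers, and then names the default VRT entry quoted in the comment. The header dictionaries used as input are constructed samples, and the function names are this example's own.

```python
"""Framing-protection check mapped to the VRT entries quoted in the thread.

Added example; not part of the vulnerability-rating-taxonomy project.
"""
from typing import Dict, List, Optional

P5_ENTRY = "Server Security Misconfiguration -> Lack of Security Headers -> X-Frame-Options (P5)"
P4_ENTRY = "Server Security Misconfiguration -> Clickjacking -> Sensitive Action (P4)"


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    Quotes around keyword sources ('none', 'self') are stripped and the result
    is lower-cased so callers can compare without worrying about case.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_blocked(headers: Dict[str, str]) -> bool:
    """True when the response forbids framing by other origins.

    Precedence follows the CSP specification: if frame-ancestors is present it
    decides and X-Frame-Options is ignored. An empty or 'none'/'self'-only
    source list blocks cross-origin framing; any other source permits it.
    Without CSP, only DENY or SAMEORIGIN block; ALLOW-FROM is treated as
    unprotected because current browsers ignore it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        return all(src in ("none", "self") for src in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


def vrt_default(headers: Dict[str, str], sensitive_action: bool) -> str:
    """Name the default VRT entry for a frameable page, per the comment above."""
    if framing_blocked(headers):
        return "Not applicable: framing is blocked"
    return P4_ENTRY if sensitive_action else P5_ENTRY


def hardened_headers() -> Dict[str, str]:
    """Headers that block framing in both CSP-aware and legacy browsers."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


if __name__ == "__main__":
    # Constructed sample responses for a page whose form deletes the account.
    samples = {
        "no headers": {},
        "legacy allow-from": {"X-Frame-Options": "ALLOW-FROM https://a.example"},
        "csp partner allowed": {
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"
        },
        "hardened": hardened_headers(),
    }
    for name, hdrs in samples.items():
        print(f"{name:22} blocked={framing_blocked(hdrs)!s:5} -> {vrt_default(hdrs, sensitive_action=True)}")
```

The partner-allowlist case is the one worth noting: frame-ancestors 'self' https://partner.example is a deliberate configuration, yet the page is frameable from that origin, so a report about it is a context question for the program rather than an automatic P5 or P4.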

thefishermanhacker commented on May 31, 2024

P4 isn't enough for sensitive action, cuz if an attacker can delete an account via clickjacking I think it should go up from P4.
The reporter MUST show a critical case that he/she is able to do things; XSS and deleting an account are only a few critical issues and should be higher than P4.


plr0man commented on May 31, 2024

This paragraph from Bugcrowd's Vulnerability Rating Taxonomy PDF document (get it here) should provide more insight into how vulnerabilities are rated:

"Priority is a Baseline
The recommended priority, from Priority 1 (P1) to Priority 5 (P5), is a baseline. That having been said, while this baseline priority might apply without context, it’s possible that application complexity, bounty brief restrictions, or unusual impact could result in a different rating. As a customer, it’s important to weigh the VRT alongside your internal application security ratings.

For bug hunters, if you think a bug's impact warrants reporting despite the VRT's guidelines, or that the customer has misunderstood the threat scenario, we encourage you to submit the issue regardless and use the Bugcrowd Crowdcontrol commenting system to clearly communicate your reasoning."


ryancblack commented on May 31, 2024

@thefishermanhacker - Thanks again for your feedback! @plr0man's comments are spot on. There are many situations where we may upgrade the recommended priority based on context; however, the default priority for Clickjacking is variant dependent.

Similarly, IDOR is entirely context dependent.

I will close this issue but do let us know if you have any follow-up questions after reviewing some of our classification rationale in the VRT PDF.
