
Suppose that we have a web page. This page could be vulnerable to any attack, such as SQLi. By looking at the HTML code of the page, we can find some input elements that could be used by attackers to exploit vulnerabilities.

So we can guess that pages which have more input elements (for example) might be more vulnerable. I mean these pages might be riskier. So I want to conclude that these pages are more important for security scanners, and testing these pages may result in finding more vulnerabilities.

So one of the factors for deciding that a web page is more important (in a security sense) than another page is the number of input elements in the page. Another factor may be the number of parameters we could pass to the page via the URL.

What are the other factors that make a page important (i.e. make it risky)? How could I find out whether a web page (including HTML, JavaScript, CSS, etc.) is vulnerable or not? (Note that I can't exploit any vulnerability, and I have to decide without exploiting any vulnerability.)

Jeroen
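The ranking heuristic proposed in the question (count the input elements on a page and the parameters in its URL, then sort pages by that total), written out as an added example. This is not code from the original post or from any scanner; the page contents are constructed inline, and the decision to skip submit/reset/button inputs (their value is fixed markup rather than attacker-chosen data) is an assumption layered on top of the question's idea.

```python
"""Added example: rank pages by the attack-surface heuristic from the question.

score = number of user-controllable HTML input elements
        + number of distinct URL query parameters
The sample pages at the bottom are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Elements whose values are sent to the server by the browser.
INPUT_TAGS = {"input", "textarea", "select"}
# Assumption: these input types carry no attacker-controlled value, so they
# are not counted. Everything else (text, password, hidden, file, ...) is.
NON_DATA_INPUT_TYPES = {"submit", "reset", "button", "image"}


class InputCounter(HTMLParser):
    """Count input elements and forms while streaming through the HTML."""

    def __init__(self):
        super().__init__()
        self.inputs = 0
        self.forms = 0

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names and hands attrs as (name, value)
        # pairs; self-closing <input .../> tags also reach this method.
        attr = dict(attrs)
        if tag == "form":
            self.forms += 1
        elif tag in INPUT_TAGS:
            input_type = (attr.get("type") or "text").lower()
            if tag == "input" and input_type in NON_DATA_INPUT_TYPES:
                return
            self.inputs += 1


def count_inputs(html):
    """Return (input_count, form_count) for one HTML document."""
    parser = InputCounter()
    parser.feed(html)
    parser.close()
    return parser.inputs, parser.forms


def count_url_params(url):
    """Number of distinct query-string parameter names; blank values count too."""
    return len(parse_qs(urlsplit(url).query, keep_blank_values=True))


def score_page(url, html):
    """Build the per-page score record used for ranking."""
    inputs, forms = count_inputs(html)
    params = count_url_params(url)
    return {"url": url, "inputs": inputs, "forms": forms,
            "url_params": params, "score": inputs + params}


def rank_pages(pages):
    """pages: dict of url -> html. Returns score records, highest score first."""
    scored = [score_page(url, html) for url, html in pages.items()]
    return sorted(scored, key=lambda s: (-s["score"], s["url"]))


# Constructed sample pages (example.test is a reserved, non-routable name).
SAMPLE_PAGES = {
    "https://example.test/about": "<html><body><p>About us</p></body></html>",
    "https://example.test/search?q=&page=1":
        '<form action="/search"><input type="text" name="q">'
        '<input type="submit" value="Go"></form>',
    "https://example.test/login":
        '<form method="post"><input name="user">'
        '<input type="password" name="pw">'
        '<select name="realm"><option>corp</option></select>'
        '<textarea name="note"></textarea>'
        '<input type="submit" value="Sign in"></form>',
}

if __name__ == "__main__":
    for entry in rank_pages(SAMPLE_PAGES):
        print(f'{entry["score"]:>3}  {entry["url"]}  '
              f'(inputs={entry["inputs"]}, forms={entry["forms"]}, '
              f'params={entry["url_params"]})')
```

Running it ranks the login page (four data-carrying inputs) above the search page (one input plus two URL parameters) and the static about page last. The score is nothing more than the question's proposed count, so it says how many places attacker data enters, not how dangerous any one of them is.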


The short answer is that I don't believe you can. One input field on one page may be far more important than 100 on another, for example. The issue is that you cannot assess risk without access to more information. Risk is calculated as the ease and likelihood of a vulnerability being exploited multiplied by the damage that would be inflicted by its exploitation. You can't know this, or accurately guess this, without knowing more, which might mean an internal code/architecture review or full testing.

That's why the saying we hear so often is so important: "the attacker has to be lucky only once; you (the owner) have to be lucky all the time". So there may be one very small and innocent-looking issue that, once exploited, gives the attacker the keys to the castle.

It's also why all of the promoted pen tests/audit processes never include the advice "have a quick look and guess at what might be vulnerable and try that first"...

I'd advise against setting focus by guessing; you won't be 'lucky' much of the time.

David Scholefield
  • Thanks a lot. But this is the scenario I've encountered: suppose that we have two pages in our web application, and we could only test one page to find vulnerabilities (lack of time, for instance). Isn't it wise to test (pen test) the page that we ONLY GUESS might be riskier? – Muhamad Jafarnejad Sep 18 '15 at 14:04
  • @user1422847 - a hacker doesn't have such a limit. – Deer Hunter Sep 18 '15 at 20:59
  • Some testing is better than none, but I don't believe in the general case it's easy to select which one. Maybe in some cases, if you're a testing expert, then it might, but not generally. The scenario smells of hypothetical - if it's real then you're probably not going to reduce your risk much (unless you're lucky) and someone is misunderstanding risk in a big way. – David Scholefield Sep 19 '15 at 07:23