[Dailydave] Amusement

Dave Aitel dave.aitel at gmail.com
Thu Oct 24 16:32:54 UTC 2019


So one of the hardest jobs as a penetration testing firm is when a new
bugclass starts getting popular, for whatever reason, and you have to find a
way to explain to your clients that not only do they have to adjust their
defenses, but the defenses they put in place for the last bugclass may, in
fact, be counterproductive.

This is the story of HTTP Desync, which I find hilarious. We're still
struggling to explain it really, and right now it's hard to show what the
impact is to clients. You mark it as High, they mark it as Low, and without
a lot more work you're not going to have a ton of ability to argue the
point.

Likewise, fixing it requires...a ton of effort. I'm not even sure what to
suggest. No doubt your client is just going to ignore it until someone big
gets owned and then they're going to be annoyed at you for not pushing your
point harder.

But regardless, we find it on EVERY SINGLE ENGAGEMENT now, and I'm enjoying
the ramp up everyone is going through. :)

-dave