2019-11-23, 13:00–13:40, Grammarly
What do pentesters look for, and what do customers wish to receive in their reports?
Examples of easy account compromise.
What do pentesters look for during the rest of the project time?
Classic OWASP checklist.
What are pentesters tired of reporting but still have to?
What do we expect? A total compromise.
• Account Takeover
• Logic Bypass
• Remote Code Execution
• Easy Exploitation
What do we get? OWASP daily work.
• XSS
• CSRF
• Session Fixation
• IDOR
• Information Disclosure
• Unlimited Email Spam
• ARP poisoning
• Mountable NFS volumes
What are we bored of in the reports?
• Versions
• Ciphers
• Headers
• Checklists
• False Positives
• Automatic Reports
How to get an empty pentest report?