1. 25

  2. 9

    $400 one sounds decent - at these prices I’m surprised you’d get anything BUT running automated tools. Not thrilled by the misrepresentation in some reports, though. I’m curious about the parameters of the contract since the best one also was unable to produce a report - might have led others to prioritize a report and therefore spend less time looking at it manually (maybe they would have done better with no report?).

    As far as “many people using them and reviewing them highly”, a lot of people see this stuff as annoying work they’re forced to do for compliance. So if a contractor gives them something reasonably professional looking in a report with no friction, that’s a job well done. Actually finding things is secondary (though finding nothing might be unsatisfactory).

    As far as whether they correctly identified the vulnerability… the header one is very clear, but the hard coded password was quite obfuscated to look like a SQL injection. Have a hard time faulting a report that got that wrong - the correct area was identified and the ultimate problem would be borne out of further investigation to mitigate it.

    1. 8

      So if a contractor gives them something reasonably professional looking in a report with no friction, that’s a job well done. Actually finding things is secondary (though finding nothing might be unsatisfactory).

      You’ve hit the nail on the head. This is the kind of customer they’re going to have. Ones that are asked, “Have you had a pentest?” instead of “Can we see your last pentest report?”

    2. 3

      I wonder what was used to visualize the SQL statements in there, that’s pretty sweet!

      Edit: Thinking about it further, I’ve never written a malicious application for a tester to run. I have done the following during CTFs and such though:

      • wrote a middleware for Flask that exploited the API Shutdown function in ZAP
      • given teams vulnerable routers and then exploited them one by one
      • hosted back doors & other unknown vulns in applications that I could exploit as part of either a white or black team
      • run while true; do killall -9 $server; sleep 3; done on the host via various mechanisms
      • written a programming language and then inserted a backdoor/bug/key into its prelude

      1. 2

        What would be interesting to find is how many of those 1000+ reports would look the same.

        1. 1

          Might as well automate these frameworks and make SaaS of it, giving you automated reports for a buck..