Page 217 - Hands-On Bug Hunting for Penetration Testers
Going Further Chapter 13
Data Exfiltration
Data exfiltration is the unauthorized transfer or copying of data off an application or
network. It could be anything from payment information to sensitive intellectual property,
and succinctly describes a particular type of information theft.
Data Sanitation
Sanitizing data involves stripping data of any special characters or reserved words that
could cause the unexpected and unwanted execution of user input as code. The practice is a
core component of preventing injection-related attacks, including XSS, SQLi, NoSQLi, and
other varieties.
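The contrast the entry draws, between blacklist-style stripping and the approach that actually prevents injection (encoding output for its context and keeping data separate from code), is easier to see in running code. The following is an added example, not code from the book: it shows a lossy strip-style sanitizer, HTML output encoding for an XSS-style input, and a parameterized SQL query beside the string-concatenated form it replaces. The sample inputs and the in-memory SQLite table are constructed for this example.

```python
import html
import sqlite3

# Constructed sample inputs (not from the book): a display name carrying an
# HTML/script fragment, and a login value carrying a SQL tautology.
SAMPLE_XSS_INPUT = "<script>alert(1)</script>"
SAMPLE_SQLI_INPUT = "' OR '1'='1"


def sanitize_strip(value: str, disallowed: str = "<>\"'&;") -> str:
    """Blacklist-style sanitizer: drop reserved characters outright.

    Included for contrast only. It destroys legitimate input (an O'Brien
    loses the apostrophe) and protects just one output context, so the
    encoding functions below are the form to prefer.
    """
    return "".join(ch for ch in value if ch not in disallowed)


def encode_for_html(value: str) -> str:
    """Output-encode untrusted text for an HTML text node or attribute.

    quote=True also escapes single and double quotes so the result is
    safe inside a quoted attribute value, not only between tags.
    """
    return html.escape(value, quote=True)


def render_greeting(username: str) -> str:
    """Build a fragment of HTML with the untrusted value encoded."""
    return f"<p>Welcome, {encode_for_html(username)}</p>"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two rows (ids 1 and 2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver passes the value separately from
    the SQL text, so quotes in the input never become SQL syntax."""
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return [row[0] for row in cur.fetchall()]


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """String-concatenated query, the injectable form shown for contrast.
    With SAMPLE_SQLI_INPUT the WHERE clause becomes a tautology and every
    row comes back."""
    cur = conn.execute(f"SELECT id FROM users WHERE name = '{username}'")
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    print(sanitize_strip(SAMPLE_XSS_INPUT))
    print(render_greeting(SAMPLE_XSS_INPUT))
    db = make_db()
    print("parameterized:", find_user(db, SAMPLE_SQLI_INPUT))
    print("concatenated: ", find_user_unsafe(db, SAMPLE_SQLI_INPUT))
```

The parameterized lookup returns no rows for the tautology input because the whole string is compared as a name, while the concatenated version returns both users; that difference, not the removal of characters, is what "sanitizing" has to achieve.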
Data Leakage
Data leakage, unlike data exfiltration, implies that improperly configured services or other
systems are exposing sensitive data by accident. This meaning comes more from the
shading of the term than any formal definition, but provides a useful descriptor when the
vulnerability in question is something like an unsecured logging server that's open to the
public internet, and displays authentication credentials in the logs by accident. In that
scenario, no one has hacked into the application, or compromised the network or database,
but someone has made the mistake of leaving that resource open, and that data could
provide the basis for another wave of attacks.
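The logging-server scenario above is usually a two-part failure: the server is reachable when it should not be, and the application wrote credentials into the log in the first place. The second part is the one application code can fix directly. The following is an added example, not code from the book: a logging filter that masks password, bearer-token and API-key values before a record reaches any handler, exercised on a few constructed log lines. The regular expressions, field names and sample lines are assumptions made for this example.

```python
import io
import logging
import re

# Constructed patterns for secrets that commonly end up in application logs.
# Each one names the value to mask as the "secret" group.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(?P<secret>\S+)"),
    re.compile(r"(?i)authorization:\s*bearer\s+(?P<secret>\S+)"),
    re.compile(r"(?i)\bapi[_-]?key\s*[=:]\s*(?P<secret>\S+)"),
]

# Constructed sample log lines (not from the book).
SAMPLE_LOG_LINES = [
    "POST /login user=alice password=hunter2 status=200",
    "outbound request headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.example",
    "GET /health status=200",
]


def redact(text: str) -> str:
    """Replace only the secret value in each match, keeping the field name
    so the redacted line still tells an analyst what was there."""
    for pattern in SECRET_PATTERNS:
        def mask(m: re.Match) -> str:
            start, end = m.span("secret")
            whole = m.group(0)
            offset = m.start()
            return whole[: start - offset] + "[REDACTED]" + whole[end - offset:]
        text = pattern.sub(mask, text)
    return text


class RedactingFilter(logging.Filter):
    """Handler-level filter: render the message, scrub it, and clear args
    so the formatter cannot re-interpolate the unredacted values."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def capture_logs(lines: list) -> str:
    """Log each line through a redacting handler and return the output."""
    logger = logging.getLogger("example.redacted")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    # Arguments are redacted too, because the filter renders the message first.
    logger.info("api_key=%s issued to %s", "AKIA-constructed-example", "bob")
    handler.flush()
    return buffer.getvalue()


if __name__ == "__main__":
    print(capture_logs(SAMPLE_LOG_LINES), end="")
```

Attaching the filter to the handler rather than the logger matters: logger-level filters do not apply to records that propagate up from child loggers, while every record that a handler emits passes through the handler's filters. Redaction of this kind is a backstop, not a substitute for keeping the log server off the public internet.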
Exploit
An exploit is the malicious code that powers an attack on an application or its users,
leveraging the flaw presented by a vulnerability to take advantage of weak/broken
authentication, poor privilege management, insufficient data control, or other vectors to
make mischief. Software billing itself as an exploit framework, such as Metasploit (which
we discuss in our chapter, Other Tools), is designed to help write malicious exploit code.
Because our focus in this work is on discovering vulnerabilities rather than exploiting them,
exploits come up most frequently within the context of writing a credible, generally scary
attack scenario for your submission report.