Page 219 - Hands-On Bug Hunting for Penetration Testers
Going Further Chapter 13
Passive Versus Active Scanning
Passive scans analyze data flow within web applications. They are much less noisy, having
little or no effect on the logs and associated metrics that provide an app's maintainers with
information. By contrast, active scanning involves sending data into the application and
then analyzing the response. Active scanning is often prohibited, because of the damage it
can do to a network and the ways it can degrade application performance.
Payload
In general software development, a payload is essentially the message of an action: the
semantic content an action carries beyond its metadata, headers, and other system
information. In a cybersecurity context, a payload is similarly the weaponized, malicious
code snippet supplied as an input value that escapes sanitization measures and actually
executes the attack.
Proof-of-Concept (PoC)
A PoC of a vulnerability is a code snippet or series of instructions for proving the security
issue in question exists. A PoC should be as simple as possible to show the minimum
conditions necessary for triggering an exploit. We discuss PoCs within the context of CSRF
in the chapter CSRF and Insecure Session Authentication.
Rules of Engagement (RoE)
The RoE for a bug bounty program (also known as its disclosure guidelines or code of
conduct) describes the most valuable vulnerabilities the company would like tested for,
allowed/prohibited testing methodologies and tools, research scope, and out-of-bounds
vulnerabilities. The RoE is the most important reference document you start any pentesting
engagement with, since it shapes the rest of your investigation.
Red Team
A company's red team is the internal security team responsible for mimicking the attacks
and behavior of outside actors, probing the defenses of the company's network and
exposing weaknesses through repeated offensive analysis and attempted intrusion.