-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
read-only IDOR P3 requires differentiation #403
Comments
Hi @foobar7 I understand that IDOR can be broken down in many categories. What we've tried with these categories is to cover as much as possible. In this case, don't you think this category can cover it? This category does not specify how the sensitive information is being leaked, meaning, it could be IDOR or whatever. Let me know what your thoughts are. |
Hi @TimmyBugcrowd,
I think in some aspects, that works well (eg I like that UUID IDORs are now standardized). But here it imho doesn't work.
For me, there are two issues:
Point 2. could be resolved by 1) assigning the category I prefer myself when opening the report and 2) educating triage. But I'd still be worried about mistakes and inconsistencies. The more important issue is 1. An example would eg be an online forum or chat. Even if no PII leaks, all messages of all users leaking would at least be P2 in my eyes. P3 would definitely be too low. Another example would eg be the leakage of all reports on bugcrowd. P3 would just not be appropriate. And those aren't isolated examples, it's the case for a lot of data (probably most cross-tenant IDORs). At the very least, I would separate this into:
I think it makes sense to differentiate by cross/same tenant and sensitivity of the data. I'm not quite sure about combining them into one, though having 4 different categories might be overkill. Maybe something like this could also work:
Or maybe it's best to just stay with Best, |
I just want to echo @foobar7's concerns. A blanket P3 severity does not work for Preferably, the researcher should be able to set the severity when selecting I also agree that |
With the new update, VRT considers all read-only IDORs P3.
But that's a really broad category of issues. It might be a same-tenant IDOR with semi-sensitive info, in which case P3 is a good fit.
It might also be a cross-tenant IDOR with access to highly sensitive info. Assuming open registration, that's CVSS High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, so imho P3 is too low.
You could add a differentiation regarding same or cross tenant (P3 vs P2 or even P1), but that's still painting with a large brush. This might be a case for
Varies
, where the impact really depends on the data that is leaked.The text was updated successfully, but these errors were encountered: