What’s the worst that can happen?
I get this question from time to time when reporting a vulnerability. To be honest, the first couple of times I was asked it, my mind would go to a very dark place with some absurdity. I can remember replying to one person, “You could lose your job, wife, and custody of your kids, and we all die in a nuclear holocaust.” Since then, I’ve grown up a little bit, though I still need to understand cause and effect and think a couple of moves ahead, without all the doom and gloom.
No, no. I’m not thinking of the typical bug bounty reporter BS “This self XSS is a privesc RCE — pay me” type of reporting. When I look for vulnerabilities in an application or system, it is with a particular slant — “What are the worst things that could happen to this company, and does this software expose those threats?” Or, if it’s a piece of software or service that promises X, Y, Z, I aim to bypass those assertions. This kind of thinking can shape how you approach software testing. Not all bugs are created equal. Some people laugh off DoS bugs. To others, 24/7 uptime is a core component of their business model; disrupt that and there is no — business.
So, do yourself a favor. Frame your tests in a manner that aims to discover the worst impact to a business. While popping shells is exciting and getting domain admin proves a point, what could you do without RCE and DA? Find those vulnerabilities and earn your pay.