0x03 - Maximizing Vulns Impact

It sucks when less skilled hackers get paid more than you just because they use fancier words.

Hacking and communication are two different skills.

Here are three ways to easily boost the impact of your vulnerabilities:

  1. Relate to the business - understand the worst that could happen to that application. Is it PII leakage? Is it brand damage? Is it crashing the server during Black Friday sales? Write these scenarios down and frame your findings around them.

    • It’s not just “IDOR”. It’s “Leaking personal information through a public endpoint”.

    • It’s not just “Content Spoofing”. It’s “Displaying competitors’ ads on your application”.

    • It’s not just “Denial of Service”. It’s “Blocking users’ access to the payment provider”.

  2. Aim for the worst - oftentimes I see pentesters who don’t exploit their vulnerabilities to the max. They report “HTML Injection” instead of escalating it to XSS, phishing emails or SSRF. An HTML Injection will be rated Informational/Low risk. An XSS, Phishing or SSRF attack is almost always Medium or even High risk based on the outcome. Be creative and exploit the vulnerability to its maximum potential.

  3. Chain ‘em all - avoid reporting individual vulnerabilities. Unless you are really lucky, a single vulnerability rarely amounts to a critical finding on its own. Find as many basic vulnerabilities as possible and list them all. Chain them together to elevate your impact. One medium/high-risk finding has more value than 3-5 low-risk ones.