web application security lab

Death By 1000 Cuts - Web Application Security Case Study

A month or so ago I was contracted to do a black box security assessment for a company. I was pretty crippled in the type of assessment I was allowed to do - no network scans, no DoS, no OS/router/switch/firewall hacking, etc… The company just wanted a straight black box web application security assessment. I began to find many security issues, but almost all of them were either low or medium severity. Finally the issues began to compound into a very serious opportunity to compromise the website.

This prompted me to write a case study that I called Death by 1000 Cuts, about how a series of security flaws that are normally considered minor (information disclosure issues) to medium level (things like XSS) turned into a nasty issue that allowed me to gain a level of access that absolutely should not have been allowed.

Long term I’ll probably turn this into a talk, adding a lot of other elements about how this could go much further given the other issues found upon further review, including intranet scanning. But for now I thought I’d share it so everyone can see how it occurred. This is a good lesson to companies who balk at lower level security issues, and it could prove to be a useful tool to help them recognize why they must close as many security issues as possible, no matter how small.

8 Responses to “Death By 1000 Cuts - Web Application Security Case Study”

  1. Luny Says:

    Nice write-up. Hopefully small-time companies or those who don’t take low-level sec issues seriously will think differently now.
    It’s also nice to use as a companion as to what someone can do when testing for a company, such as you did.

  2. RSnake Says:

    Thanks, Luny, I appreciate it!

  3. Kyran Says:

    This is excellent! This is a good case-study proving what we have known/thought we knew all along. Social Engineering and a handful of tiny overlooked exploits can go a LONG way. It seems in web app sec, any security issue, is a huge issue.

  4. Christian Matthies Says:

    Great article rsnake. This makes the difference between a two-month-self-claimed security professional and one who actually is. (Well, okay what you did wasn’t that difficult but I think everyone knows what I mean in this case.)

    Strangely a lot of people aren’t aware of the fact that all kinds of attack start with collecting useful information and they don’t even know what can be useful for an attacker. This is what your article pointed out, perfectly well.

  5. inc - (v-wall staff) Says:

    At a glance it looks like a nice read, think I will print it off and read it over Sunday dinner. Like the title “Death by 1000 Cuts”; I’m sure a chapter in “Stealing the Network: How to Own an Identity” is called by the same name.

  6. dusoft Says:

    Thank you, RSnake. Now other users will be able to do basic security testing copied from you.

  7. RSnake Says:

    Thank you all, I appreciate the comments. I just really felt like the little issues weren’t getting any center stage, but they turned out to be one of the nastiest things in the final analysis of the vulnerabilities I did find. There were other bad issues, like I could purchase anything I wanted as long as I used a test credit card number ( http://ha.ckers.org/blog/20060605/vulnerable-credit-card-applications/ ), but those were the more obvious issues, and anyone can see why those are bad. It’s the little ones that are too often overlooked.

  8. Bastion » Unconventional Warfare Says:

    […] Consider this blog post. Be sure to read the case study. […]