A month or so ago I was contracted to do a black box security assessment for a company. I was pretty crippled in the type of assessment I was allowed to do: no network scans, no DoS, no OS/router/switch/firewall hacking, etc. The company just wanted a straight black box web application security assessment. I began to find many security issues, but almost all of them were either low or medium severity. Finally the issues began to compound into a very serious opportunity to compromise the website.
This prompted me to write a case study, which I called Death by 1000 Cuts, of how a series of security flaws normally considered minor (information disclosure issues) to medium severity (things like XSS) turned into a nasty issue that allowed me to gain a level of access that absolutely should not have been allowed.
Long term I'll probably turn this into a talk, adding a lot of other elements about how this could go much further, given the other issues found upon further review, including intranet scanning. But for now I thought I'd share it so everyone can see how it occurred. This is a good lesson to companies who balk at lower level security issues, and it could prove to be a useful tool to help them recognize why they must close as many security issues as possible, no matter how small.