Low Severity Vulnerabilities

OK To Defer Low Severity Vulnerabilities?

Not if a black hat hacker can chain multiple low severity vulnerabilities together to create a critical/high severity vulnerability!

We’ve seen several instances of this tactic with our customers recently:

  • A simple SSRF or CRLF injection can be combined with unsafe deserialization to lead to server takeover.
  • A low severity self-XSS can be combined with clickjacking, leading to account takeover.
  • Login/logout CSRF, which exists in about 80% of the web apps we test, when combined with an XSS affecting the account can lead to cookie stealing, which can be further exploited to hijack sessions.

Discovering such vulnerability chains requires manual testing; automated static/dynamic vulnerability scanning is not sufficient.

We offer manual testing at a very economical price with our certified ethical hackers. Let us know if you’d like to receive an actual sample report, or a free 24-hour test of your app.

Request a 24-hour free pen test or an actual sample report at security@apptroos.com so you can see the high quality of our work & reports.