After performing security assessments for web applications etc. , we come across many high risk findings. Finding a security issue is important but presenting it in a way that even a 10 year old can understand is equally essential skill. The goal is to present the security issue, so that developers can clearly understand the issue and fix it.
In security consulting, this skill is not-negotiable. you must showcase your findings in efficient way. Even high risk findings can not make an impact, if not presented correctly.
So, here are some tips for a good proof of concept. Some of them I remember from a session from Frans Rosen (@fransrosen) at a hackerone event in India.
1. Screenshots must be included for all phases. show case the page where the security issue was present.
2. Consider a scenario, if you will need timestamp in the screenshot.
3. Highlight the vulnerable input fields, URL in which security issue was present.
4. Add details in the screenshot, write which parameter was manipulated, what should have happened and what should have not. Explain them the security impact from this behavior of the web application.
5. If it is a video proof of concept, make is as short as possible. 60 seconds for a proof of concept video should be enough. because the video is to be seen multiple times by multiple teams, we should respect everyone’s time. I recommend creating better PoC because it can be viewed by millions of people on YouTube. 😉
Use video editing tools to increase speed of the video. I prefer using Movavi Video Editor for all such tasks. It’s a great multi purpose software which is easy to use and it is capable of performing all the tasks related to video editing. It is helpful for editing speed of vido, adding subtitles, special effects to a video, splitting the video and export it with any file type. You can also add music to a video to make it more inteesting.
6. If your video contains loading time/ waiting time, make sure that you edit the video and remove such portion.
7. If you wish to explain something, Do not type in notepad while creating proof of concept video. It increases duration of the PoC.
8. Make sure that you do not show unnecessary sensitive information while creating a video poc, not even for a second. Do not open your emails, notes, personal chats etc while creating a video poc.
Here’s a good example of a good proof of concept.
We can add more tips to this list.. write them to email@example.com
We will add the tip with credits. Happy Hacking! 😉
Image Credit: Getty Images
- Crypto-Mining Marketplace NiceHash Fixed a Vulnerability Which Leaked Miners’ Information - January 27, 2019
- How to watch movies via flash drive in Sony Bravia? - July 8, 2018
- How to create a great proof of concept video? - July 8, 2018
- Temporary Solution If You Received Message That Crashed Your iPhone - February 16, 2018
- This Vulnerability in phpMyAdmin Lets An Attacker Perform DROP TABLE With A Single Click! - December 29, 2017