We ran into a scenario where we had to make a detailed description explaining what proof of concepts are, so pretty much a proof of concept explaining proof of concepts. We also wrote out the different types of proof of concept and what most companies expect you to provide them. While everyone here most likely knows what a proof of concept is and what companies expect, not everyone does.
To me a PoC is more than even this and it is inexplicably tied to writing a good vulnerability/bug report. To me the goals of a PoC are to communicate the risk/impact of the bug by exploiting said bug in a limited fashion, and providing the client with resources to reproduce and understand the bug themselves:
Report and PoC tips:
- Write a detailed but easy to understand description of the
- Write a detailed but easy to understand threat scenario or impact.
- Provide a visual representation of your workflow to exploit the vulnerability. This can be screenshots or video.
- Limit any exploitation to benign methods, i.e. if SQL injection, maybe just echo out the DB name or user name, instead of dumping the system's password hashes. If it’s a binary, pop calc.exe, etc.
- Provide a method to prove the vulnerability that is usable by a normally skilled IT professional. PoC code or tools can be curl commands, Python scripts, links, etc.
- Provide a listing of tools used in the research, including log files or state files.
- Arm the client with references: any blogs/write-ups that helped you discover the bug/vuln, CVSS scores, OWASP references, etc.
just my 2c
I’d be interested in @kymberlee's thoughts here, she was involved in managing some of the largest vuln disclosure programs known to date (Microsoft, Blackberry, ++)
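As an added illustration of the "limit exploitation to benign methods" tip above (this is example code written for this page, not something from the thread's posters or any client engagement): a constructed in-memory SQLite application with a query built by string concatenation, a PoC input that only echoes the database engine version back in place of a username, the same lookup in its parameterized (fixed) form, and a small evidence record of the kind a reproducible report would attach. All names (`lookup_vulnerable`, `lookup_fixed`, `run_poc`, `evidence_record`) and the sample table are assumptions made for the demo.

```python
import platform
import sqlite3

# Constructed stand-in for the client's application database (demo data only).
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES ('alice', 'hash-placeholder')"
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The defect being reported: untrusted input is concatenated into the statement.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, username):
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Benign proof input: it asks the engine for its version string, which is enough to
# demonstrate control of the query without touching the password_hash column.
BENIGN_POC_INPUT = "' UNION SELECT sqlite_version() -- "


def run_poc(lookup):
    """Return True when the engine version comes back where a username should be."""
    conn = make_demo_db()
    try:
        rows = lookup(conn, BENIGN_POC_INPUT)
    except sqlite3.Error:
        # A syntax error is not proof of injection; treat it as "not reproduced".
        return False
    return sqlite3.sqlite_version in rows


def evidence_record(lookup):
    """Reproduction details a reviewer needs: input sent, rows observed, tool versions."""
    conn = make_demo_db()
    try:
        observed = lookup(conn, BENIGN_POC_INPUT)
    except sqlite3.Error as exc:
        observed = ["error: %s" % exc]
    return {
        "input": BENIGN_POC_INPUT,
        "observed_rows": observed,
        "reproduced": sqlite3.sqlite_version in observed,
        "tooling": {
            "python": platform.python_version(),
            "sqlite": sqlite3.sqlite_version,
        },
    }


if __name__ == "__main__":
    print("vulnerable lookup reproduces:", run_poc(lookup_vulnerable))
    print("fixed lookup reproduces:", run_poc(lookup_fixed))
    print(evidence_record(lookup_vulnerable))
```

The same script doubles as the retest artifact: once the client ships the parameterized query, running it against the fixed lookup returns `reproduced: False`, and the tooling section gives the versions a "normally skilled IT professional" needs to repeat the check.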
We totally agree that writing a proof of concept is quite different than explaining what a proof of concept is to someone who isn’t tech savvy. We ran into a situation where we had to make it really, really easy for someone to understand what a proof of concept is so we could make proof of concepts.
I totally agree with your opinions. It's hard for me to find a good company here where they actually demonstrate a clear proof of concept in order to determine the risk/impact of a certain vulnerability.
Most of them just run the scanner and give the result as it is, without justifying the severity or identifying any false-positive issues. To make the report ‘safe’, words such as ‘probability to’, ‘could to’, ‘might be’ are always used in the technical report, which in my opinion is not Penetration Testing; that is more just a VA.
The link was dead, friend; kindly update the new link.