Current Taxonomy:
P4: Server Security Misconfiguration -> Web Application Firewall (WAF) Bypass -> Direct Server Access
Proposed Enhancement:
P4: Server Security Misconfiguration -> Web Application Firewall (WAF) Bypass -> Direct Server Access
P5: Server Security Misconfiguration -> Web Application Firewall (WAF) Bypass -> Non-Sensitive Data Exposure
While researchers can successfully demonstrate bypassing an applications WAF, it is common that researchers fail to provide evidence of any actually sensitive data exposure that provides access to otherwise sensitive information. This consequently results in the customer rejecting the submission based on this behaviour.
Similarly, while we appreciate that this behaviour does indeed indicate a WAF bypass, as there is no demonstrable impact against the customer, this should be considered as a P5 Informational finding.
Current Taxonomy:
P4:
Server Security Misconfiguration->Web Application Firewall (WAF) Bypass->Direct Server AccessProposed Enhancement:
P4:
Server Security Misconfiguration->Web Application Firewall (WAF) Bypass->Direct Server AccessP5:
Server Security Misconfiguration->Web Application Firewall (WAF) Bypass->Non-Sensitive Data ExposureWhile researchers can successfully demonstrate bypassing an applications WAF, it is common that researchers fail to provide evidence of any actually sensitive data exposure that provides access to otherwise sensitive information. This consequently results in the customer rejecting the submission based on this behaviour.
Similarly, while we appreciate that this behaviour does indeed indicate a WAF bypass, as there is no demonstrable impact against the customer, this should be considered as a P5 Informational finding.