Nines9 wrote:I think there should be a more consistent and reasonable point allocation for Hall of Fame entries..
"Stenoplasma : Found a way to abuse old unused code to login as any user with just his passhash and userid. Proof of concept gave him to get full administrator access on the site." - 25 Points
"leoj : Leoj found an XSS attack in the logic missions. Leoj was able to inject any HTML/JS he wanted." - 50 points
From what I can gather, the XSS that leoj found couldn't have been persistent, yet he got more HoF points than Stenoplasma, who could get admin access to the site.
Another example being Darkcoder and Stenoplasma finding the exact same sort of vulnerability but one was allocated 200 points, the other 250 (500/2 since he found the same thing twice)
Another being where Stenoplasma found two seperate SQL injections, together worth 200 points, while Nauticulus found one worth 300.
Shouldn't there be a more consistent system for allocating points?
TheMindRapist wrote:I think the points partly depend on how much the person who finds them elaborates on how they could possible be used. And for your first example, the code wasn't used so it makes sense it would be less.
Nines9 wrote:Pretty sure a CSRF/SQL vulnerability which allows you to add yourself as an Administrator has got to be worth more than an XSS that can only really allow you to view your own injection (non-persistent)
Rijnzael wrote:Nines9 wrote:Pretty sure a CSRF/SQL vulnerability which allows you to add yourself as an Administrator has got to be worth more than an XSS that can only really allow you to view your own injection (non-persistent)
I disagree. CSRF vulnerabilities aren't difficult to find in a site that doesn't have any sort of protection against them. I'd consider vulnerabilities which are harder to execute and find at a much higher tier than CSRF vulnerabilities.
Users browsing this forum: No registered users and 0 guests