Actual Proofs of Concept

A proof of concept (POC) has two inter-related parts: first comes the concept, then the proof. The obviousness of this seems to escape some people. After some of the absolute crap I've seen posted this weekend, a quick review seems in order.

  • Concept: The concept is what is being posited. It is the essential idea that is being put forth.
  • Proof: The proof attempts to show that the core concept in fact holds for some non-trivial situation. A proof of something only marginally related to the concept is not a proof.

So, if you are attempting to show that a certain construct is vulnerable to persistent cross-site scripting (XSS), do not use an example that demonstrates reflective XSS. And vice versa. If you are attempting to show that some code is vulnerable to reflective XSS, don't use a proof of concept that includes values that could never originate from the user's web browser.
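As an added illustration of the persistent/reflective distinction (example code written for this post, not the author's, using a constructed in-memory comment store and a deliberately harmless marker tag instead of script): a proof that only exercises the search page proves a reflective flaw, and a proof of a persistent flaw has to submit once and then show the marker on a later, separate page fetch. The hardened sinks alongside show where output encoding closes each one.

```python
import html

# Constructed in-memory comment store standing in for a database (assumption).
COMMENTS = []

# --- Vulnerable sinks: untrusted text is concatenated into HTML unescaped ---

def search_page_vulnerable(query):
    """Reflective sink: the page echoes a parameter of the same request."""
    return "<p>Results for: " + query + "</p>"

def post_comment_vulnerable(text):
    """Stores the comment verbatim; nothing is rendered at this point."""
    COMMENTS.append(text)

def comments_page_vulnerable():
    """Persistent sink: earlier stored input is rendered to every later visitor."""
    return "<ul>" + "".join("<li>" + c + "</li>" for c in COMMENTS) + "</ul>"

# --- Hardened sinks: HTML-encode at the point of output ---

def search_page_hardened(query):
    return "<p>Results for: " + html.escape(query) + "</p>"

def comments_page_hardened():
    return "<ul>" + "".join("<li>" + html.escape(c) + "</li>" for c in COMMENTS) + "</ul>"

# Constructed, harmless tag: it only proves the markup reached the page unencoded.
MARKER = "<i>poc-marker</i>"

def marker_rendered_raw(page):
    return MARKER in page

def demo():
    """Maps each claim to what the corresponding proof actually shows."""
    COMMENTS.clear()
    results = {}
    # Reflective claim: the marker appears only in the response to the request that carried it.
    results["reflective_vulnerable"] = marker_rendered_raw(search_page_vulnerable(MARKER))
    results["reflective_hardened"] = marker_rendered_raw(search_page_hardened(MARKER))
    results["reflective_seen_by_other_request"] = marker_rendered_raw(search_page_vulnerable("shoes"))
    # Persistent claim: submit once, then fetch a different page as a later visitor.
    post_comment_vulnerable(MARKER)
    results["persistent_vulnerable"] = marker_rendered_raw(comments_page_vulnerable())
    results["persistent_hardened"] = marker_rendered_raw(comments_page_hardened())
    return results

if __name__ == "__main__":
    for claim, shown in demo().items():
        print(f"{claim}: {shown}")
```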

If you are claiming some defect is a security vulnerability, your POC needs to show both the vulnerability and how it is security related. Not all bugs are security vulnerabilities.

No links, because some of these people don't deserve any more credit than they are already trying to get.

Enough said.

Posted by gfleischer on 2007/12/02 at 23:53 in Rants
