Proof of Concept
Posted by jericho
PoC, aka ‘Proof of Concept’. Please stop and read those words; actually think about what they mean. The term was originally used to label code that demonstrated that a concept or idea was actually valid. ResearcherX would say that SoftwareY contained an exploitable overflow in FunctionZ. Since code can be tricky and input can be sanitized in a number of places, the researcher would write up exploit code that demonstrated and proved (the ‘proof’ in PoC) that his concept was actually valid. This was working code that at least demonstrated a segfault or denial of service, or actually ran an arbitrary (even harmless) command.
These days, PoC is a stupid catch phrase used to label any URL that supposedly demonstrates an exploit. Researcher1 finds a cross-site scripting vulnerability in SoftwareY and releases the following PoC:
http://[target]/[path]/index.html?foo=[CODE]
That does not prove your concept. That does not prove there is a vulnerability. That does not necessarily let anyone else figure out how to exploit it short of full source code analysis. Yes, most XSS vulnerabilities are trivial to reproduce, especially with a cross-site scripting cheat sheet out there. However, some XSS vulnerabilities may take some tricky encoding, restrict specific types of characters, or otherwise make exploitation difficult. Assuming that 99% of the XSS vulnerabilities disclosed are trivial to replicate, I’ll concede the above as a proof of concept. That said, the next time you find yourself typing this:
http://[target]/[path]/index.html?foo=[SQL]
Please, don’t bother. Just because you pasted a ' character into the application and saw some pretty SQL error syntax doesn’t mean it is vulnerable to SQL injection. If you are going to use “PoC” anywhere in your “advisory”, prove your claim that it is vulnerable. With the number of vendor-disputed vulnerabilities out there, it is the least you can do if you want anyone to take you seriously.
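As an added illustration (not part of jericho's post), here is a small Python harness showing what "proving" the two URL templates above involves when the software is set up locally. The page handlers, the `<pocmarker>` tag, the `example.invalid` host and the in-memory SQLite table are all constructed stand-ins for this example, not any real product. The XSS part turns the `?foo=[CODE]` template into a concrete request, sends a harmless marker, and reports whether the marker came back as markup (demonstrated) or HTML-encoded (not demonstrated). The SQL part shows the point of the second template: a quote character can trigger a database error from a string-built query, but the same input is handled cleanly by a parameterised one, so the error on its own is a symptom to investigate, not proof of injection.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed marker: a harmless tag whose angle brackets must survive unencoded
# for the reflection to count as demonstrated.
MARKER = "<pocmarker>"


def build_poc_url(base: str, param: str = "foo", marker: str = MARKER) -> str:
    """Turn a template like http://[target]/[path]/index.html?foo=[CODE] into a concrete URL."""
    return f"{base}?{urlencode({param: marker})}"


def render_vulnerable(query_string: str) -> str:
    """Stand-in for the defective page: reflects 'foo' into HTML untouched."""
    foo = parse_qs(query_string).get("foo", [""])[0]
    return f"<html><body><p>You searched for: {foo}</p></body></html>"


def render_fixed(query_string: str) -> str:
    """Same page with output encoding applied; the marker comes back as text, not markup."""
    foo = parse_qs(query_string).get("foo", [""])[0]
    return f"<html><body><p>You searched for: {html.escape(foo, quote=True)}</p></body></html>"


def reflected_as_markup(body: str, marker: str = MARKER) -> bool:
    """True only if the marker reached the response with its brackets intact."""
    return marker in body


def verify_xss_poc(url: str, handler) -> dict:
    """Reproduce the claim: send the marker, inspect the response, record a verdict."""
    query = urlsplit(url).query
    body = handler(query)
    demonstrated = reflected_as_markup(body)
    return {
        "url": url,
        "marker_sent": parse_qs(query).get("foo", [""])[0] == MARKER,
        "reflected_as_markup": demonstrated,
        "verdict": ("demonstrated: marker reflected as markup" if demonstrated
                    else "not demonstrated: marker came back encoded or absent"),
    }


def quote_probe(concatenate: bool) -> str:
    """A quote may produce a database error, but an error is not an injection.

    Returns 'error' when the query fails and 'row' when it runs and matches the
    stored row. Uses an in-memory SQLite table constructed for this example.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE items (name TEXT)")
        conn.execute("INSERT INTO items VALUES ('O''Brien')")
        value = "O'Brien"  # a legitimate value that happens to contain the probe character
        try:
            if concatenate:
                # String-building: the quote breaks the statement and SQLite reports a syntax error.
                cur = conn.execute(f"SELECT name FROM items WHERE name = '{value}'")
            else:
                # Parameterised: the quote is data, the query runs and finds the row.
                cur = conn.execute("SELECT name FROM items WHERE name = ?", (value,))
            return "row" if cur.fetchall() else "none"
        except sqlite3.OperationalError:
            return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    url = build_poc_url("http://example.invalid/app/index.html")  # placeholder host
    for name, handler in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, verify_xss_poc(url, handler)["verdict"])
    print("concatenated query on a quote:", quote_probe(True))
    print("parameterised query on a quote:", quote_probe(False))
```

The `verdict` field is what a bare URL template leaves out: the same template yields "demonstrated" against the reflecting handler and "not demonstrated" against the encoding one, and only the reproduction tells you which. Swapping `render_vulnerable` for a request to a locally installed copy of the software is the step that turns the template into an actual proof.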

So you’re suggesting that I go far enough to actually penetrate someone else’s box in order to prove the vuln, eh? :)
I think that the time of “PoCs” is almost over … maybe 2-4 years ago there were more of them, OK, but that’s not the point … These days there are only some “PoCs” … in my case I also made a lot of mistakes, but about proof of concept, even in XSS, sometimes that PoC isn’t usable for an attacker, but for a developer, who says: “I did as you say, mysite.com/app/index.jsp?dir=[XSS], and I don’t see the vuln.” Also for researchers/web-publishers who collect and manage information reported by someone else, sometimes those simple examples, or as you say “PoCs”, can save time. In your points you are right, but I don’t think that blog readers need to know what “PoC” means … take care.
I certainly don’t mean penetrating another person’s system to prove the point. But setting the software up on your local system or even demonstrating the vulnerability on the vendor’s demo site (with permission) seems a good middle ground.