
Communicate to developers and product managers, not to other pentesters
As pentesters, we all have a tendency to use technical jargon that only security professionals can understand. Many pentesters fall into this trap. The real target audience, such as developers, engineers, and product managers, finds these reports cryptic. For them, the situation is similar to reading a doctor's handwriting.

[Image: the trap. Source: dribbble.com/shots/4948077-Super-Venus-Fly-Brothers]
You can get out of this trap easily. When you use one of the following big words in the report, follow it with a simplified version in the description section or in the appendix. Please find some examples below:
| jargon | alternative simple versions |
|---|---|
| reflected xss | temporary front-end javascript injection; temporary front-end javascript malware injection; temporary front-end javascript malware execution; temporary javascript injection; temporary malicious javascript injection; run-time javascript injection; temporary client-side javascript injection |
| stored xss | permanent front-end javascript injection; permanent front-end javascript malware injection; front-end javascript injection with attack-code stored in the database; front-end javascript injection with database as malware-source; front-end malicious javascript injection with database as malware-source; front-end javascript malware execution with attack-code stored in the database; front-end javascript malware execution with attack-code stored in the file-storage |
| brute force attack | trial-and-error attack; password-guessing attack |
| horizontal privilege escalation | cross-account access attack |
| vertical privilege escalation | access amplification attack |
| session fixation | pre-auth and post-auth cookies are the same |
| cross-site request forgery | unintended form submission; unintended action attack; malicious form submission attack |
| verbose error message | sensitive information leaked in error messages |
| vertical privilege escalation in admin page | non-admin users can access the admin page |
| horizontal privilege escalation in edit-profile page | employees can edit the profiles of other employees |
| server-side request forgery | server proxy attacks |
| insecure deserialization | untrusted data processing; malicious data conversion |
| buffer overflow | memory overflow |
| clickjacking | hidden click attack; fake click attack; ui deception attack; click spoofing attack |
| denial of service | service disruption attack; traffic flooding attack; system overload attack; resource exhaustion attack |
| spoofing attack | identity faking attack; impersonation attack; deception attack |
| drive-by attack | stealth download attack; hidden malware attack; silent code attack |
| shoulder surfing | peeking attack; screen snooping attack |
| phishing attack | scam message attack; fake website attack; scam phone-call attack |
| credential stuffing | credential reuse; password reuse |
| supply chain attack | vendor compromise attack; trusted source sabotage attack; third-party breach attack |
| penetration test | cyberattack imitation test; cyberattack simulation test |
| vulnerability assessment | security weakness evaluation; system flaw analysis; cyberattack prevention check |
| rate limiting | web-traffic control; web-traffic capping |
| load balancing | web-traffic distribution |
| proxy server | web mediator |
| regular expression | pattern matching |
| remote code execution | a malicious actor can run their code on the back-end server |
| remote command execution | a malicious actor can run operating-system commands on the back-end server |
| authentication | identity verification; identity check |
| authorization | access control; permission check |
| sast scanner | code security checking software |
| dast scanner | web-application front-end security checker software |
Our goal here is to lower the entry barrier for people to understand the security issues. However, we should also enable them to do their own research. Do not completely replace the currently used, popular terminology with the new terms. That would confuse people, make research difficult (think of a developer trying to find more information about cross-site scripting attacks by searching for 'client-side script injection'), and defeat our goal.
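One way to enforce both rules above, as an added example that is not part of the original post: a small Python check that flags jargon terms in report text whose first occurrence is not followed by a plain-language alternative, and a helper that appends the alternative in parentheses while keeping the original term searchable. The GLOSSARY is an assumed, trimmed copy of the table, and SAMPLE_FINDING is constructed report text.

```python
import re

# Assumed trimmed copy of the jargon table above (keys and values lowercase).
GLOSSARY = {
    "reflected xss": "temporary front-end javascript injection",
    "stored xss": "permanent front-end javascript injection",
    "cross-site request forgery": "unintended form submission",
    "server-side request forgery": "server proxy attacks",
    "vertical privilege escalation": "access amplification attack",
}


def find_unexplained_jargon(report: str, window: int = 120) -> list:
    """Return jargon terms whose first occurrence in `report` is not followed,
    within `window` characters, by the plain-language alternative.
    Only the first occurrence matters: explaining a term once is enough."""
    text = report.lower()
    missing = []
    for term, plain in GLOSSARY.items():
        idx = text.find(term)
        if idx == -1:
            continue  # term not used in this report
        following = text[idx + len(term): idx + len(term) + window]
        if plain not in following:
            missing.append(term)
    return missing


def add_gloss(report: str, window: int = 120) -> str:
    """Append '(plain-language alternative)' after the first occurrence of each
    jargon term that lacks one. The original term is kept, so developers can
    still search for the standard name (the caveat in the last paragraph)."""
    out = report
    for term, plain in GLOSSARY.items():
        match = re.compile(re.escape(term), re.IGNORECASE).search(out)
        if match and plain not in out[match.end(): match.end() + window].lower():
            out = out[:match.end()] + f" ({plain})" + out[match.end():]
    return out


# Constructed sample: finding 3 uses bare jargon, finding 4 already explains it.
SAMPLE_FINDING = (
    "Finding 3: Stored XSS in the comment field. "
    "Finding 4: Reflected XSS (temporary front-end javascript injection) in the search box."
)

if __name__ == "__main__":
    print(find_unexplained_jargon(SAMPLE_FINDING))  # ['stored xss']
    print(add_gloss(SAMPLE_FINDING))
```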