I was looking through some feeds last week and saw a “Blind SSRF” vulnerability, and it got me thinking about a few vulnerability naming conventions that jostle my fur.
It spawned a tweet series that looked like this:
And then I followed that up with:
My buddy Jason Haddix was one of the only people to reply, which didn’t surprise me.
So he and I are in agreement, as expected.
So just to clarify and summarize for myself, and outside of Twitter:
Blind, to me, means that either the request or the response is abstracted from you in some way that makes it non-trivial to create or interpret.
Out-of-band, to me, means that the response does not come back to you in a clear and obvious way within the same interface the attack was sent from.
Under those definitions (and as above), error-based SQL injection is "normal", or in-band: the injected query's error text comes back in the same HTTP response as the attack. XSS would always be out-of-band, because the payload fires in someone else's browser rather than in the response to your request. And SSRF would always be blind, because the server builds and sends the request on your behalf; whether or not it echoes the result back, the request itself is abstracted from you.
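To make the blind versus out-of-band distinction concrete, here is an added example that is not part of the original post. It constructs a hypothetical "link preview" endpoint with an SSRF bug (`fetch_preview`, an assumed name) and an attacker-controlled HTTP listener on loopback; both are invented for illustration. In the classic case the endpoint echoes the fetched body, so the attacker sees the evidence in-band; in the blind case only "ok" comes back, and the only proof the server made the request is the hit recorded on the attacker's listener, which is the out-of-band channel. In both cases the server, not the attacker, builds and sends the request.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


# --- Attacker side: a listener that records any request reaching it. ---
# This is the out-of-band channel: evidence lands here, not in the app's response.
class CallbackHandler(BaseHTTPRequestHandler):
    hits = []  # paths of requests the listener has received (in-memory, constructed for the demo)

    def do_GET(self):
        CallbackHandler.hits.append(self.path)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"pong")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_listener():
    """Bind an attacker listener on a free loopback port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), CallbackHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# --- Victim side: a hypothetical "link preview" endpoint with an SSRF bug. ---
def fetch_preview(url, blind):
    """The server fetches an attacker-supplied URL. The request is built and sent by the
    server, so its construction is abstracted from the attacker either way.
    blind=False: the fetched body is echoed back (response visible in-band, classic SSRF).
    blind=True:  only success/failure is reported (response abstracted, blind SSRF)."""
    # ProxyHandler({}) disables environment proxies so the loopback fetch is direct.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=3) as resp:
            body = resp.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return {"status": "error"}
    return {"status": "ok"} if blind else {"status": "ok", "body": body}


def probe(blind):
    """Run one attacker probe: point the vulnerable endpoint at our listener and report
    what came back in-band versus what the out-of-band listener observed."""
    CallbackHandler.hits.clear()
    listener = start_listener()
    port = listener.server_address[1]
    try:
        in_band = fetch_preview(f"http://127.0.0.1:{port}/ssrf-probe", blind=blind)
    finally:
        listener.shutdown()
        listener.server_close()
    return {
        "in_band": in_band,
        "out_of_band_hits": list(CallbackHandler.hits),
        "confirmed_in_band": "body" in in_band and "pong" in in_band["body"],
        "confirmed_out_of_band": "/ssrf-probe" in CallbackHandler.hits,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("blind" if mode else "classic", probe(mode))
```

Note that even the blind variant still returns "ok" versus "error", which leaks whether the server could reach the target; that status or timing difference is a second, in-band side channel that a tester would use to enumerate internal hosts before reaching for a callback listener.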
I hope others care about such things. I think arbitrary application of specific, but incorrect, naming causes a lot of confusion in the industry. This is true with testing types, vulnerabilities, and many other things.
Don’t just assign names to things because you think they sound cool. And call it out when you see others doing it.