Difference between revisions of "Talk:Benchmark"

From OWASP
(Request headers in XSS attacks: new section)
m (The meaning of the diagonal: follow the meaning of FPR and TPR instead of attributing misunderstood meanings)
Line 1: Line 1:
 
== The meaning of the diagonal ==
 
== The meaning of the diagonal ==
  
I don't think it's fair to call the diagonal line in the FPR/TPR chart a "random guess" line.  The FPR == TPR equation translates to FP/(FP+TN) == TP/(TP+FN), meaning FP*FN == TN*TP, or FP/TP == TN/FN.  The FPR > TPR area below the line does not put the tool into a "worse than guessing" shame list.  The last equation suggests a different interpretation of that area, "the noise rate in reporting suspects exceeds the silence rate about non-issues".   
+
I don't think it's fair to call the diagonal line in the FPR/TPR chart a "random guess" line.  The FPR == TPR equation translates to FP/(FP+TN) == TP/(TP+FN), meaning FP*FN == TN*TP, or FP/TP == TN/FN.  The FPR > TPR area below the line does not put the tool into a "worse than guessing" shame list.  The formulas suggests a different interpretation of that area, "the noise rate in reporting non-issues exceeds the sensitivity about real issues".   
  
 
The "worse than guessing" interpretation seems to come from the following scenario.  We have ''n'' real and ''m'' fake vulnerabilities.  For each of these vulnerabilities let the tool (or a monkey) decide if it is real.  I guess this scenario ignores that the tool does not get the list of these vulnerabilities as its input. --[[User:Eelgheez|Eelgheez]] ([[User talk:Eelgheez|talk]]) 20:24, 13 July 2016 (CDT)
 
The "worse than guessing" interpretation seems to come from the following scenario.  We have ''n'' real and ''m'' fake vulnerabilities.  For each of these vulnerabilities let the tool (or a monkey) decide if it is real.  I guess this scenario ignores that the tool does not get the list of these vulnerabilities as its input. --[[User:Eelgheez|Eelgheez]] ([[User talk:Eelgheez|talk]]) 20:24, 13 July 2016 (CDT)
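Review bot: the right-hand (new) version of the first paragraph, "The formulas suggests a different interpretation of that area", has a subject-verb agreement error; "The formulas suggest" is the correct form. The re-labelling of the two rates in that sentence does follow the definitions given earlier in the same paragraph: FPR = FP/(FP+TN) is the rate at which non-issues are reported (the "noise rate in reporting non-issues"), and TPR = TP/(TP+FN) is the sensitivity to real issues, so the new wording is consistent with the edit summary.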

Revision as of 15:00, 5 August 2016

The meaning of the diagonal

I don't think it's fair to call the diagonal line in the FPR/TPR chart a "random guess" line. The FPR == TPR equation translates to FP/(FP+TN) == TP/(TP+FN), meaning FP*FN == TN*TP, or FP/TP == TN/FN. The FPR > TPR area below the line does not put the tool into a "worse than guessing" shame list. The formulas suggest a different interpretation of that area, "the noise rate in reporting non-issues exceeds the sensitivity about real issues".

The "worse than guessing" interpretation seems to come from the following scenario. We have n real and m fake vulnerabilities. For each of these vulnerabilities let the tool (or a monkey) decide if it is real. I guess this scenario ignores that the tool does not get the list of these vulnerabilities as its input. --Eelgheez (talk) 20:24, 13 July 2016 (CDT)

Request headers in XSS attacks

The Test Case Details tab says that only Referer headers can act as tainted input in an XSS scenario. But (a) I doubt it is possible to craft a malicious path hosting the link to a site with the vulnerability and (b) in creating a stored XSS off a page on the attacker site with a crafted JavaScript, sending malicious values in any header but Referer appears possible (the Same Origin Policy will prevent reading the response but not sending the request). --Eelgheez (talk) 20:34, 25 July 2016 (CDT)