During an assessment, a penetration tester found a web component with no authentication requirements. The web component also allows file uploads and is hosted on one of the target public web servers. Which of the following actions should the penetration tester perform next?
When a penetration tester discovers a significant vulnerability such as a web component that allows file uploads without any authentication requirements, it poses an immediate and severe security risk. Notifying the primary contact immediately is critical to ensure that the organization is aware of the vulnerability and can take swift action to mitigate the risk. This approach prioritizes the security of the organization's systems and data, and it allows the appropriate personnel to assess the situation and decide on the best course of action.
When a penetration tester discovers a significant vulnerability such as a web component that allows file uploads without any authentication requirements, it poses an immediate and severe security risk. Notifying the primary contact immediately is critical to ensure that the organization is aware of the vulnerability and can take swift action to mitigate the risk. This approach prioritizes the security of the organization's systems and data, and it allows the appropriate personnel to assess the situation and decide on the best course of action, such as temporary remediation or further investigation.
C. Notify the primary contact immediately: This is the most appropriate action. The primary contact needs to be informed about this significant security risk as soon as possible so that they can take immediate action to mitigate the risk. • A. Continue the assessment and mark the finding as critical: While it is important to continue the assessment and document the finding as critical, immediate notification is necessary due to the high risk involved. • B. Attempt to remediate the issue temporarily: The penetration tester’s role typically does not involve making changes or remediating issues on the client’s systems without prior approval. • D. Shut down the web server until the assessment is finished: Shutting down the server is an extreme measure that should only be taken by the client or with the client’s explicit authorization.
see PMann's comment
Since it’s not currently being exploited, should be documented at critical for the report and moved on in the test.
correct