Time to familiarise ourselves with the skills, research methods and resources to exploit vulnerabilities in applications and systems.
Let’s start our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What have I learnt today?
- Stats
- Resources
Introduction to Vulnerabilities 101
Cybersecurity is big business nowadays. The breaches we hear about almost daily in the news come from exploiting vulnerabilities.
Today we are going to explain what a vulnerability is, the types of vulnerabilities there are, and how we can find and exploit them.
What have I learnt today?
Introduction to vulnerabilities
A vulnerability is a weakness or flaw in the design, implementation and/or behaviour of a system or application that an attacker can exploit to gain access to unauthorised information or perform unauthorised actions.
Many factors contribute to this: poor application design, failing to anticipate what a user will actually do with a feature, and so on.
We can classify vulnerabilities into five groups or categories:
Scoring Vulnerabilities (CVSS & VPR)
Vulnerability management is the process of evaluating, categorising and ultimately fixing vulnerabilities within an organisation. Even so, it is impossible to patch every single vulnerability in a network or system, and sometimes it is even a waste of resources, since (as the lesson notes) only around 2% of vulnerabilities are ever exploited.
This is where vulnerability scoring comes into play: we rank vulnerabilities by their likelihood and impact so we can prioritise fixing them in that order. The popular Common Vulnerability Scoring System (CVSS) awards points to a vulnerability based on how it can be reached and exploited (attack vector, complexity, privileges and user interaction required) and how badly it affects confidentiality, integrity and availability.
It is not the only method we can use, so let's explore the two most used ones:
Common Vulnerability Scoring System (CVSS)
Introduced in 2005, CVSS is a very popular framework for vulnerability scoring. It is pretty simple: the score of a vulnerability is determined by three main questions:
- How easy is it to exploit the vulnerability?
- Do public exploits exist for it?
- How does it affect the CIA triad (confidentiality, integrity, availability)?
Depending on its score, a vulnerability falls into one of these rating levels:
Vulnerability Priority Rating (VPR)
The VPR framework is much more modern and is considered risk-driven: vulnerabilities are scored with a heavy focus on the risk they pose to the organisation itself, rather than on the generic impact metrics CVSS uses.
VPR therefore takes the relevance of a vulnerability into account: if it does not apply to the organisation, it carries no risk. VPR scoring is also dynamic, so the score of a vulnerability may change over time.
VPR, like CVSS, has a rating scale for vulnerabilities:
Vulnerability Databases
We will come across many different applications and services as pentesters. Luckily, there are online resources that keep track of vulnerabilities. Let's familiarise ourselves with two of those vulnerability databases:
NVD (National Vulnerability Database)
The NVD, maintained by NIST, is a website that lists all publicly catalogued vulnerabilities, classified under Common Vulnerabilities and Exposures (CVE) identifiers.
CVEs use the format CVE-<YEAR>-<IDNUMBER>, where the year is the year the identifier was assigned and the ID number has at least four digits.
NVD lets us browse every confirmed CVE and filter the listing (by category, month of publication, and so on).
While NVD is good for keeping track of newly published vulnerabilities, it is not a good option when searching for exploits against a specific product and version.
Exploit-DB
Exploit-DB is a great resource for pentesters: it holds proof-of-concept exploits for software and applications, indexed by software name, version and author.
An example of finding a vulnerability
As an example, we are going to leverage a version disclosure: the application reveals the exact version of the software it runs, which we can then look up.
Applications and software usually expose a version number somewhere (a banner, a header, or an error page):
With this information, go to Exploit-DB and search for Apache Tomcat 9.0.17:
Now we have 5 exploits that may be useful in this specific scenario (check the version range stated in each entry before relying on it).
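Below is an added worked example of that procedure in Python, written for this write-up rather than taken from the room or from Exploit-DB. It pulls the disclosed version out of a constructed Tomcat error page, then filters a constructed, searchsploit-style CSV of exploit titles by product name and by the version clause in the title. The CSV columns, IDs and titles are made up for the example; the version-clause grammar it understands (`< X`, `X < Y`, `X.x`, exact) mirrors how Exploit-DB titles are commonly written. Exploit-DB's offline counterpart is the `searchsploit` tool, which searches a local CSV copy of the database by title in much the same way.

```python
import csv
import io
import re

# Constructed sample of a Tomcat error page: the kind of version disclosure
# the lesson is talking about. Real responses vary; this is illustrative only.
SAMPLE_RESPONSE = """HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8

<html><body><h3>Apache Tomcat/9.0.17</h3></body></html>
"""

# Constructed sample in the spirit of the CSV that searchsploit searches.
# Columns, IDs and titles are invented for the example; none of these rows
# is a real Exploit-DB entry.
SAMPLE_CSV = """\
id,description,path
1001,Apache Tomcat < 9.0.20 - Sample Entry A,multiple/remote/1001.txt
1002,Apache Tomcat 9.0.0 < 9.0.16 - Sample Entry B,multiple/remote/1002.py
1003,Apache Tomcat 8.5.x - Sample Entry C,multiple/remote/1003.txt
1004,Apache Tomcat 9.0.17 - Sample Entry D,multiple/remote/1004.rb
1005,Apache Tomcat - Sample Entry E (no version in title),multiple/remote/1005.txt
1006,Apache Struts 2.3.x - Sample Entry F,multiple/remote/1006.py
"""

VERSION = r"\d+(?:\.\d+)+"   # two or more dotted numeric components


def parse_version(text):
    """'9.0.17' -> (9, 0, 17); tuples compare component-wise, which is what we need."""
    return tuple(int(p) for p in text.split("."))


def extract_disclosed_version(response, product="Apache Tomcat"):
    """Pull 'Product/x.y.z' out of a banner or error page, or None if absent."""
    m = re.search(re.escape(product) + r"/(" + VERSION + r")", response)
    return m.group(1) if m else None


def constraint_from_title(title):
    """Turn the version clause of an exploit title into a predicate on a parsed
    version tuple. Returns None when the title makes no version claim."""
    m = re.search(rf"({VERSION}) <(=?) ({VERSION})", title)   # "9.0.0 < 9.0.16"
    if m:
        lo, inc, hi = parse_version(m.group(1)), m.group(2) == "=", parse_version(m.group(3))
        return lambda v: lo <= v and (v <= hi if inc else v < hi)
    m = re.search(rf"<(=?) ({VERSION})", title)                # "< 9.0.20"
    if m:
        inc, hi = m.group(1) == "=", parse_version(m.group(2))
        return lambda v: v <= hi if inc else v < hi
    m = re.search(rf"({VERSION})\.x\b", title)                 # "8.5.x"
    if m:
        prefix = parse_version(m.group(1))
        return lambda v: v[:len(prefix)] == prefix
    m = re.search(rf"\b({VERSION})\b", title)                  # exact "9.0.17"
    if m:
        exact = parse_version(m.group(1))
        return lambda v: v == exact
    return None


def search_exploits(csv_text, product, version):
    """Return (id, title, status) for entries naming the product whose version
    clause covers `version`. Entries with no version claim are kept, flagged
    'unversioned', so a human can read them rather than silently dropping them."""
    target = parse_version(version)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        title = row["description"]
        if product.lower() not in title.lower():
            continue
        pred = constraint_from_title(title)
        if pred is None:
            hits.append((int(row["id"]), title, "unversioned"))
        elif pred(target):
            hits.append((int(row["id"]), title, "matched"))
    return hits


if __name__ == "__main__":
    disclosed = extract_disclosed_version(SAMPLE_RESPONSE)
    print(f"disclosed version: {disclosed}")
    for edb_id, title, status in search_exploits(SAMPLE_CSV, "Apache Tomcat", disclosed):
        print(f"{edb_id}  {status:11} {title}")
```

Two caveats the matcher makes visible: a title with only an upper bound ("< 9.0.20") also matches older branches such as 8.5.40, and entries with no version in the title are kept for manual review. That is why the hits from a search like this are exploits that "may be useful", not confirmed ones; the entry itself has to be read.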
Summary
In this lesson, we have been introduced to:
- What vulnerabilities are.
- Why they are worthy of learning about.
- How vulnerabilities are rated.
- Databases for vulnerability research.
- A showcase of how vulnerability research works.
Stats
From 82.639th to 81.508th. Still at the top 4%!
Here is also the Skill Matrix:
Resources
Path: Jr Penetration tester
Vulnerability research
TryHackMe: Vulnerabilities 101
Other resources
Common Vulnerability Scoring System Calculator
NVD Full Listing
Exploit-DB