Vulnerability Research

Vulnerabilities 101

Main Categories

  • Operating System: these types of vulnerabilities are found within Operating Systems (OSs) and often result in privilege escalation.
  • (Mis)Configuration-based: these types of vulnerability stem from an incorrectly configured application or service. For example, a website exposing customer details.
  • Weak or Default Credentials: applications and services that have an element of authentication will come with default credentials when installed. For example, an administrator dashboard may have the username and password of “admin”. These are easy to guess by an attacker.
  • Application Logic: these vulnerabilities are a result of poorly designed applications. For example, poorly implemented authentication mechanisms that may result in an attacker being able to impersonate a user.
  • Human-Factor: Human-Factor vulnerabilities are vulnerabilities that leverage human behaviour. For example, phishing emails are designed to trick humans into believing they are legitimate.

Scoring Vulnerabilities - CVSS and VPR

  • CVSS - Common Vulnerability Scoring System
    • some factors
      • How easy is it to exploit the vulnerability?
      • Do exploits exist for this?
      • How does this vulnerability interfere with the CIA triad?
    • severity, calculated using the calculator at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
      • 0: none
      • 0.1-3.9: low
      • 4.0-6.9: medium
      • 7.0-8.9: high
      • 9.0-10: critical
    • not designed to help with prioritisation; it only assigns a severity
    • score relies heavily on exploit being available
  • VPR - Vulnerability Priority Rating
    • risk-driven framework
    • vulnerabilities are given a score with a heavy focus on the risk a vulnerability poses to the organisation itself, rather than on factors such as impact
    • different scoring system to CVSS
    • scoring table
      • 0-3.9: low
      • 4.0-6.9: medium
      • 7.0-8.9: high
      • 9.0-10.0: critical
    • not open source

Vulnerability Databases

  • NVD
    • identifiers have the form CVE-YEAR-NUMBER
    • helps keep track of new vulnerabilities
  • Exploit-DB https://www.exploit-db.com/
    • retains exploits for vulnerabilities
    • database of PoC
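As an added example (not part of the original notes) of working with the CVE-YEAR-NUMBER format, the following helper pulls CVE identifiers out of free text such as an advisory or a searchsploit listing, normalises their case, drops duplicates and sorts them by year and sequence number. The sample text and the CVE numbers in it are constructed for illustration, and the function name is my own.

```python
import re

# CVE-YEAR-NUMBER: four-digit year, then a sequence number of at least four
# digits (sequence numbers outgrew 9999 per year, so five or more digits are valid).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample text; the identifiers are placeholders, not real CVEs.
SAMPLE_TEXT = """
Affected builds reference cve-2023-12345 and CVE-2021-0042.
The older issue CVE-2021-0042 was mentioned again in the changelog,
and a stray CVE-1998-0001 predates the CVE programme entirely.
"""


def extract_cves(text: str) -> list[str]:
    """Return distinct CVE IDs from text in canonical upper-case form,
    ordered by year and then by sequence number."""
    found = set()
    for year, seq in CVE_RE.findall(text):
        if int(year) < 1999:          # CVE IDs have only been assigned since 1999
            continue
        found.add((int(year), int(seq), f"CVE-{year}-{seq}"))
    return [cve_id for _, _, cve_id in sorted(found)]


if __name__ == "__main__":
    for cve_id in extract_cves(SAMPLE_TEXT):
        print(cve_id)
```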

Exploit Vulnerabilities

Finding Manual Exploits

  • Rapid7
    • filter by type of vulnerability
    • e.g. application, operating system
  • Searchsploit
    • offline copy of exploit-db
    • search by application name and or vulnerability type
    • searchsploit <search terms>
    • searchsploit -m <identifiers or full paths> copies the files corresponding to the vulnerability to the current folder

Last modified 2023.10.20