Leveraging CVE for Web Application Penetration Testing
Efficient use of the CVE content for WAPT
XORCISM, Burp extension, OWASP ZAP extension, nmap nse script for vulnerability assessment


  1. Leveraging CVE for Web Application Penetration Testing. Jerome Athias, March 2014
  2. CVE
     • Common Vulnerability Enumeration is a repository of security software flaws managed by NIST in the National Vulnerability Database (NVD) as part of SCAP (Security Content Automation Protocol): https://nvd.nist.gov/ and https://cve.mitre.org/. The goal of CVE is to make it easier to share data across separate vulnerability tools, repositories, and services.
     • The CVE vulnerability database (60000+ entries) is available as XML feeds: https://nvd.nist.gov/download.cfm
     • The CVE database is also searchable online: https://web.nvd.nist.gov/view/vuln/search and https://cve.mitre.org/cve/
  3. CVE Format
     • The NVD/CVE data feed is available as XML files that follow an XML schema: https://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd
     • It is also available in CVRF (Common Vulnerability Reporting Format): http://www.icasi.org/cvrf
     • NB: CVRF is derived from the IETF's IODEF: http://tools.ietf.org/html/draft-ietf-mile-rfc5070-bis-06. See also https://tools.ietf.org/html/draft-booth-sacm-vuln-model-02
  4. CVE Mappings
     • As part of SCAP, CVE is mapped to various other specifications and standards, expressed in several languages.
     • Examples: CWE, CVSS, CPE, CCE, OVAL
  5. Other Repositories
     • http://www.cvedetails.com/
     • https://www.scaprepo.com
     • http://oval.secpod.com
     • http://osvdb.org/
     • http://www.exploit-db.com/
     • https://github.com/athiasjerome/XORCISM
  6. CVE Content
     • CVE-ID
     • Description
     • References
     • Impact (CVSS)
     • Configuration (CPEs)
  7. Leveraging CVE content for WAPT
     • Example: SQL injection. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sql+injection
     • The description carries interesting, but unstructured, information about URIs, parameters and function names: "execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php"; "vulnerability in the manage configuration page (adm_config_report.php) ... via the filter_config_id parameter"; "in portal/addtoapplication.php ... via the rssurl parameter"
  8. Extracting juicy information from CVE
     • Start your regex engine!
     • CPEs: easy, because they are stored in CVE in a structured way. Useful for reconnaissance (information gathering, fingerprinting).
     • Example: nmap NSE script. http://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/ and http://www.scip.ch/?labs.20130625
  9. Extracting juicy information from CVE: default credentials
     • https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=default+password
     • "has a default password of admin for the admin account"; "has a default "ditto" username and password"; "Cisco Video Surveillance 4000 IP cameras has hardcoded credentials"; "HTC Droid Incredible has a default WPA2 PSK passphrase of 1234567890"
     • Enhance your default credentials database: http://www.cirt.net/passwords, http://www.virus.org/default-password/, http://www.routerpasswords.com/
     • Do it right: default credentials + CPE. https://www.security-database.com/dpe.php
  10. Extracting juicy information from CVE: URIs, parameters, functions
     • Unfortunately, these are not structured in CVE.
     • That should be seriously considered (in a CybOX way); let's do this.
     • Approach: XML parsing, regex, dissector => storage in a database.
     • For the database's design, use the CybOX HTTP Session Object and URI Object: http://cybox.mitre.org/language/version2.1/xsddocs/objects/HTTP_Session_Object.html and http://cybox.mitre.org/language/version2.1/xsddocs/objects/URI_Object.html
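The pipeline sketched in slides 8 to 10 (XML parsing, regexes over the description, storage in a database, then SQL queries by product) as an added Python example. This is not code from the talk or from the XORCISM project: the feed below is a constructed sample whose shape follows the NVD 2.0 XML feed, the namespace URIs are taken from that schema as an assumption, the CVE ids are placeholders, the products are fictional, and the regexes and table layout are my own.

```python
"""Added example: parse an NVD-2.0-style CVE feed, extract structured CPEs plus
unstructured hints (script paths, parameter names, default credentials) from
the summaries with regexes, store them in SQLite and query them by product."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Namespaces of the NVD CVE 2.0 XML feed (assumption: as in nvd-cve-feed_2.0.xsd)
NS = {
    "feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
}

# Constructed sample feed: placeholder CVE ids and fictional products, with
# summaries phrased the way the talk's quoted descriptions are.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
  <entry id="CVE-0000-0001">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:example:webapp:1.0</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0001</vuln:cve-id>
    <vuln:summary>SQL injection vulnerability in admin/moduleinterface.php in Example WebApp 1.0 allows remote attackers to execute arbitrary SQL commands via the sortby parameter.</vuln:summary>
  </entry>
  <entry id="CVE-0000-0002">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/h:example:camera:4000</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0002</vuln:cve-id>
    <vuln:summary>Example Camera 4000 has a default password of admin for the admin account, which allows remote attackers to obtain access.</vuln:summary>
  </entry>
  <entry id="CVE-0000-0003">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/h:example:nas:2.0</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0003</vuln:cve-id>
    <vuln:summary>Example NAS 2.0 has a default "ditto" username and password, which allows remote attackers to gain access.</vuln:summary>
  </entry>
</nvd>
"""

# Regexes over the free-text summary (my own, tuned to the usual NVD phrasing)
SCRIPT_RE = re.compile(r"\b[\w.-]+(?:/[\w.-]+)*\.(?:php|asp|aspx|jsp|cgi|pl)\b")
PARAM_RE = re.compile(r"\bvia (?:the |an? )?(\w+) parameters?\b")
DEFAULT_PW_RE = re.compile(r"default password of (\S+) for the (\S+) account")
DEFAULT_USER_PW_RE = re.compile(r'default "?(\w+)"? username and password')


def parse_feed(xml_text):
    """Return one dict per <entry>: CVE id, summary text and its CPE list."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("feed:entry", NS):
        entries.append({
            "cve": entry.get("id"),
            "summary": entry.findtext("vuln:summary", default="", namespaces=NS),
            "cpes": [p.text for p in entry.findall("vuln:vulnerable-software-list/vuln:product", NS)],
        })
    return entries


def extract_hints(summary):
    """Pull (kind, value) pairs out of a summary: script paths, parameter names
    and default credentials expressed as user:password."""
    hints = [("script", m) for m in SCRIPT_RE.findall(summary)]
    hints += [("parameter", m) for m in PARAM_RE.findall(summary)]
    hints += [("default_password", f"{user}:{pw}") for pw, user in DEFAULT_PW_RE.findall(summary)]
    hints += [("default_password", f"{w}:{w}") for w in DEFAULT_USER_PW_RE.findall(summary)]
    return hints


def build_db(entries):
    """Load parsed entries into an in-memory SQLite database with three tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cve(id TEXT PRIMARY KEY, summary TEXT);
        CREATE TABLE cpe(cve_id TEXT, cpe TEXT);
        CREATE TABLE hint(cve_id TEXT, kind TEXT, value TEXT);
    """)
    for e in entries:
        conn.execute("INSERT INTO cve VALUES (?, ?)", (e["cve"], e["summary"]))
        conn.executemany("INSERT INTO cpe VALUES (?, ?)", [(e["cve"], c) for c in e["cpes"]])
        conn.executemany("INSERT INTO hint VALUES (?, ?, ?)",
                         [(e["cve"], k, v) for k, v in extract_hints(e["summary"])])
    conn.commit()
    return conn


def hints_for_cpe(conn, cpe_prefix):
    """Hints for every CVE whose CPE starts with cpe_prefix (for instance a
    fingerprinted product without its version). substr() is used instead of
    LIKE so that '_' and '%' inside a CPE are not treated as wildcards."""
    return conn.execute(
        "SELECT DISTINCT h.cve_id, h.kind, h.value FROM hint h "
        "JOIN cpe c ON c.cve_id = h.cve_id "
        "WHERE substr(c.cpe, 1, ?) = ? ORDER BY h.cve_id, h.kind, h.value",
        (len(cpe_prefix), cpe_prefix),
    ).fetchall()


if __name__ == "__main__":
    db = build_db(parse_feed(SAMPLE_FEED))
    for row in hints_for_cpe(db, "cpe:/a:example:webapp"):
        print(row)
```

The regexes are deliberately narrow: a looser pattern on 60000+ free-text descriptions produces far more false positives than it recovers, so each extracted hint keeps its CVE id so that a reviewer can go back to the description and confirm it before the row is trusted by a scanner or a proxy extension.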
  11. CVE+
     • In the spirit of IVIL: http://www.cupfighter.net/index.php/2010/10/ivil-an-xml-schema-to-exchange-vulnerability-information/
     • XORCISM Vulnerability Data Model (XVDM): standardized structured data specification, data normalization, easy bindings. https://github.com/athiasjerome/XORCISM
  12. XORCISM Database and Tools
     • Automatic import (download, parsing, storage) of CVEs into the database
     • The same for CPE, CWE, etc. ;-) all linked together automatically. DOH!
     • Remember the default credentials? Guess what... stored there with CPEs, dude
     • What else? Well... GHDB? :p
     • Some beta regexes to extract the good stuff and store it in the relevant tables
     • Easy research: SQL queries
  13. DEMO: The Hackenathon
  14. Usage for WAPT
     • Structured database (automatically updated) for nmap NSE scripts (vulnerability scanner). Yes, we scan!
     • More effective brute force (reliable default credentials attempted first)
     • "Passive", reliable automated way to find more vulnerabilities after web proxy discovery
     • What about live? Hum, let me think... Burp and ZAP extensions linked to the database?
  15. DEMO: Thriller
     • Burp extension
     • ZAP extension
     • CVE+ and Selenium
     • Near future: reliable automatic exploitation (because autopwn is noisy)
  16. Questions? Thank you. Happy Hacking!
  17. Coming soon
     • http://xorcism.org/
     • Early birds: http://www.frhack.org/research/xorcism.php