
Leveraging CVE for Web Application Penetration Testing

Leveraging CVE for Web Application Penetration Testing
Efficient use of the CVE content for WAPT
XORCISM, Burp extension, OWASP ZAP extension, nmap nse script for vulnerability assessment

  1. Leveraging CVE for Web Application Penetration Testing
     Jerome Athias, March 2014
  2. CVE
     - Common Vulnerability Enumeration is a repository of security software flaws managed by NIST in the National Vulnerability Database (NVD) as part of SCAP (Security Content Automation Protocol). The goal of CVE is to make it easier to share data across separate vulnerability tools, repositories, and services.
     - The CVE vulnerability database (60000+ entries) is available as XML feeds
     - The CVE database is also searchable online
  3. CVE Format
     - The NVD/CVE data feed is available as XML files using an XML schema
     - It is available in CVRF (Common Vulnerability Reporting Format) format
     - NB: CVRF is derived from IETF’s IODEF. See also:
  4. CVE Mappings
     - As part of SCAP, CVE is mapped to various other specifications/standards using multiple languages
     - Examples: CWE, CVSS, CPE, CCE, OVAL
  5. Other Repositories
  6. CVE Content
     - CVE-ID
     - Description
     - References
     - Impact (CVSS)
     - Configuration (CPEs)
  7. Leveraging CVE content for WAPT
     - Example: SQL Injection
     - Interesting (unstructured) information about the URIs, parameters and function names in the description:
       “execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php”
       “vulnerability in the manage configuration page (adm_config_report.php) … via the filter_config_id parameter”
       “in portal/addtoapplication.php … via the rssurl parameter”
  8. Extracting juicy information from CVE
     - Start your regex engine!
     - CPEs: easy, because they are in CVE in a structured way. Useful for reconnaissance (information gathering, fingerprinting)
     - Example: nmap nse script
  9. Extracting juicy information from CVE
     - Default credentials
       “has a default password of admin for the admin account”
       “has a default "ditto" username and password”
       “Cisco Video Surveillance 4000 IP cameras has hardcoded credentials”
       “HTC Droid Incredible has a default WPA2 PSK passphrase of 1234567890”
     - Enhance your default credentials database
     - Do it right: default credentials + CPE
  10. Extracting juicy information from CVE
     - URIs, parameters, functions
     - Unfortunately, not structured in CVE
     - That should be seriously considered (in a CybOX way); let’s do this
     - Approach: XML parsing, regex, dissector => storage in a database
     - For the database’s design, use of CybOX HTTP Session Object, URI Object
  11. CVE+
     - In the spirit of IVIL
     - XORCISM Vulnerability Data Model (XVDM): standardized structured data specification, data normalization, easy bindings
  12. XORCISM Database and Tools
     - Automatic import (download, parsing, storage) of CVEs into the database
     - The same for CPE, CWE, etc. ;-) all linked automatically together. DOH!
     - Remember the default credentials? Guess what… stored there with CPEs, dude
     - What else? Well… GHDB? :p
     - Some beta regex to extract the good stuff and store it in the relevant tables
     - Easy research: SQL queries
  13. DEMO
     - The Hackenathon
  14. Usage for WAPT
     - Structured database (automatically updated) for nmap nse scripts (vulnerability scanner). Yes, we scan!
     - More effective brute force (reliable default credentials attempted first)
     - “Passive”, reliable automated way to find more vulnerabilities, post web proxy discovery
     - What about live? Hmm, let me think… Burp and ZAP extensions linked to the database?
  15. DEMO
     - Thriller
     - Burp extension
     - ZAP extension
     - CVE+ and Selenium
     - Near future: reliable automatic exploitation (because autopwn is noisy)
  16. Questions?
     - Thank you
     - Happy Hacking!
  17. Coming soon
     - Early birds
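As an added example (not code from the deck or from XORCISM), the regex dissector step from slides 7 to 10: script paths, parameter names and default credentials are pulled out of free-text descriptions and kept attached to each record's CPEs. The records, CVE IDs, products and CPE strings are constructed placeholders that reuse the phrasing quoted in the slides.

```python
import re

# Constructed sample records shaped like NVD entries (id, free-text description,
# structured CPE list). The phrasing echoes the descriptions quoted in the deck;
# IDs, products and CPEs are placeholders, not real CVE data.
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-0001", "cpes": ["cpe:/a:example_vendor:example_cms:1.2"],
     "description": "SQL injection vulnerability allows remote attackers to execute "
                    "arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php."},
    {"id": "CVE-EXAMPLE-0002", "cpes": ["cpe:/a:example_vendor:example_tracker:1.0"],
     "description": "SQL injection vulnerability in the manage configuration page "
                    "(adm_config_report.php) allows remote attackers to execute arbitrary SQL "
                    "commands via the filter_config_id parameter."},
    {"id": "CVE-EXAMPLE-0003", "cpes": ["cpe:/a:example_vendor:example_portal:2.0"],
     "description": "Cross-site scripting (XSS) vulnerability in portal/addtoapplication.php "
                    "allows remote attackers to inject arbitrary web script via the rssurl parameter."},
    {"id": "CVE-EXAMPLE-0004", "cpes": ["cpe:/h:example_vendor:example_camera:-"],
     "description": "Example Camera has a default password of admin for the admin account."},
    {"id": "CVE-EXAMPLE-0005", "cpes": ["cpe:/h:example_vendor:example_appliance:-"],
     "description": "Example Appliance has a default \"ditto\" username and password."},
]

# Heuristic dissectors for the unstructured parts of a description.
SCRIPT_RE = re.compile(r"\b([\w./-]+\.(?:php|asp|aspx|jsp|cgi|pl))\b")
PARAM_RE = re.compile(r"\b(?:the\s+)?(\w+)\s+parameter\b")
PASSWORD_FOR_ACCOUNT_RE = re.compile(r"default password of (\S+?) for the (\w+) account")
SAME_USER_PASS_RE = re.compile(r"default \"?(\w+)\"? username and password")

def dissect(record):
    """Return structured fields from one CVE-like record, with its CPEs attached
    so tools can match on product first (the deck's 'default credentials + CPE').
    Regex over free text is heuristic; review results before trusting them."""
    text = record["description"]
    creds = [(user, pw) for pw, user in PASSWORD_FOR_ACCOUNT_RE.findall(text)]
    creds += [(word, word) for word in SAME_USER_PASS_RE.findall(text)]
    return {
        "id": record["id"],
        "cpes": list(record["cpes"]),
        "scripts": SCRIPT_RE.findall(text),
        "params": PARAM_RE.findall(text),
        "credentials": creds,
    }

def dissect_all(records):
    """Dissect each record; this is the step right before storage in the database."""
    return [dissect(r) for r in records]

if __name__ == "__main__":
    print(dissect_all(SAMPLE_CVES))
```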