Leveraging CVE for Web Application Penetration Testing
DESCRIPTION
Leveraging CVE for Web Application Penetration Testing: efficient use of the CVE content for WAPT. XORCISM, Burp extension, OWASP ZAP extension, nmap NSE script for vulnerability assessment.
TRANSCRIPT
Leveraging CVE for Web Application Penetration Testing
Jerome Athias, March 2014
CVE (Common Vulnerabilities and Exposures) is a repository of security software flaws, managed
by NIST in the National Vulnerability Database (NVD) as part of SCAP (Security Content Automation Protocol).
https://nvd.nist.gov/
https://cve.mitre.org/
The goal of CVE is to make it easier to share data across separate vulnerability tools, repositories, and services.
The CVE vulnerability database (60000+ entries) is available as XML feeds.
https://nvd.nist.gov/download.cfm
The CVE database is also searchable online.
https://web.nvd.nist.gov/view/vuln/search
https://cve.mitre.org/cve/
CVE Format
The NVD/CVE data feed is available as XML files using an XML schema:
https://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd
It is also available in CVRF (Common Vulnerability Reporting Format):
http://www.icasi.org/cvrf
NB: CVRF is derived from IETF’s IODEF.
http://tools.ietf.org/html/draft-ietf-mile-rfc5070-bis-06
See also: https://tools.ietf.org/html/draft-booth-sacm-vuln-model-02
CVE Mappings
As part of SCAP, CVE is mapped to various other specifications/standards, using multiple languages.
Examples: CWE, CVSS, CPE, CCE, OVAL
Other Repositories
http://www.cvedetails.com/
https://www.scaprepo.com
http://oval.secpod.com
http://osvdb.org/
http://www.exploit-db.com/
https://github.com/athiasjerome/XORCISM
CVE Content
CVE-ID
Description
References
Impact (CVSS)
Configuration (CPEs)
Leveraging CVE content for WAPT
Example: SQL Injection
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sql+injection
Interesting (unstructured) information about the URIs, parameters and function names in the description:
“execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php”
“vulnerability in the manage configuration page (adm_config_report.php) … via the filter_config_id parameter”
“in portal/addtoapplication.php … via the rssurl parameter”
Extracting juicy information from CVE
Start your regex engine!
CPEs: easy, because they are present in CVE in a structured way. Useful for reconnaissance (information gathering, fingerprinting).
Example: nmap NSE script
http://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/
http://www.scip.ch/?labs.20130625
Extracting juicy information from CVE
Default credentials
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=default+password
“has a default password of admin for the admin account”
“has a default "ditto" username and password”
“Cisco Video Surveillance 4000 IP cameras has hardcoded credentials”
“HTC Droid Incredible has a default WPA2 PSK passphrase of 1234567890”
Enhance your default credentials database:
http://www.cirt.net/passwords
http://www.virus.org/default-password/
http://www.routerpasswords.com/
Do it right: default credentials + CPE
https://www.security-database.com/dpe.php
Extracting juicy information from CVE
URIs, parameters, functions
Unfortunately, these are not structured in CVE. That should be seriously considered (in a CybOX way); let’s do this.
Approach: XML parsing, regex, dissector => storage in a database. For the database’s design, use of the CybOX HTTP Session Object and URI Object:
http://cybox.mitre.org/language/version2.1/xsddocs/objects/HTTP_Session_Object.html
http://cybox.mitre.org/language/version2.1/xsddocs/objects/URI_Object.html
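The extraction pipeline described on this slide (XML parsing of the NVD feed, regex over the free-text summary, storage in a database for later queries) together with the structured CPE extraction for fingerprinting from the earlier slide, as an added example that is not part of the talk or of XORCISM. It parses a constructed fragment laid out like the NVD/CVE 2.0 XML feed (the namespace URIs are reproduced from memory of the published schema and are an assumption; the CVE ids and CPEs are placeholders, and the summaries are modelled on the phrasing quoted in the talk), pulls the CPE list from the structured part, regexes script paths and "via the X parameter" phrases out of the summary, and loads everything into an in-memory SQLite database so that a tester who has fingerprinted a CPE can look up the endpoints and parameters worth verifying. The function and table names are mine; the flat tables stand in for the CybOX-shaped design the talk proposes.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Namespaces of the NVD/CVE 2.0 XML feed (nvd-cve-feed_2.0.xsd), reproduced from
# memory: an assumption if the published schema differs.
NS = {
    "feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
}

# Constructed feed fragment: placeholder CVE ids and CPEs, summaries modelled on
# the phrasing quoted in the talk. Not real NVD data.
SAMPLE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
  <entry id="CVE-0000-0001">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:example:cms:1.0</vuln:product>
      <vuln:product>cpe:/a:example:cms:1.1</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0001</vuln:cve-id>
    <vuln:summary>SQL injection vulnerability in Example CMS 1.0 and 1.1 allows remote attackers to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php.</vuln:summary>
  </entry>
  <entry id="CVE-0000-0002">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:example:tracker:2.3</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0002</vuln:cve-id>
    <vuln:summary>SQL injection vulnerability in the manage configuration page (adm_config_report.php) in Example Tracker 2.3 allows remote authenticated users to execute arbitrary SQL commands via the filter_config_id parameter.</vuln:summary>
  </entry>
  <entry id="CVE-0000-0003">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:example:portal:4.0</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0003</vuln:cve-id>
    <vuln:summary>SQL injection vulnerability in portal/addtoapplication.php in Example Portal 4.0 allows remote attackers to execute arbitrary SQL commands via the rssurl parameter.</vuln:summary>
  </entry>
</nvd>
"""

# "Beta regex": script paths and "via the X parameter" phrases in the summary.
URI_RE = re.compile(r"\b([\w./-]+\.(?:php|asp|aspx|jsp|cgi|pl|do))\b")
PARAM_RE = re.compile(r"via the (\w+) parameter")


def parse_feed(xml_text):
    """Yield (cve_id, summary, [cpe...], [uri...], [param...]) for each entry."""
    root = ET.fromstring(xml_text)
    for entry in root.findall("feed:entry", NS):
        cve_id = entry.findtext("vuln:cve-id", default="", namespaces=NS)
        summary = entry.findtext("vuln:summary", default="", namespaces=NS)
        # Structured part: the CPE list needs no regex at all.
        cpes = [p.text for p in entry.findall("vuln:vulnerable-software-list/vuln:product", NS)]
        # Unstructured part: dissect the free text.
        uris = sorted(set(URI_RE.findall(summary)))
        params = sorted(set(PARAM_RE.findall(summary)))
        yield cve_id, summary, cpes, uris, params


def build_db(xml_text):
    """Load the parsed feed into an in-memory SQLite database, one table per artefact."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cve (id TEXT PRIMARY KEY, summary TEXT);
        CREATE TABLE cpe (cve_id TEXT, cpe TEXT);
        CREATE TABLE uri (cve_id TEXT, uri TEXT);
        CREATE TABLE param (cve_id TEXT, name TEXT);
    """)
    for cve_id, summary, cpes, uris, params in parse_feed(xml_text):
        db.execute("INSERT INTO cve VALUES (?, ?)", (cve_id, summary))
        db.executemany("INSERT INTO cpe VALUES (?, ?)", [(cve_id, c) for c in cpes])
        db.executemany("INSERT INTO uri VALUES (?, ?)", [(cve_id, u) for u in uris])
        db.executemany("INSERT INTO param VALUES (?, ?)", [(cve_id, p) for p in params])
    return db


def lookup_by_cpe(db, cpe):
    """For a CPE obtained by fingerprinting, return (cve_id, uri, param) rows to verify."""
    return db.execute("""
        SELECT c.id, u.uri, p.name
        FROM cve c
        JOIN cpe ON cpe.cve_id = c.id
        LEFT JOIN uri u ON u.cve_id = c.id
        LEFT JOIN param p ON p.cve_id = c.id
        WHERE cpe.cpe = ?
        ORDER BY c.id, u.uri, p.name
    """, (cpe,)).fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_FEED)
    for row in lookup_by_cpe(db, "cpe:/a:example:cms:1.1"):
        print(row)
```

Two things the code shows that the slide only hints at: the CPE side is exact because the feed is structured, so a fingerprint-to-CVE lookup is reliable, whereas the URI and parameter side depends entirely on how the description was worded (a summary that says "in the id field" instead of "via the id parameter" yields nothing), which is why the talk argues for a structured (CybOX-style) representation rather than better regexes.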
CVE+
In the spirit of IVIL:
http://www.cupfighter.net/index.php/2010/10/ivil-an-xml-schema-to-exchange-vulnerability-information/
XORCISM Vulnerability Data Model (XVDM): standardized structured data specification, data normalization, easy bindings.
https://github.com/athiasjerome/XORCISM
XORCISM Database and Tools
Automatic import (download, parsing, storage) of CVEs into the database.
The same for CPE, CWE, etc. ;-) all linked automatically together. DOH!
Remember the default credentials? Guess what… stored there with CPEs, dude.
What else? Well… GHDB? :p
Some beta regex to extract the good stuff and store it in the relevant tables.
Easy research: SQL queries.
DEMO The Hackenathon
Usage for WAPT
Structured database (automatically updated) for nmap NSE scripts (vulnerability scanner). Yes, we scan!
More effective brute force (reliable default credentials attempted first)
“Passive”, reliable, automated way to find more vulnerabilities after web proxy discovery
What about live? Hum, let me think… Burp and ZAP extensions linked to the database?
DEMO Thriller
Burp extension
ZAP extension
CVE+ and Selenium
Near future: reliable automatic exploitation (because autopwn is noisy)
Questions? Thank you
Happy Hacking!
Coming soon http://xorcism.org/
Early birds http://www.frhack.org/research/xorcism.php