Vulnerability Scanning
The first and most important thing to understand is that vulnerability scanning is not penetration testing. It is amazing how many people think the two are one and the same; however, it would also be a mistake to assume they are unrelated. Most companies perform both vulnerability scanning and penetration testing, and as a penetration tester, vulnerability scanning can help you focus your penetration testing efforts.
So, what exactly is vulnerability scanning? It is using tools to scan for known issues. In other words, there are a variety of tools available which will scan your system, network, or website, and check them for documented vulnerabilities. For a penetration tester, this is just the first step. Once you have identified vulnerabilities, you then can attempt to exploit them. This chapter is going to discuss several widely used tools.
Vulnerabilities
Vulnerability scanners scan systems for known vulnerabilities. That may seem absurdly obvious. But the question becomes, how do the vendors of such tools know about vulnerabilities? There are some repositories where vulnerabilities are documented. These are referenced by various tools to know what to look for. You should be familiar with these.
CVE
Common Vulnerabilities and Exposures (CVE) is a list maintained by the MITRE Corporation at https://cve.mitre.org/. It is perhaps the most comprehensive vulnerability list. CVE was designed to provide a common name and description for each vulnerability, which allows security professionals to communicate effectively about vulnerabilities. CVE IDs originally used the format CVE-YYYY-NNNN, with a four-digit sequence number; that format allows only 9,999 unique identifiers per year. The current format is the CVE prefix, the year, and an arbitrary number of digits, so it is not limited to a fixed number of identifiers per year.
An example CVE is CVE-2017-8541, the description of which is quoted here:
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to memory corruption. aka “Microsoft Malware Protection Engine Remote Code Execution Vulnerability”, a different vulnerability than CVE-2017-8538 and CVE-2017-8540.
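As an added example (not code from the chapter), the following Python sketches what a scanner does with such a repository: it validates CVE IDs in both the original four-digit and the current longer form, loads a constructed feed of affected version ranges, and matches a constructed asset inventory against it. The feed layout, the product names and the CVE-0000-* identifiers are placeholders, not real records.

```python
import json
import re
# Matches the original four-digit form (e.g. CVE-2017-8541) and the current
# form, which allows four or more sequence digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed CVE ID; raise on anything else."""
    m = CVE_ID_RE.match(cve_id.strip())
    if not m:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))

def version_tuple(version):
    """'2.4.12' -> (2, 4, 12) so ranges compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

# Constructed feed in the spirit of an NVD record: product plus the affected
# version range. IDs, products and ranges are placeholders, not real CVEs.
SAMPLE_FEED = json.dumps([
    {"id": "CVE-0000-0001", "product": "examplehttpd",
     "affected": {"from": "2.4.0", "below": "2.4.30"}},
    {"id": "CVE-0000-12345", "product": "exampledb",
     "affected": {"from": "10.0.0", "below": "10.1.0"}},
])

def load_feed(text):
    """Parse the feed and reject malformed IDs before any matching happens."""
    entries = json.loads(text)
    for entry in entries:
        parse_cve_id(entry["id"])
    return entries

def scan_inventory(inventory, feed):
    """Return (host, product, version, cve_id) for each affected install."""
    findings = []
    for host, product, version in inventory:
        ver = version_tuple(version)
        for entry in feed:
            if entry["product"] != product:
                continue
            low = version_tuple(entry["affected"]["from"])
            high = version_tuple(entry["affected"]["below"])
            if low <= ver < high:
                findings.append((host, product, version, entry["id"]))
    return findings

# Constructed inventory: what a scanner would learn from banners or agents.
INVENTORY = [("web01", "examplehttpd", "2.4.12"), ("web02", "examplehttpd", "2.4.31"),
             ("db01", "exampledb", "10.1.3")]
```

Only web01 is reported: web02 sits just above the affected range and db01 is outside it, which is exactly the version-boundary logic a real scanner must get right.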
NIST
The United States National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database, which you can access at https://nvd.nist.gov/. It uses CVE IDs as well. For example, CVE-2016-0217 is described as follows:
IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
OWASP
The Open Web Application Security Project (OWASP) is the standard for web application security. They publish a number of important documents; for our current purposes, the most important is their Top 10 list. Every few years they publish a Top 10 web application vulnerabilities list, which contains the vulnerabilities actually found most frequently in web applications. From a penetration testing perspective, not testing for these would be negligent. What is most disturbing for a security professional is how little this list changes over the years. The list is publicly available, and as we will see later in this chapter there are free tools to test for these vulnerabilities, yet many websites still have them. You can see a comparison of the 2010 and 2013 lists in Figure 8-1.
FIGURE 8-1 OWASP Top 10 List.
As of this writing, the 2017 list was not finalized, but the tentative list is given here:
A1 Injection
A2 Broken Authentication
A3 Sensitive Data Exposure
A4 XML External Entities (XXE)
A5 Broken Access Control
A6 Security Misconfiguration
A7 Cross-Site Scripting (XSS)
A8 Insecure Deserialization
A9 Using Components with Known Vulnerabilities
A10 Insufficient Logging and Monitoring
What should surprise you is that many of the vulnerabilities have stayed in the top 10 from year to year. Keep in mind that these lists are lists of actual vulnerabilities found in the real world. These are not theoretical. What that means is that year after year web developers keep making the exact same mistakes.
