Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CVSS - 101

Avatar for Shrimant More Shrimant More
October 05, 2024
23
0

CVSS - 101

Avatar for Shrimant More

Shrimant More

October 05, 2024

More Decks by Shrimant More

See All by Shrimant More
Web Application Hacking - ADCET
Avatar for Shrimant More smshrimant
0
30
Importance of Security Tester
Avatar for Shrimant More smshrimant
0
270
Session on Getting Started with Linux
Avatar for Shrimant More smshrimant
0
290
Session on Ethical Hacking
Avatar for Shrimant More smshrimant
0
310

Featured

See All Featured
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
170
The Hidden Cost of Media on the Web [PixelPalooza 2025]
Avatar for Tammy Everts tammyeverts
2
330
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
7.1k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.3k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
27k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
128
55k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
860
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
28
2.6k
Applied NLP in the Age of Generative AI
Avatar for Ines Montani inesmontani
PRO
4
2.3k
Joys of Absence: A Defence of Solitary Play
Avatar for Sebastian Deterding codingconduct
1
390
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
1k

Transcript

  1. Shrimant More Triage & Community @ HackerOne 101 SMshrimant

  2. The Golden Circle Model Ask Simple Questions

  3. Developer Internal Team Why CVSS BB Hunter Researcher

  4. *Vulnerability Reported *BB Hunter It’s Critical *Dev It’s Low

  5. Different Severity ? Devloper has more understanding of the system

    There is no standard used here

  6. BB Hunter Researcher Source: Concepts Work

  7. Source: Concepts Work Developer Program Team

  8. None

  9. CVSS

  10. The Golden Circle Model Ask Simple Questions What CVSS 3.1

    How This session Why Rate Severity and Chars of Security Vulnerabilites

  11. What is CVSS Versions of CVSS calculators How is severity

    of vulnerability is defined Using CVSS 3.1 calculator Agenda

  12. CVSS Common Vulnerability Scoring System

  13. 2005 The Evolution of CVSS A Timeline Overview CVSS 1.0

    CVSS 2.0 2007 CVSS 3.0 2015 CVSS 3.1 2019 CVSS 4.0 2023 Introduced a common measurement system for vulnerability severity Further refinements included the Scope metric. Improved existing standards Introduced a common measurement system for vulnerability severity Gained widespread adoption, integrated into PCI-DSS.
  14. None
  15. None
  16. None
  17. None

  18. Vulnerable Component Impacted Component

  19. Metric Value Description Network (N) Attacks that can be done

    over the internet (Remotely Exploitable) Adjacent (A) Required to be connected to a company's VPN for exploiting an issue Local (L) User Interaction by another person to perform actions required to exploit the vulnerability Physical (P) Requires the attacker to physically touch or manipulate the vulnerable component Attack Vector (AV)

  20. Metric Value Description Low (L) No Special Conditions Required (IDORs

    where IDs are easily guessable, XSS) Attack Complexity (AC)

  21. Metric Value Description High (H) Successful attack depends on conditions

    beyond the attacker's control (IDORs with unpredictable IDs)

  22. Source:

  23. Metric Value Description None (N) The attacker is unauthorized prior

    to attack, No access required or files of the vulnerable system to carry out an attack. (Self signup available) Low (L) Attacker requires low privileges (Admin invites attacker to their org having Low permissions) High (H) Attacker requires High privileges (Admin invites attacker to their org having High permissions) Privileges Required (PR)

  24. Privileges Required (PR) : None (N)

  25. Source:

  26. Metric Value Description None (N) The vulnerable system can be

    exploited without interaction from any user (IDOR, BAC) Required (R) Requires a user to take some action before the vulnerability can be exploited (XSS, Open Redirect) User Interaction (UI)

  27. Scope ????

  28. Test image

  29. Metric Value Description Unchanged (U) The vulnerable component and the

    impacted component are either the same, or both are managed by the same security authority (IDOR, BAC, Open Redirect, Subdomain Takeover ) Changed (C) The vulnerable component and the impacted component are different and managed by different security authorities. (Stored XSS, Reflected XSS) Scope (S)

  30. Vulnerable Component Impacted Component

  31. Metric Value Description High (H) There is a total loss

    of confidentiality (Information disclosure, IDOR fetches PII details) Low (L) There is some loss of confidentiality (First name, Last name, Email) None (N) There is no loss of confidentiality within the impacted component. Confidentiality (C)

  32. Metric Value Description High (H) There is a total loss

    of integrity (Able to modify all files and details) Low (L) Amount of modification is limited (Able to change First Name, Gender, favourite list) None (N) There is no loss of integrity within the impacted component. Integrity (I)

  33. Metric Value Description High (H) There is a total loss

    of availability, resulting in the attacker being able to fully deny access to resources in the impacted component Low (L) Performance is reduced or there are interruptions in resource availability None (N) There is no impact to availability within the impacted component. Availability (A)

  34. Integrity VS Availability Picture this scenario: You uncover a vulnerability

    that would allow an attacker to delete all files in the web server’s root directory. How would you rate the Availability metric for this vulnerability on the CVSS calculator? High? Low? None?
  35. None