
CVSS - 101

Shrimant More
October 05, 2024

Transcript

  1. The Golden Circle Model: ask simple questions.
    Why: to rate the severity and characteristics of security vulnerabilities.
    How: this session.
    What: CVSS 3.1.
  2. Agenda: what CVSS is; versions of CVSS and their calculators; how the severity of a vulnerability is defined; using the CVSS 3.1 calculator.
  3. The Evolution of CVSS: A Timeline Overview
    CVSS 1.0 (2005): introduced a common measurement system for vulnerability severity.
    CVSS 2.0 (2007): gained widespread adoption and was integrated into PCI DSS.
    CVSS 3.0 (2015): further refinements, including the new Scope metric.
    CVSS 3.1 (2019): improved the existing standard by clarifying definitions and the rounding in the scoring formula, without adding metrics.
    CVSS 4.0 (2023): the current version.
  4. Attack Vector (AV)
    Network (N): the attack can be carried out over the internet (remotely exploitable).
    Adjacent (A): the attacker must be on the same physical or logical network as the vulnerable component, for example connected to the company's VPN or the same Wi-Fi segment.
    Local (L): the vulnerable component is not reachable through the network stack; the attacker either has local access (console, an SSH session) or relies on another person performing the required action, such as opening a malicious document.
    Physical (P): the attacker must physically touch or manipulate the vulnerable component.
  5. Attack Complexity (AC)
    Low (L): no special conditions are required; the attack succeeds reliably every time (IDORs where IDs are easily guessable, XSS).
  6. Attack Complexity (AC), continued
    High (H): a successful attack depends on conditions beyond the attacker's control, such as information that must first be gathered or a race condition that must be won (IDORs with unpredictable IDs).
  7. Privileges Required (PR)
    None (N): the attacker is unauthorized prior to the attack and needs no access to settings or files of the vulnerable system (self-signup is available).
    Low (L): the attacker needs basic user privileges (an admin invites the attacker into their org with low permissions).
    High (H): the attacker needs administrative-level privileges (an admin invites the attacker into their org with high permissions).
  8. User Interaction (UI)
    None (N): the vulnerable system can be exploited without interaction from any user (IDOR, Broken Access Control).
    Required (R): a user must take some action before the vulnerability can be exploited, such as clicking a crafted link (XSS, Open Redirect).
  9. Scope (S)
    Unchanged (U): the vulnerable component and the impacted component are the same, or both are managed by the same security authority (IDOR, BAC, Open Redirect, Subdomain Takeover).
    Changed (C): the vulnerable component and the impacted component are different and managed by different security authorities; for XSS the vulnerable component is the web application and the impacted component is the victim's browser (Stored XSS, Reflected XSS).
  10. Confidentiality (C)
    High (H): total loss of confidentiality; all resources within the impacted component are disclosed to the attacker (information disclosure, an IDOR that fetches PII details).
    Low (L): some loss of confidentiality; the attacker obtains limited data (first name, last name, email).
    None (N): no loss of confidentiality within the impacted component.
  11. Integrity (I)
    High (H): total loss of integrity; the attacker can modify any file or record in the impacted component.
    Low (L): the amount of modification is limited (able to change first name, gender, favourites list).
    None (N): no loss of integrity within the impacted component.
  12. Availability (A)
    High (H): total loss of availability; the attacker can fully deny access to resources in the impacted component.
    Low (L): performance is reduced or there are intermittent interruptions in resource availability.
    None (N): no impact to availability within the impacted component.
  13. Integrity vs. Availability. Picture this scenario: you uncover a vulnerability that would allow an attacker to delete all files in the web server's root directory. How would you rate the Availability metric for this vulnerability in the CVSS calculator: High, Low or None?