Dailydave mailing list archives

Web Hacking and CVSS


From: Dave Aitel <dave.aitel () cyxtera com>
Date: Wed, 6 Feb 2019 14:56:35 +0000

A lot of the trainings at INFILTRATE <http://infiltratecon.com/training/> have sold out (and we are going to be sold out 
of Tier 2 Tickets soon as well), but one that is not sold out, and yet is my favorite, is the Web Hacking class. The 
thing we realized a million years ago when we started doing trainings is that the only thing that works is hands-on 
exercises, so the whole class is basically a guided CTF.

This brings me to CVSS. You may remember from our previous thread that I wondered whether the official examples for 
CVSS 3.0 could properly, or not, score a vuln via CVSS. The answer is, I think, “No” for two different reasons.

  1.  You can’t score CVSS for an XSS bug without spending a lot of time understanding the vulnerability, including 
building a test lab and working through all the details.
  2.  People misunderstand how to score the criticality of any given XSS because most people do not understand the 
impact of XSS in general.

You can read the original FIRST.org report 
here <https://www.first.org/cvss/examples#1-phpMyAdmin-Reflected-Cross-site-Scripting-Vulnerability-CVE-2013-1937> and 
then our follow-on blog post here <https://immunityservices.blogspot.com/2019/02/cvss.html> – feel free to skip to the 
end. Note that the ACTUAL CVSS 3.0 score for the bug is not 6.1, but 0. But even under the assumptions FIRST.org was 
making, the value WOULD have been 8, which is a significant difference from what they scored it as. Hopefully they will 
update their examples page!

I don’t blame them for getting this sort of thing wrong really – the web is complex, which is why we have a whole four 
day class on it and why I usually sit next to someone the whole time to both help them and learn myself every year. But 
it also makes you ask the question of whether it is possible to measure technical risk in the way that CVSS claims to 
do.

-dave



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
