[Dailydave] Web Hacking and CVSS

Dave Aitel dave.aitel at cyxtera.com
Wed Feb 6 14:56:35 UTC 2019


A lot of the trainings at INFILTRATE <http://infiltratecon.com/training/> have sold out (and we are going to be sold out of Tier 2 Tickets soon as well), but one that is not sold out, and yet is my favorite, is the Web Hacking class. The thing we realized a million years ago when we started doing trainings is that the only thing that works is hands-on exercises, so the whole class is basically a guided CTF.

This brings me to CVSS. You may remember from our previous thread that I wondered whether the official examples for CVSS 3.0 could properly, or not, score a vuln via CVSS. The answer is, I think, “No” for two different reasons.

  1.  You can’t score CVSS for an XSS bug without spending a lot of time understanding the vulnerability, including building a test lab and working through all the details.
  2.  People misunderstand how to score the criticality of any given XSS because most people do not understand the impact of XSS in general.

You can read the original FIRST.org report here <https://www.first.org/cvss/examples#1-phpMyAdmin-Reflected-Cross-site-Scripting-Vulnerability-CVE-2013-1937> and then our follow-on blog post here <https://immunityservices.blogspot.com/2019/02/cvss.html> – feel free to skip to the end. Note that the ACTUAL CVSS 3.0 score for the bug is not 6.1, but 0. But even under the assumptions FIRST.org was making, the value WOULD have been 8, which is a significant difference from what they scored it as. Hopefully they will update their examples page!

I don’t blame them for getting this sort of thing wrong really – the web is complex, which is why we have a whole four-day class on it and why I usually sit next to someone the whole time to both help them and learn myself every year. But it also makes you ask the question of whether it is possible to measure technical risk in the way that CVSS claims to do.

-dave


