Vulnerability Research


A vulnerability is a weakness that allows an attacker to reduce a system’s information assurance. A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. Seen in this frame, the set of vulnerabilities is also known as the attack surface.

A security risk may be classified as a vulnerability, but using “vulnerability” with the same meaning as “risk” leads to confusion. Risk is tied to the potential for a significant loss, so there are vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working, fully implemented attacks is classified as an exploitable vulnerability, i.e. a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was made available or deployed, or the attacker was disabled (see zero-day attack).

A security bug (security defect) is a narrower concept: not every vulnerability is a software flaw. Hardware, site and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Hackers often rely on exploit techniques pioneered and shared by security researchers and people in the computer underground.

Techniques Employed

  • If they have source code, they can grep for vulnerable constructs like gets(), or look for unsanitized user input or environment variables (e.g. Shellshock). If they don’t have source code, they can use techniques like fuzzing: randomly generating user input and seeing if the program crashes with a segmentation violation. Such a crash may indicate a write to a code location, in which case it may be possible to inject exploit code in place of the random bytes.
  • Vulnerability assessment – The system is analysed to identify the places where attacks are possible, and all of them are recorded.
  • Penetration testing – The vulnerability is actually exploited. Useful information is retrieved by exploiting the system; this is exactly the kind of information that should not leave the system without proper permission.
  • Make use of honeynets.
  • Check for common issues like SQL injection, XSS, etc.
  • Wait for an incident report.
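The fuzzing step above, as an added example that is not part of the tutorial: a minimal black-box harness that feeds a target program random bytes on stdin, flags runs that die with a segmentation violation, and keeps the offending input so the crash can be reproduced and fixed. The target command (`./target`) is a placeholder; the outcome classification and the reproducible seed are the parts worth keeping.

```python
"""Added example (not from the tutorial): random-input fuzzing with crash
detection. Any saved crash input is a starting point for a developer to
triage the memory-safety bug behind it."""
import random
import signal
import subprocess


def classify(returncode):
    """Label a subprocess return code.

    subprocess reports death-by-signal as a negative number, so a
    segmentation violation shows up as -11 (-signal.SIGSEGV) on Linux."""
    if returncode >= 0:
        return "exit"          # normal termination, no crash
    sig = -returncode
    if sig == signal.SIGSEGV:
        return "segv"          # memory-safety bug worth triaging
    if sig == signal.SIGABRT:
        return "abort"         # assertion or stack-protector abort
    return "signal"


def random_input(rng, max_len=4096):
    """Random bytes, biased toward lengths that exercise buffer bounds."""
    n = rng.choice([0, 1, 255, 256, 1024, rng.randint(0, max_len)])
    return bytes(rng.getrandbits(8) for _ in range(n))


def fuzz(cmd, iterations=20, seed=0, timeout=5):
    """Run cmd repeatedly with random stdin. Returns (iteration, outcome,
    input) for every run that did not exit cleanly; a fixed seed makes the
    sequence of inputs reproducible."""
    rng = random.Random(seed)
    findings = []
    for i in range(iterations):
        data = random_input(rng)
        try:
            proc = subprocess.run(cmd, input=data, capture_output=True,
                                  timeout=timeout)
        except subprocess.TimeoutExpired:
            findings.append((i, "hang", data))   # hangs are findings too
            continue
        outcome = classify(proc.returncode)
        if outcome != "exit":
            findings.append((i, outcome, data))
    return findings


if __name__ == "__main__":
    # Placeholder target; replace with the binary under test.
    for i, outcome, data in fuzz(["./target"], iterations=50):
        with open(f"crash-{i}-{outcome}.bin", "wb") as f:
            f.write(data)
        print(f"run {i}: {outcome}, {len(data)} bytes saved")
```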

Reference Websites

Newer attack techniques are reported on the security websites listed below.

  • The Metasploit Project: This Web site, written by security luminaries including H.D. Moore and the researcher known as Skape, not only distributes one of the most powerful free exploitation tools available today, but also hosts blog-like Metasploit news that describes some of the latest security research focused on exploiting all kinds of machines, including Windows, Linux and even Apple’s iPhone.
  • Secunia: Secunia is a company dedicated to providing its clients, as well as the public, with intelligence about the latest vulnerabilities in computer systems. Its free summaries of recently discovered flaws are among the most up-to-date anywhere, providing solid details about mitigating flaws if such defenses are available. One of the best aspects of Secunia’s vulnerability lists is its freshness. Whenever I hear about a new vulnerability, I almost always check to see if Secunia has published any information. Quite often, it already has a write-up with lots of fascinating details. It’s important to note that Secunia publishes information about vulnerabilities, but doesn’t distribute exploitation code to take advantage of flaws.
  • The French Security Incident Response Team: Like Secunia, this site contains detailed information about the latest vulnerabilities. An independent and privately held vulnerability research firm, FrSIRT offers free information about the latest flaws via its Web site, where it also sells commercial vulnerability alert services with more flexible notification, search and alert options.
  • Milw0rm: Unlike Secunia, the Milw0rm Web site distributes exploitation code. Every day, exploits for between one and a dozen or more vulnerabilities are published on Milw0rm, which freely distributes the code. The site categorizes each exploit, separating remote exploits, local privilege-escalation attacks, Web application exploits and denial-of-service attacks. Some of Milw0rm’s code is merely proof-of-concept (often called “PoC” in the slang of the computer underground), showing that a vulnerability exists by crashing a service or writing a file, but not giving the attacker control of the target machine. Other Milw0rm code provides a full-blown exploit for the vulnerability, letting an attacker use it to compromise and control a target machine.
  • Packetstorm Security: While Milw0rm focuses on exploit code, Packetstorm Security has a broader appeal, with offensive and defensive security tools, late-breaking research papers, news stories and exploit code. One of the most interesting features of Packetstorm is its vast archive of attack tools and exploit code ranging back more than a decade. It also includes a huge collection of several dozen online hacking magazines. This comprehensive archive is really helpful, because the individual hacking magazine Web sites are often quite ephemeral, frequently disappearing or moving to other servers without any notice.
  • The SANS Internet Storm Center: This site contains content written by volunteers or “handlers,” each of whom takes approximately one 24-hour shift per month, monitoring information about computer attacks and writing a daily diary. With a lively and interactive readership of tens of thousands who report the attacks and anomalous activity they experience on their networks, the Internet Storm Center often gets wind of a major computer attack before other organizations, sometimes detecting new attack techniques and summarizing them for the public before companies offering commercial alerting services do.
  • Offensive Computing: The Offensive Computing site, operated by Danny Quist and the researcher known as Valsmith, provides keen insight into the latest malware tactics. By collecting (and distributing) samples of malicious code found in the wild, this site is dedicated to learning more about malware by sharing information among researchers. A community of malware researchers shares information via this site, with frequent write-ups that include awesome tips on in-depth analysis techniques.
  • Insecure.org: No such list would be complete without this site, the flagship site of the Nmap scanning tool. Written and maintained by the well-known researcher who goes by the name Fyodor, Nmap has pioneered some incredibly powerful port-scanning features. And with its recently added Nmap Scripting Engine, Nmap is growing into a very useful general-purpose vulnerability-scanning tool with possibilities of bundling in exploitation functionality.
