
How I Was Bored Many Nights and Found a Bunch of CVEs.pptx

How I Was Bored Many Nights and Found a Bunch of CVEs
Hacking the Hiring Process by Pentesting FOSS Applications
The Wild West Hacking Fest Version
Joe Helle
Red Team Lead
TCM Security
Who Am I?
• Army Iraq and Afghanistan War Veteran
• Online Personality Known as The Mayor
• Why? Because I was an elected Mayor
• eCPTX, eWPTX, PNPT, CRTO, OSCP, and a boatload of others
• Advocate for changing entry processes into cybersecurity careers
• First professional job in IT was penetration testing
• Former moonshiner
Why We Are Here Today
• Hiring in offensive cybersecurity positions is broken
• Need experience to get the job; need a job to get the experience
• Bug bounty hunting has become saturated
• Certificate value diminishes as more people obtain the same credentials
• Candidates struggle to set themselves apart from their peers
• Few organizations speak the same language when it comes to quantifiable experience
One thing stands out among most cybersecurity realms, however:
CVEs!!!
What is a CVE?
• CVE is an abbreviation for Common Vulnerabilities and Exposures
• Maintained by MITRE, the CVE database is a repository of publicly disclosed vulnerabilities
• A publicly disclosed CVE through MITRE is a first-time disclosure of a Zero Day vulnerability finding
• Many professionals in the field will go their entire careers without finding one; others may find several through their career
• Some CVE findings affect security on a global scale
• Other findings may affect small applications created and maintained by small brick-and-mortar companies and are Free and Open Source (FOSS)
• My first CVE (2020-28351) came in my first month as a pentester on a client web application penetration test
• Size does not matter
• Finding a Zero Day vulnerability that is reported to MITRE shows a person’s initiative, ability to research, create proofs of concept, write technically, and manage client communications
Why?
• As the title suggests, this was born from a boring Sunday night
• I mentor multiple people struggling to find work in the field
• This means that I struggle as well, since the hiring process is such a challenge
• Leveraging my boredom and knowledge, I decided to test my theory that earning CVEs will help people find gainful employment
Finding Potential Exploitable Targets
• Targeting common industries, such as hospitals, schools, hotels, etc. is a great way to identify possible projects
• The “hotel CMS foss” search landed multiple results
• The next challenge was parsing which applications really were FOSS, and not paywall applications hiding behind marketing walls
• Websites that provided results of value were:
  • SourceForge
  • GitHub
• The final challenge in choosing which applications to target was installing them
• Many of these applications were quite challenging to install
• I finally chose the application “Hotel Druid”
Quick Note
• Downloadable applications are generally safe to test, meaning you likely do not need permission to do so on your own machine
• Some applications may have licensing agreements that provide for criminal or civil liabilities if testing is conducted, so ensure you read any of the fine print available
• FOSS applications generally will not have these stipulations
• Even if you are in the clear, know that not all developers will be excited that someone tested and exploited their application
• Back to our regularly scheduled talk
Exploitation Time
• Probably the easiest part of the entire process
• Good testing methodology matters here
• Burp Suite Pro and OWASP ZAP help as well
• As time was of the essence, I used Burp Suite Pro to audit the application
• This was not necessary, and the vulnerabilities found could have been found with basic payload inputs
• In less than an hour I had found reflected XSS and SQL Injection vulnerabilities
• SQLi allowed for full access to the SQLite database
CVE Application Process
• This MITRE process can feel daunting
• Difficulty is increased by there being few references on the process
• The first step in the process is to determine if the developer is a “Certified Numbering Authority,” or CNA
• If the developer is a CNA, the CVE application process MUST go through the developer
• If not a CNA, the process goes through MITRE
CVE Application Process
• After trying to contact and work with the vendor, it’s time to apply for the CVE itself
• Done through https://cveform.mitre.org
• The submitter will need a valid email, the number of vulnerabilities to report, to have verified that the vendor is NOT a registered CNA with MITRE, and to have verified that the vulnerability isn’t already listed
• Next, describe the vulnerability type, product vendor, product name, and version of the vulnerable software/application
• The CVE database is public, and a CVE number will only be made public if the finding is as well
• You can note on the application that a GitHub or other reference link will be provided once the number is issued
• Eventually you will receive an email either confirming the finding and providing the CVE numbers, or a denial email requesting more information
• After the IDs are issued, rename the GitHub repos and make them public in order to reference the finding
• Reply to the email with the valid links to be listed with the findings. They will be made public after that time.
• MITRE will eventually make those findings public
• NIST will also assess the findings and update resources with a CVSS score
• This can take several days to a week or more
Note that MITRE does NOT attribute findings to individuals. The individual is the owner of the reference used in the CVE ID in the vulnerability database. It is your responsibility to attribute yourself to the finding and to maintain and protect it.
Let’s simplify things a bit
Huntr.dev
• A bug bounty platform that will pay out for ANY vulnerable repository on GitHub
• Pays out a dollar amount depending on the size of the repository, or if the project is sponsored on Huntr
• Regardless of payouts, Huntr is a CNA, and can issue CVEs for repository maintainers
• Sponsored repos and Hacktivity are a great place to check for possible target projects, although researching your own can provide fresh projects that may not have been found yet
Submitting Through Huntr
Click submit and work with the repo owner and admins to validate, remediate, and disclose!
Leveraging Your Work
• After receiving a CVE ID it’s time to leverage your success
• Post to socials – Twitter, LinkedIn, etc.
• Update your LinkedIn biography and resume
Closing Thoughts
• Entry into security positions can be a harrowing task
• There is no one right pathway
• Find ways that set you apart from other applicants and peers
• MAKE YOURSELF SEEN
Socials
• Twitter - @joehelle
• LinkedIn - https://www.linkedin.com/in/joe-helle
• GitHub - https://github.com/dievus
• Medium - https://medium.themayor.tech
• Website - https://themayor.tech