Term | Definition |
---|---|
Vulnerability | A vulnerability is a weakness or flaw in the design, implementation or behaviour of a system or application. |
Exploit | An exploit is an action or behaviour that makes use of a vulnerability in a system or application. |
Proof of Concept (PoC) | A PoC is a technique or tool that demonstrates the exploitation of a vulnerability. |
Resource | URL |
---|---|
NVD (National Vulnerability Database) | https://nvd.nist.gov/vuln |
Exploit-DB | http://exploit-db.com/ |
GTFOBins | https://gtfobins.github.io/ |
There is a myriad of tools and services available in cybersecurity for vulnerability scanning. Ranging from being commercial (and footing a heavy bill) to open-source and free, vulnerability scanners are convenient means of quickly canvassing an application for flaws.
For example, the vulnerability scanner Nessus has both a free (community) edition and a commercial one. The commercial version, which costs thousands of pounds for a year's licence, will most likely be used by organisations providing penetration testing services or audits. If you'd like to know more about Nessus, check out the TryHackMe room dedicated to it.
I have detailed some of the advantages and disadvantages of using a vulnerability scanner in the table below:
Advantage | Disadvantage |
---|---|
Automated scans are easy to repeat, and the results can be shared within a team with ease. | People can often become reliant on these tools. |
These scanners are quick and can test numerous applications efficiently. | They are extremely "loud" and produce a lot of traffic and logging. This is not good if you are trying to bypass firewalls and the like. |
Open-source solutions exist. | Open-source solutions are often basic and require expensive licences to unlock useful features. |
Automated scanners cover a wide range of different vulnerabilities that may be hard to search for manually. | They often do not find every vulnerability in an application. |
Frameworks such as Metasploit often include vulnerability scanners among their modules; this is something you will learn about in a later module of this pathway.
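The "loud" behaviour listed as a disadvantage above is also what makes automated scanners easy to spot from the defender's side. As an added example (not part of the room material), the Python below parses a few constructed web-server access-log lines in common log format and flags a client whose densest burst of requests looks like a scanner: many requests in a short window, almost all to different paths, and mostly answered with 4xx because the probed paths do not exist. The log lines, the IP addresses (documentation ranges) and the thresholds are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 - - [10/Oct/2023:13:55:03 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /.git/config HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:05 +0000] "GET /wp-login.php HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:05 +0000] "GET /admin/ HTTP/1.1" 403 512
198.51.100.7 - - [10/Oct/2023:13:55:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:06 +0000] "GET /backup.zip HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:06 +0000] "GET /server-status HTTP/1.1" 404 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def busiest_window(records, window):
    """Return the largest run of one client's requests that fits inside `window`
    (records must already be sorted by timestamp)."""
    best = []
    j = 0
    for i in range(len(records)):
        while j < len(records) and records[j]["ts"] - records[i]["ts"] <= window:
            j += 1
        if j - i > len(best):
            best = records[i:j]
    return best


def find_noisy_clients(log_text, window=timedelta(seconds=10),
                       min_requests=5, min_error_ratio=0.5):
    """Flag clients whose densest burst has at least `min_requests` requests with a 4xx
    share of at least `min_error_ratio`: the signature of a tool probing many paths
    that mostly do not exist. Returns {ip: summary}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        burst = busiest_window(recs, window)
        if len(burst) < min_requests:
            continue
        errors = sum(1 for r in burst if 400 <= r["status"] < 500)
        ratio = errors / len(burst)
        if ratio >= min_error_ratio:
            flagged[ip] = {
                "requests": len(burst),
                "distinct_paths": len({r["path"] for r in burst}),
                "error_ratio": ratio,
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_noisy_clients(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} requests, {info['distinct_paths']} distinct paths, "
              f"{info['error_ratio']:.0%} client errors")
```

On the sample data only 198.51.100.7 is flagged: eight requests inside two seconds, eight distinct paths, seven of them answered 403/404. The ordinary visitor 203.0.113.10 never reaches the request threshold. The same sliding-window idea carries over to a real log if the thresholds are tuned against normal traffic first.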
Manual scanning for vulnerabilities is often the weapon of choice for a penetration tester who is testing individual applications or programs. In fact, manual scanning involves searching for the same vulnerabilities, using techniques similar to those of automated scanning.
Ultimately, both techniques involve testing an application or program for vulnerabilities. These vulnerabilities include:
Vulnerability | Description |
---|---|
Security Misconfigurations | Security misconfigurations involve vulnerabilities that are due to developer oversight. For example, exposing server information in messages between the application and an attacker. |
Broken Access Control | This vulnerability occurs when an attacker is able to access parts of an application that they are not supposed to be able to otherwise. |
Insecure Deserialization | This is the insecure processing of data that is sent across an application. An attacker may be able to pass malicious code to the application, where it will then be executed. |
Injection | An Injection vulnerability exists when an attacker is able to input malicious data into an application. This is due to a failure to ensure (known as sanitising) that input is not harmful. |
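To make the table concrete, here is an added Python example (not from the room) that shows three of the four classes as a vulnerable function beside its hardened counterpart, working against a constructed in-memory SQLite database: Injection via SQL built from strings versus a parameterised query, Broken Access Control via a lookup that ignores ownership versus one that includes it, and Insecure Deserialization via pickle.loads on untrusted bytes versus json.loads followed by a shape check. The table names, users, notes and preference keys are all constructed for the demo.

```python
import json
import pickle
import sqlite3


def make_db():
    """Constructed in-memory database: two users, each owning one private note (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)",
                     [(10, 1, "alice's private note"), (20, 2, "bob's private note")])
    return conn


# --- Injection ----------------------------------------------------------------
def login_vulnerable(conn, username, password):
    # Input is spliced into the SQL text, so a quote character in the input rewrites
    # the query itself. (Plaintext password comparison only keeps the demo short.)
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    # Parameterised query: the values travel separately from the SQL, so whatever
    # the input contains, it can only ever be compared as data.
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


# --- Broken Access Control ----------------------------------------------------
def get_note_vulnerable(conn, requester_id, note_id):
    # The lookup ignores who is asking: any logged-in user can read any note by id.
    row = conn.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None


def get_note_hardened(conn, requester_id, note_id):
    # Ownership is part of the lookup, so another user's note is simply not found.
    row = conn.execute("SELECT body FROM notes WHERE id = ? AND owner_id = ?",
                       (note_id, requester_id)).fetchone()
    return row[0] if row else None


# --- Insecure Deserialization -------------------------------------------------
class ReduceDemo:
    # pickle lets the serialised data nominate a callable to run on load. Here it is
    # the harmless builtin sorted(); the point is that the data, not the program, chose it.
    def __reduce__(self):
        return (sorted, (["pickle", "ran", "a", "callable"],))


def sample_untrusted_blob():
    """Constructed stand-in for bytes received from a client."""
    return pickle.dumps(ReduceDemo())


def load_prefs_vulnerable(blob):
    # Runs whatever the blob nominates; the result is not even a ReduceDemo instance.
    return pickle.loads(blob)


def load_prefs_hardened(blob):
    # json.loads can only produce plain data; shape and values are checked before use.
    data = json.loads(blob)
    if not isinstance(data, dict) or set(data) != {"theme", "page_size"}:
        raise ValueError("unexpected preference document")
    if data["theme"] not in ("light", "dark") or type(data["page_size"]) is not int:
        raise ValueError("invalid preference values")
    return data
```

Against this database the vulnerable login accepts the username `alice' --` with any password, because the trailing `--` comments out the password clause in SQLite; the parameterised version treats the same string as a username that does not exist. Likewise `get_note_vulnerable` hands bob alice's note when he asks for id 10, while the hardened lookup returns nothing, and `load_prefs_vulnerable` returns the output of a function the blob chose rather than a preferences object.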
Rapid7
Much like other services such as Exploit-DB and NVD, Rapid7 is a vulnerability research database. The difference is that this database also acts as an exploit database. Using this service, you can filter by type of vulnerability (i.e. application or operating system).
Additionally, the database contains instructions for exploiting applications using the popular Metasploit tool (you will learn about this tool in depth later in the learning path). For example, this entry on Rapid7 is for "WordPress Plugin SP Project & Document", where we can see instructions on how to use an exploit module to abuse this vulnerability.
GitHub
GitHub is a popular web service designed for software developers. The site is used to host and share the source code of applications to allow a collaborative effort. However, security researchers have taken to this platform for the same reasons. Security researchers store and share PoCs (Proofs of Concept) on GitHub, which in this context turns it into an exploit database.
GitHub is extremely useful for finding rare or fresh exploits because anyone can create an account and upload; there is no formal verification process like there is with alternative exploit databases. With that said, there is also a downside: PoCs may not work, and little to no support will be provided.
GitHub uses a tagging and keyword system, meaning that we can search GitHub by keywords such as “PoC”, “vulnerability”, and many more. At the time of writing, there are 9,682 repositories with the keyword “cve”. We are also able to filter the results by programming language.
Searchsploit
Searchsploit is a tool that is available on popular pentesting distributions such as Kali Linux. It is also available on the TryHackMe AttackBox. This tool is an offline copy of Exploit-DB, containing copies of exploits on your system.
You are able to search searchsploit by application name and/or vulnerability type. For example, in the snippet below, we are searching searchsploit for exploits relating to WordPress that we can use – no downloading necessary!
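The searchsploit output itself is not reproduced on this page, so as an added example (not the room's own material and not searchsploit's code) the Python below shows the idea behind an offline exploit search: the tool is essentially a keyword filter over a local CSV index. The index here is a constructed sample whose columns are modelled on the first columns of Exploit-DB's `files_exploits.csv`; every row, id and title is made up for the demo and is not a real entry. The search behaviour assumed is that every term must match case-insensitively in the title or file path, that a title-only mode exists, and that excluded terms drop an entry, which mirrors how searchsploit's default, `-t` and `--exclude` options behave.

```python
import csv
import io

# Constructed sample index modelled on the first columns of Exploit-DB's files_exploits.csv.
# Every row is made up for this demo; the ids and titles are not real entries.
SAMPLE_INDEX = """\
id,file,description,date_published,author,type,platform,port
1001,exploits/php/webapps/1001.txt,WordPress Plugin Sample-A 1.0 - Example Issue,2020-01-01,sample author,webapps,php,0
1002,exploits/php/webapps/1002.py,WordPress Core Sample 2.0 - Example Issue,2021-02-02,sample author,webapps,php,0
1003,exploits/linux/local/1003.c,Sample Kernel Module 3.0 - Example Issue,2019-03-03,sample author,local,linux,0
1004,exploits/windows/remote/1004.rb,Sample Service 4.0 - Example Issue (Metasploit),2018-04-04,sample author,remote,windows,0
"""


def load_index(csv_text):
    """Parse the CSV index into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def search_index(entries, *terms, exclude=(), title_only=False):
    """Return entries in which every term occurs (case-insensitive) in the title, or in
    the title or file path unless title_only is set; drop entries matching any excluded term."""
    terms = [t.lower() for t in terms]
    exclude = [x.lower() for x in exclude]
    hits = []
    for entry in entries:
        haystack = entry["description"].lower()
        if not title_only:
            haystack += " " + entry["file"].lower()
        if all(t in haystack for t in terms) and not any(x in haystack for x in exclude):
            hits.append(entry)
    return hits


def format_results(hits):
    """Render hits as 'title | path' lines, the way the CLI tabulates them."""
    return "\n".join(f"{e['description']:<55} | {e['file']}" for e in hits)


if __name__ == "__main__":
    index = load_index(SAMPLE_INDEX)
    print(format_results(search_index(index, "wordpress")))
    print("--- plugins only ---")
    print(format_results(search_index(index, "wordpress", "plugin")))
```

Searching the sample index for `wordpress` returns the two WordPress rows, adding `plugin` narrows it to one, and a term such as `php` matches only through the file path, so it finds nothing in title-only mode. The real index is larger but the mechanics are the same, which is why the lookup works with no network access.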