Bug chaining - an idea that hasn't really propagated yet.
How do we rate how severe a bug is? Consider how easy it is to exploit, where it is accessible from (client-side, server-side, internet, local, mass exploitable, targeted exploit, etc).
Audience attempted to rate the severity of a couple of bugs:
Is attacker considered 'authenticated' once there is an XSS attack? Any subsequent attacks can be treated as authenticated.
When you join together the XSS bug with the file upload bug, then it's critical!
Bug chaining: taking multiple bugs and chaining them together to create exploitable vulnerabilities. Instead of looking at each individual bug, look at how they can be combined together.
There are now frameworks to help chain together exploits - and this is how a lot of worms now work.
Recent examples of chaining exploits: PHPMyAdmin <= 3.1.3; SugarCRM <= 5.2.0e - compromise server through 3 bugs together.
How to deal with this? CVSSv2:
"You can explain this stuff all day, but when network admins actually see you do it, that's when they understand" Brett Moore
VtigerCRM - large open-source CRM system which fixed problems with a security patch, but don't link to the fix (and haven't installed it themselves!).
He wrote a BeEf module for VtigerCRM that can run as an auto-run module (took less than 2 hours to write):
Don't look at severity of individual bugs - need to look at how bugs can be joined together.
Understand the bugs.
Follow the OWASP coding and testing guidelines.
The opinions expressed herein are my own personal opinions and do not represent
my employer's view in any way.
Page rendered at Sunday, March 09, 2014 12:32:07 PM (New Zealand Standard Time, UTC+12:00)