
Exploitation

Exploitation v1.1.0

The present state of exploitation of the vulnerability.

| Value | Definition |
|---|---|
| None | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. |
| Public PoC | One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation. |
| Active | Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. |
Exploitation v1.1.0 JSON Example
```json
{
  "name": "Exploitation",
  "description": "The present state of exploitation of the vulnerability.",
  "namespace": "ssvc",
  "version": "1.1.0",
  "schemaVersion": "1-0-1",
  "key": "E",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
    },
    {
      "key": "P",
      "name": "Public PoC",
      "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
    },
    {
      "key": "A",
      "name": "Active",
      "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
    }
  ]
}
```

This measure captures the present state of exploitation of the vulnerability. The intent is not to predict future exploitation but only to acknowledge the current state of affairs. Predictive systems, such as EPSS, could be used to augment this decision or to notify stakeholders of likely changes [1].

Gathering Information About Exploitation

Householder et al. [2] present a method for searching the GitHub repositories of open-source exploit databases. This method could be employed to gather information about whether Public PoC applies. However, the second condition of Public PoC (the vulnerability has a well-known method of exploitation) would not be represented in such a search, so more information gathering would be needed. For that condition, one approach is to construct a mapping of CWE-IDs which always represent vulnerabilities with well-known methods of exploitation. We provide a list of possible CWE-IDs for this purpose below.

Gathering information for Active is a bit harder. If the vulnerability has a name or public identifier (such as a CVE-ID), a search of news websites, Twitter, the vendor's vulnerability description, and public vulnerability databases for mentions of exploitation is generally adequate. However, if the organization has the ability to detect exploitation attempts—for instance, through reliable and precise IDS signatures based on a public PoC—then detection of exploitation attempts also signals that Active is the right choice. Determining which vulnerability a novel piece of malware uses may be time-consuming, requiring reverse engineering and a lot of trial and error. Additionally, capable incident detection and analysis capabilities are required to make reverse engineering possible. Because most organizations do not conduct these processes fully for most incidents, information about which vulnerabilities are being actively exploited generally comes from public reporting by organizations that do conduct these processes. As long as those organizations also share detection methods and signatures, the results are usually quickly corroborated by the community. For these reasons, we assess public reporting by established security community members to be a good information source for Active; however, one should not assume it is complete.

The description for None says that there is no evidence of active exploitation. This framing admits that an analyst may not be able to detect or know about every attack. Acknowledging that Exploitation values can change relatively quickly, we recommend conducting these searches frequently: if they can be automated to the organization's satisfaction, perhaps once a day (see also Guidance on Communicating Results). An analyst should feel comfortable selecting None if they (or their search scripts) have performed searches in the appropriate places for public PoCs and active exploitation (as described above) and found none.
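The following is an added example, not code from the SSVC project, showing how the evidence-gathering steps above can be turned into a repeatable, auditable assignment of the v1.1.0 Exploitation value. The `Evidence` fields, the `WELL_KNOWN_METHOD_CWES` subset (taken from the CWE table below) and the precedence Active over Public PoC over None are assumptions of this example.

```python
"""Added example, not part of the SSVC documentation: derive the Exploitation
v1.1.0 value from gathered evidence and record the reasons for the choice."""
import json
from dataclasses import dataclass, field

# Decision point definition from the page, reduced to the fields used here.
EXPLOITATION_V1_1_0 = json.loads("""{"name": "Exploitation", "namespace": "ssvc",
 "version": "1.1.0", "key": "E", "values": [{"key": "N", "name": "None"},
 {"key": "P", "name": "Public PoC"}, {"key": "A", "name": "Active"}]}""")

# Constructed subset of the page's CWE table: a vulnerability described by any of
# these is treated as having a well-known method of exploitation. A real mapping
# should also carry child CWEs (e.g. the children of CWE-295) from CWE data.
WELL_KNOWN_METHOD_CWES = {"CWE-22", "CWE-78", "CWE-79", "CWE-89", "CWE-295",
                          "CWE-352", "CWE-611", "CWE-918"}

@dataclass
class Evidence:
    """What the searches described in the text turned up for one vulnerability."""
    cwe_ids: set = field(default_factory=set)                 # CWEs assigned to the vuln
    public_poc_sources: list = field(default_factory=list)    # e.g. ExploitDB/Metasploit hits
    credible_public_reports: list = field(default_factory=list)  # in-the-wild reporting
    reliable_detections: int = 0   # local hits from precise, PoC-derived IDS signatures

def exploitation_value(ev: Evidence, well_known=WELL_KNOWN_METHOD_CWES):
    """Return (value key, reasons). Active outranks Public PoC, which outranks None."""
    reasons = []
    if ev.credible_public_reports:
        reasons.append("credible public reporting: " + "; ".join(ev.credible_public_reports))
    if ev.reliable_detections:
        reasons.append(f"{ev.reliable_detections} reliable local detection(s)")
    if reasons:
        return "A", reasons
    if ev.public_poc_sources:
        reasons.append("public PoC: " + "; ".join(ev.public_poc_sources))
    matched = sorted(ev.cwe_ids & well_known)
    if matched:
        reasons.append("well-known method of exploitation via " + ", ".join(matched))
    if reasons:
        return "P", reasons
    # None means the searches were run and found nothing, not that nothing exists.
    return "N", ["no public PoC and no evidence of active exploitation found in searches"]

def value_name(key: str) -> str:
    """Map a value key back to its name using the decision point definition."""
    return next(v["name"] for v in EXPLOITATION_V1_1_0["values"] if v["key"] == key)
```

Re-running `exploitation_value` on refreshed evidence each day, as the text recommends, yields both the value and the justification to attach to the record.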

CWE-IDs for PoC

The table below lists CWE-IDs that could be used to mark a vulnerability as Public PoC if the vulnerability is described by the CWE-ID.

CWE-295

For example, CWE-295 Improper Certificate Validation, and its child CWEs, describe improper validation of TLS certificates. These CWE-IDs could always be marked as Public PoC, since they meet the well-known-method-of-exploitation condition in the definition.

| CWE-ID | CWE name | How could vulnerabilities containing this CWE be exploited? | Tools |
|---|---|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | directory/path traversal (`../`) | Panoptic; Burp Suite |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | symlink attack | No specialized resources are required to execute this type of attack; the only requirement is the ability to create the necessary symbolic link (CAPEC) |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | command injection | Commix |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OS command injection | Commix; Burp Suite |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | cross-site scripting attack | XSSER; Pybelt; XSStrike |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | argument/parameter injection | Argument Injection Hammer |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | malicious SQL command injection | SQLMap; BBQSQL; JSQL injection; NoSQLMap |
| CWE-91 | XML Injection (aka Blind XPath Injection) | inject XML code into a web input, XML file or stream | XXExploiter |
| CWE-209 | Generation of Error Message Containing Sensitive Information | read/capture sensitive information contained in error message | OWASP ZAP; Burp Suite |
| CWE-276 | Incorrect Default Permissions | try to access data or privileges you normally should not have access to | No specialized resources are required to execute this type of attack. To discover unrestricted resources, the attacker does not need special tools or skills; they only have to observe the resources or access mechanisms invoked as each action is performed and then try to access those access mechanisms directly (CAPEC) |
| CWE-294 | Authentication Bypass by Capture-replay | capture-replay attack | Wireshark; SmartSniff |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | brute force attack | THC Hydra; John the Ripper; L0phtCrack; Hashcat |
| CWE-312 | Cleartext Storage of Sensitive Information | find sensitive data stored in system | OWASP ZAP; Burp Suite |
| CWE-319 | Cleartext Transmission of Sensitive Information | capture traffic and extract sensitive information | Wireshark; SmartSniff |
| CWE-330 | Use of Insufficiently Random Values | brute force attack | THC Hydra; John the Ripper; L0phtCrack; Hashcat |
| CWE-331 | Insufficient Entropy | brute force attack/predictive programs | Hashcat; php_mt_seed |
| CWE-352 | Cross-Site Request Forgery (CSRF) | CSRF | Burp Suite; XSRFProbe |
| CWE-425 | Direct Request ('Forced Browsing') | forcibly navigate to URLs unintended by the system | Dirbuster; Dirstalk |
| CWE-426 | Untrusted Search Path | malicious DLL injection/loading | evildll; evilldll-gen |
| CWE-427 | Uncontrolled Search Path Element | malicious DLL injection/loading | evildll; evilldll-gen |
| CWE-428 | Unquoted Search Path or Element | insert malicious input into unquoted search path | Metasploit |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | uploading of malicious file (program lacks restrictions to prevent this from occurring) | No specialized resources are required to execute this type of attack (CAPEC) |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | HTTP smuggling | Smuggler |
| CWE-521 | Weak Password Requirements | brute force attack | THC Hydra; John the Ripper; L0phtCrack; Hashcat |
| CWE-522 | Insufficiently Protected Credentials | search for exposed credentials, capture traffic, or brute force (context-dependent) | Context-dependent; may utilize traffic sniffing tools, tools for discovering sensitive information, or brute forcing tools: Wireshark; SMS Sniff; OWASP ZAP; Burp Suite; THC Hydra; John the Ripper; L0phtCrack; Hashcat |
| CWE-532 | Insertion of Sensitive Information into Log File | access log files and search them for sensitive information | OWASP ZAP; Burp Suite (along with the ability to access log files) |
| CWE-611 | Improper Restriction of XML External Entity Reference | XML external entity injection | XXExploiter |
| CWE-639 | Authorization Bypass Through User-Controlled Key | modify key values to change what data the attacker has access to (insecure direct object reference exploit) | AuthZ for Burp Suite |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | XML entity expansion | XXExploiter |
| CWE-798 | Use of Hard-coded Credentials | discover and use hard-coded credentials | Context-dependent; may use password cracking tools, binary analysis tools, or may not require any tools (just knowledge of the default hard-coded credentials): THC Hydra; John the Ripper; L0phtCrack; Hashcat; PowerGREP |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | brute force | THC Hydra; John the Ripper; L0phtCrack; Hashcat |
| CWE-918 | Server-Side Request Forgery (SSRF) | SSRF | SSRFmap; Burp Suite |
| CWE-1188 | Insecure Default Initialization of Resource | use default credentials | Context-dependent, but may not need any tools (for example, try to use default credentials or access resources that typically require permissions); knowledge of the system (and its defaults) helps |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File | CSV injection | No specialized resources are required to execute this type of attack; it is more based on payloads: PayloadsAllTheThings; OWASP CSV Injection |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | prototype pollution | DOM Invader (Burp Suite) |
| CWE-1333 | Inefficient Regular Expression Complexity | ReDoS or exponential backtracking | ReScue |

Prior Versions

Exploitation v1.0.0

The present state of exploitation of the vulnerability.

| Value | Definition |
|---|---|
| None | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. |
| PoC | One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. |
| Active | Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. |
Exploitation v1.0.0 JSON Example
```json
{
  "name": "Exploitation",
  "description": "The present state of exploitation of the vulnerability.",
  "namespace": "ssvc",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "E",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
    },
    {
      "key": "P",
      "name": "PoC",
      "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
    },
    {
      "key": "A",
      "name": "Active",
      "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
    }
  ]
}
```

References

1. Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Idris Adjerid, and Michael Roytman. Exploit Prediction Scoring System (EPSS). Digital Threats, Jul 2021. URL: https://doi.org/10.1145/3436242, doi:10.1145/3436242.

2. Allen D. Householder, Jeff Chrabaszcz, Trent Novelly, David Warren, and Jonathan M. Spring. Historical analysis of exploit availability timelines. In Workshop on Cyber Security Experimentation and Test (CSET), virtual conference, 2020. USENIX.