Blue Goat Cyber

Understanding Vulnerability Scope

Understanding Vulnerability Scope

There are many different factors to consider when scoring the risk level of a vulnerability. Modern frameworks, such as the CVSS 4.0 consider several factors to properly convey the severity of a problem. Different vulnerabilities can have a wide-ranging impact, and depending on the individual system at risk, they may end up being less concerning. One often overlooked aspect for consideration is the scope of a vulnerability. Exploits are typically thought of as something that attacks the system they land on, but there can be many ways that the scope of a vulnerability can expand.

How Insecure Sites Can Compromise Secure Sites

In modern applications, functionality can stretch to several different connected services and domains, both internal and external. This allows for a massive expansion in what can be done for the users and often can speed up processes in the application, but it may end up opening the network to a greater threat. A vulnerability present in a single component can introduce vulnerabilities to the other connected sites, even if those other sites are secure.

One very common area that will be a prime target for ethical and malicious hackers is file upload functionalities. They can also be perfect for demonstrating this type of vulnerability where the scope manages to expand itself. Commonly, applications will be linked so that a file can be uploaded on one site, and accessed on another. If proper validation is not performed on the upload site, the vulnerability will leave that domain and become relevant on the other site. This can have serious consequences, as file upload vulnerabilities can lead to file disclosure, cross-site scripting, and even remote command execution.

Another possibility is using one vulnerable site to attack an internal site. In cases where a vulnerability allows the attacker to gain full command execution, the hacker can use the compromised server as a jump host to access internal applications that may host sensitive data. This can even be possible without full command execution in some cases, such as when a server-side request forgery vulnerability is discovered.

Chaining Vulnerabilities Through Connected Applications

Many different types of vulnerabilities can be combined with a vulnerability present on another server to achieve even greater damage. Different applications will be attached to different resources that may be interesting for an attacker. A good example of this would be two different applications connected to two different databases. Attackers may be able to find major vulnerabilities in the application with less interesting information in the database, but this can then be leveraged to access the other server.

One way that this can happen is through credential harvesting. Any attack where a hacker can strip credentials, such as a database attack, file read bug, or sensitive data exposure can have severe consequences. The previous example with two applications connected to two databases can be a good example of this. If the server with less sensitive data on the database is prone to some sort of SQL or NoSQL injection attack, it can be possible for the hacker to pull credentials from the database and use those credentials against the second server.

While having authenticated access to an application does not usually mean that the user can access the server directly, it can massively expand the attack surface. It can be easy for vulnerabilities to slip through the cracks on authenticated pages, as these will be far less exposed. This assumed safety can be dangerous, as an attacker able to authenticate can wreak havoc on the application.

Second-order attacks are also a major threat to linked applications and are often very difficult to detect by only testing a single component. Maintaining the theme of database attacks, second-order SQL injection attacks can be a good example of the risk. If two applications share a database, it may be possible to inject dangerous data into the database from one application that can be accessed from the other to trigger an exploit. These vulnerabilities can be very elusive, as they are rarely directly detectable and require comprehensive testing of all connected components to fully understand the risk.

Test Your Applications With Blue Goat Cyber

Whether it is just a single application or many different, connected applications, Blue Goat can help you meet your security goals. Our team can work with you to properly secure your applications against attacks and protect you from cybercriminals. Contact us to learn more.

Blog Search

Social Media