Discovering Vulnerabilities

Finding weak spots in software and systems where attackers can break in.

  • Purpose: Identify and remediate flaws to enhance security
  • Importance: Early detection enables timely fixes, reducing risk

Domain: Vulnerability Discovery & Analysis (Domain 3)


Lesson Overviews

  • Application Scanning (DAST & IAST)
  • Software Analysis (SCA & SAST)
  • Host-Based Scanning (Authenticated vs Unauthenticated; Secrets)
  • Network Scanning (TCP/UDP, stealth techniques)
  • Mobile Scanning (SAST, DAST, Permission/Config Analysis)
  • Container Scanning (vulnerability demo)
  • IaC Scanning (static analysis, policy-as-code, drift)
  • ICS Vulnerability Discovery (manual + port mirroring)
  • Wireless Scanning (SSID & channel analysis)

Application Scanning

Dynamic Application Security Testing (DAST)

  • Simulates attacks against a running app from the outside (no source code needed); finds what an attacker can trigger, but cannot point to the responsible line of code
  • Tools: OWASP ZAP, Burp Suite
  • Example: submit "' OR '1'='1" as the password on a login form; if the login succeeds without valid credentials, the form is vulnerable to SQL injection
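
The login check behind that example, as an added illustration (this is not code from the original lesson): a vulnerable query that concatenates the input beside the parameterised fix, and a small probe that mimics what a DAST tool does when it submits the payload. The in-memory SQLite table and the user "alice" are constructed sample data.

```python
import sqlite3

# Constructed sample database standing in for the application's user store
# (example code added here, not from the original page).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input is concatenated into the SQL text, so quotes and
    # operators in the input change the structure of the query.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_fixed(conn, username, password):
    # Parameterised query: the values travel separately from the SQL text,
    # so the same payload is only ever compared as a literal string.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# The payload from the lesson notes. In the vulnerable query it yields
#   ... WHERE username = 'nobody' AND password = '' OR '1'='1'
# and the trailing OR makes the WHERE clause true for every row.
PAYLOAD = "' OR '1'='1"

def dast_probe(login):
    """Mimic one DAST check: submit the payload as the password of a user that
    does not exist. Returns True when the login succeeds, which means the form
    is injectable, because no valid credential was supplied."""
    conn = build_db()
    try:
        return login(conn, "nobody", PAYLOAD)
    finally:
        conn.close()

if __name__ == "__main__":
    print("vulnerable login injectable:", dast_probe(login_vulnerable))  # True
    print("parameterised login injectable:", dast_probe(login_fixed))    # False
```

A real DAST scanner does not see the query; it infers injection from the response (a successful login, an error page, or a timing difference), which is why it can confirm the flaw but not locate it in the code.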

Interactive Application Security Testing (IAST)

  • Combines static & dynamic approaches: an agent instrumented into the running app server watches data flow while tests (or normal traffic) exercise the app
  • Detects code-level flaws in real time with exact location (e.g., the line that writes untrusted input into a page, i.e., the XSS sink)
  • Limitations: requires deploying the agent in the test environment; instrumentation adds performance overhead, so it is rarely run in production

Software Analysis

Software Composition Analysis (SCA)

  • Inventory open-source components and their versions; flag those with known CVEs (e.g., Log4Shell, CVE-2021-44228 in Log4j 2)
  • Tools: Snyk, OWASP Dependency-Check

Static Application Security Testing (SAST)

  • Analyzes source/bytecode without executing it
  • Integrate into CI/CD so every commit is checked (e.g., SonarQube)
  • Benefits: early flaw detection, before code ships; exact file and line
  • Limitation: no runtime context, so expect false positives that need triage

Host-Based Scanning

  • Authenticated Scans (with credentials): log in to the host for deep config & missing-patch checks (Nessus, Qualys); fewer false positives, but the scan account itself must be protected
  • Unauthenticated Scans (no creds): the attacker's view of exposed ports, services and banner versions; misses anything not visible on the wire
  • Secrets Scanning: find hardcoded keys/passwords in files and git history (TruffleHog)
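
An added example of how a secrets scanner works (this is not TruffleHog's code or any code from the original page): a handful of regex rules for well-known credential formats, plus a Shannon-entropy rule for opaque tokens that no regex knows about. The rule set, the 4.5 bits/character cut-off and the sample file are assumptions constructed for the example; the AWS key is the placeholder value used in AWS's own documentation.

```python
import math
import re

# Detection rules: a small subset of the patterns a tool like TruffleHog ships
# (example code added here, not from the original page or from TruffleHog).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
}

# Entropy rule for long opaque tokens: random-looking strings of 32+ characters.
TOKEN_RX = re.compile(r"[A-Za-z0-9+/_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed cut-off for this example

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def scan_text(text, path="<memory>"):
    """Return (path, line_number, rule_name) for every line that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append((path, lineno, name))
        for token in TOKEN_RX.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high_entropy_token"))
                break  # one entropy finding per line is enough
    return findings

# Constructed sample file content, not a real configuration file.
SAMPLE = """\
# constructed sample config, not a real file
db_host = "db.internal"
db_password = "Winter2024!"
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_token = "abcdefghijklmnopqrstuvwxyz012345"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, lineno, rule in scan_text(SAMPLE, "config.env"):
        print(f"{path}:{lineno}: {rule}")
```

The regex rules are precise but only catch formats you anticipated; the entropy rule catches the rest at the cost of false positives (hashes, UUIDs, minified code), which is why real tools pair it with verification against the issuing service where possible.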

Network Scanning

TCP Scans

  • SYN Scan (-sS): half-open; sends SYN, reads SYN/ACK (open) or RST (closed) and never completes the handshake, so many services do not log it; needs raw-socket privileges
  • Full-Connect (-sT): completes the three-way handshake through the OS socket API; works without privileges but shows up in service logs
  • FIN/Xmas/Null (-sF/-sX/-sN): send packets with unusual flag sets; per RFC 793 a closed port answers RST and an open port stays silent, so results are open|filtered; unreliable against stacks (e.g., Windows) that answer RST either way

UDP Scan (-sU)

  • Probe UDP ports; ICMP port unreachable = closed; other ICMP unreachable types = filtered; silence = open|filtered (slow, because every silence must time out); a protocol-specific payload that draws a reply confirms open

Stealth Techniques

  • Fragmentation (-f) splits probes into small IP fragments to slip past filters that do not reassemble before inspecting
  • Idle Scan (-sI) bounces probes off a zombie host with predictable IP ID increments, so the target only ever sees the zombie's address
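
A runnable port probe, added here as an example and not taken from the lesson or from nmap: a SYN scan needs raw sockets (root or CAP_NET_RAW), so this implements the full-connect (-sT) equivalent and classifies results the way nmap reports them: a completed handshake is open, an RST (surfaced as ConnectionRefusedError) is closed, and a timeout is filtered. The local listener and the port numbers are constructed for the example; the only thing this scan touches is 127.0.0.1.

```python
import socket
import threading

def start_listener(host="127.0.0.1"):
    """Constructed target: a local TCP listener standing in for an open service.
    Returns the server socket and the port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # server socket closed: stop accepting
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def find_closed_port(host="127.0.0.1"):
    """Bind an ephemeral port and release it: a port with nothing listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def probe_port(host, port, timeout=0.5):
    """Full-connect probe (nmap -sT equivalent): one complete three-way
    handshake per port, classified the way nmap reports it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # SYN/ACK came back and the handshake completed
    except ConnectionRefusedError:
        return "closed"      # RST came back: host reachable, nothing listening
    except socket.timeout:
        return "filtered"    # neither SYN/ACK nor RST: something dropped the SYN
    except OSError:
        return "filtered"    # e.g. an ICMP unreachable surfaced by the stack
    finally:
        s.close()

def connect_scan(host, ports, timeout=0.5):
    """Scan a list of ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}

if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

The same three outcomes (SYN/ACK, RST, silence) drive the SYN scan; the difference is only that -sS answers the SYN/ACK with RST instead of ACK, so the service never sees an accepted connection.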

Mobile Scanning

  • SAST: static analysis of APK/IPA code and manifest (MobSF, QARK)
  • DAST: runtime testing with an intercepting proxy (OWASP ZAP, Burp Suite) between the app on a device/emulator and its backend
  • Permission Analysis: detect over-privileged apps (permissions the app's features do not justify)
  • Configuration Analysis: identify insecure defaults (e.g., debuggable builds, backups allowed, exported components without a permission)
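
An added example covering both the permission and the configuration checks above (this is not MobSF's code or any code from the original page): it parses an AndroidManifest.xml and reports runtime ("dangerous") permissions, insecure application flags, and services/receivers/providers exported without a guarding permission. The dangerous-permission list is a subset chosen for the example, and the manifest for "com.example.notes" is constructed sample input.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _a(elem, attr):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{attr}")

# Subset of Android's runtime ("dangerous") permissions, chosen for this example.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
}

def analyze_manifest(xml_text):
    """Return the permission and configuration findings for one manifest."""
    root = ET.fromstring(xml_text)
    report = {"dangerous_permissions": [], "insecure_flags": [], "exported_without_permission": []}

    # Permission analysis: runtime permissions the app asks for.
    for up in root.findall("uses-permission"):
        name = _a(up, "name")
        if name in DANGEROUS:
            report["dangerous_permissions"].append(name)

    app = root.find("application")
    if app is not None:
        # Configuration analysis: flags that should be off in a release build.
        # Note: an absent allowBackup defaults to true; this example only
        # reports an explicit "true".
        for flag in ("debuggable", "allowBackup"):
            if _a(app, flag) == "true":
                report["insecure_flags"].append(flag)
        # Exported components reachable by any other app. Activities are left
        # out because launcher activities are legitimately exported.
        for tag in ("service", "receiver", "provider"):
            for comp in app.findall(tag):
                if _a(comp, "exported") == "true" and not _a(comp, "permission"):
                    report["exported_without_permission"].append(_a(comp, "name"))
    return report

# Constructed sample manifest for a fictional note-taking app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.notes.PRIVATE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, items in analyze_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {items}")
```

A note-taking app asking for contacts and fine location is the over-privileged pattern the lesson describes; whether a given permission is justified still needs a human who knows the app's features, so the scanner's job is to surface the list, not to judge it.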

Container Scanning

  • Scan images for vulnerable OS/library packages and misconfigurations (e.g., running as root)
  • Tools: Clair, Trivy
  • Demo: trivy image myapp:latest
  • A sidecar is a helper container deployed alongside the main one (log shipping, proxying, etc.); it shares the pod, so scan it with the same rigor
  • Demo: trivy image mysidecar:latest
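
An added CI gate over the scanner's JSON output, serving both the SCA notes above (known CVEs in dependencies) and the container demos here (this is example code, not from the original page or from the Trivy project): it flattens vulnerabilities and misconfigurations, counts them by severity, and fails the build at a chosen threshold. The report is a constructed sample written in the shape Trivy emits with --format json (field names as I understand them; treat the shape as an assumption); the Log4Shell entry uses the CVE the lesson mentions with illustrative versions, and the DS002 check is Trivy's "image runs as root" rule.

```python
import json

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def _rank(severity):
    severity = (severity or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0

def findings(report):
    """Flatten a Trivy-style JSON report into (target, kind, id, severity, detail)."""
    out = []
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion") or "no fix available"
            detail = f"{v.get('PkgName')} {v.get('InstalledVersion')} -> fixed in {fixed}"
            out.append((target, "vuln", v["VulnerabilityID"], v.get("Severity"), detail))
        for m in result.get("Misconfigurations") or []:
            out.append((target, "misconfig", m["ID"], m.get("Severity"), m.get("Title", "")))
    return out

def severity_counts(report):
    """Count findings per severity label."""
    counts = {}
    for _, _, _, sev, _ in findings(report):
        sev = (sev or "UNKNOWN").upper()
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def gate(report, threshold="HIGH"):
    """Return (passed, offending): offending holds findings at or above threshold."""
    offending = [f for f in findings(report) if _rank(f[3]) >= _rank(threshold)]
    return (len(offending) == 0, offending)

def load_report(path):
    """Read a report saved with: trivy image --format json -o report.json myapp:latest"""
    with open(path) as f:
        return json.load(f)

# Constructed sample report (assumed Trivy JSON shape; versions illustrative).
SAMPLE_REPORT = {
    "ArtifactName": "myapp:latest",
    "Results": [
        {"Target": "myapp:latest (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": []},
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-44228",
              "PkgName": "org.apache.logging.log4j:log4j-core",
              "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0",
              "Severity": "CRITICAL",
              "Title": "log4j-core: remote code execution via JNDI lookup (Log4Shell)"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "DS002", "Title": "Image user should not be 'root'", "Severity": "HIGH"}]},
    ],
}

if __name__ == "__main__":
    print("counts:", severity_counts(SAMPLE_REPORT))
    passed, offending = gate(SAMPLE_REPORT, threshold="HIGH")
    for target, kind, ident, sev, detail in offending:
        print(f"[{sev}] {kind} {ident} in {target}: {detail}")
    raise SystemExit(0 if passed else 1)
```

For the simple case the CLI does this on its own (trivy image --severity HIGH,CRITICAL --exit-code 1 myapp:latest); the script earns its keep when the JSON is archived as evidence and the gate needs rules the CLI flags cannot express, such as "fail only on findings that have a fix".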

IaC Scanning

  • Common IaC tools: Terraform, AWS CloudFormation, Ansible
  • Static Analysis: examine Terraform/CloudFormation templates for misconfigurations before anything is deployed
    • Tools: TFLint, cfn-guard
  • Policy-as-Code: express rules as machine-checkable policy (e.g., EBS volumes attached to EC2 instances must be encrypted) and evaluate every plan against them
  • CI/CD Integration: scan on commit / pull request so a failing policy blocks the merge (Jenkins, GitHub Actions)
  • Drift Detection: terraform plan against live state, or AWS Config rules, flag resources that no longer match the declared configuration (e.g., changes made by hand in the console)
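
The encryption policy above as an added, runnable policy-as-code check (example code, not from the original page or from any of the tools it names): it reads the JSON form of a Terraform plan and fails any EBS volume or EC2 block device that is being created or updated without encrypted = true. The plan is a constructed sample in the shape of terraform show -json output (resource_changes, change.actions, change.after; treat the exact shape as an assumption), and the resource names are made up.

```python
import json

def _blocks(after, key):
    """Terraform plan JSON renders nested blocks (root_block_device, ...) as lists of dicts."""
    value = (after or {}).get(key) or []
    return value if isinstance(value, list) else [value]

def check_encryption(plan):
    """Policy: every EBS volume and every EC2 block device created or updated by
    this plan must have encrypted = true. Returns (address, message) pairs.
    A missing or unknown value fails closed: we cannot prove it is encrypted."""
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not ({"create", "update"} & set(change.get("actions", []))):
            continue  # deletions and no-ops are not evaluated
        after = change.get("after") or {}
        address, rtype = rc["address"], rc["type"]
        if rtype == "aws_ebs_volume":
            if after.get("encrypted") is not True:
                violations.append((address, "EBS volume is not encrypted"))
        elif rtype == "aws_instance":
            for key in ("root_block_device", "ebs_block_device"):
                for i, dev in enumerate(_blocks(after, key)):
                    if dev.get("encrypted") is not True:
                        violations.append((address, f"{key}[{i}] is not encrypted"))
    return violations

def load_plan(path):
    """Read the output of: terraform show -json tfplan > plan.json"""
    with open(path) as f:
        return json.load(f)

# Constructed sample plan (assumed terraform show -json shape; names made up).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_ebs_volume.logs", "type": "aws_ebs_volume",
         "change": {"actions": ["create"],
                    "after": {"availability_zone": "us-east-1a", "size": 100, "encrypted": False}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"instance_type": "t3.micro",
                              "root_block_device": [{"encrypted": False, "volume_size": 20}],
                              "ebs_block_device": []}}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "after": {"size": 50, "encrypted": True}}},
        {"address": "aws_ebs_volume.legacy", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"], "after": None}},
    ],
}

if __name__ == "__main__":
    violations = check_encryption(SAMPLE_PLAN)
    for address, message in violations:
        print(f"DENY {address}: {message}")
    raise SystemExit(1 if violations else 0)
```

Running this in the pipeline between terraform plan and terraform apply is the CI/CD integration the notes describe: the exit status blocks the merge, and because the check reads the plan rather than the .tf files it also catches values that come from variables and modules.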

ICS Vulnerability Discovery

  • Manual Assessments: inspect PLCs/HMIs for default credentials, unpatched firmware and insecure protocols (e.g., unauthenticated Modbus)
  • Port Mirroring: mirror ICS traffic (SPAN port) to Wireshark/tcpdump for passive analysis; active scanning can crash fragile PLCs, so passive discovery is preferred on live plants
  • Tools: Tenable.ot, OpenVAS

Wireless Scanning

SSID Scanning (Kismet, Airodump-ng)

  • Detect broadcast & hidden networks; identify rogue APs

Channel Analysis (InSSIDer)

  • Map congestion; optimize channel selection

Security Practices

  • Enforce WPA3, update firmware, monitor for anomalies

Takeaway: Master diverse scanning techniques—from applications to ICS—to uncover and prioritize vulnerabilities across the full technology stack.