
VRT Addition/Modification - Exposed Portal #428

Open
zy9ard3 opened this issue Dec 17, 2024 · 3 comments


zy9ard3 commented Dec 17, 2024

I would like to propose some additions and modifications to Server Security Misconfiguration > Exposed Admin Portal for better VRT classification of this kind of issue.

Changes:

Modify Server Security Misconfiguration > Exposed Admin Portal > To Internet to:

  • Server Security Misconfiguration
    • Exposed Portal
      • Protected: P5
      • Unprotected
        • Admin Panel: P1
        • Other Panels: P3

Update:

```json
{
  "id": "server_security_misconfiguration",
  "name": "Server Security Misconfiguration",
  "type": "category",
  "children": [
    {
      "id": "exposed_portal",
      "name": "Exposed Portal",
      "type": "subcategory",
      "children": [
        {
          "id": "protected",
          "name": "Protected",
          "type": "variant",
          "priority": 5
        },
        {
          "id": "unprotected",
          "name": "Unprotected",
          "type": "subcategory",
          "children": [
            {
              "id": "admin_panel",
              "name": "Admin Panel",
              "type": "variant",
              "priority": 1
            },
            {
              "id": "other_panels",
              "name": "Other Panels",
              "type": "variant",
              "priority": 3
            }
          ]
        }
      ]
    }
  ]
}
```
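The fragment above is a tree of category / subcategory / variant nodes where only the leaf variants carry a priority. As an added example (not code from this issue or from the bugcrowd/vulnerability-rating-taxonomy repository), the script below lints such a fragment and resolves an id path like `server_security_misconfiguration > exposed_portal > unprotected > admin_panel` to its priority. The structural rules it enforces are assumptions read off the fragment itself (a variant has a 1..5 priority and no children, a category or subcategory has children, sibling ids are unique); they are not the VRT's official schema.

```python
"""Lint and query a VRT-style JSON fragment.

Added example; not code from the VRT repository. The rules enforced here
are assumptions inferred from the fragment in the proposal, not the
official VRT schema.
"""
import json

# Constructed input: the fragment proposed in the post above, verbatim.
PROPOSED_FRAGMENT = json.loads("""
{
  "id": "server_security_misconfiguration",
  "name": "Server Security Misconfiguration",
  "type": "category",
  "children": [
    {
      "id": "exposed_portal",
      "name": "Exposed Portal",
      "type": "subcategory",
      "children": [
        {"id": "protected", "name": "Protected", "type": "variant", "priority": 5},
        {
          "id": "unprotected",
          "name": "Unprotected",
          "type": "subcategory",
          "children": [
            {"id": "admin_panel", "name": "Admin Panel", "type": "variant", "priority": 1},
            {"id": "other_panels", "name": "Other Panels", "type": "variant", "priority": 3}
          ]
        }
      ]
    }
  ]
}
""")

NODE_TYPES = {"category", "subcategory", "variant"}


def lint(node, path=()):
    """Return a list of (id_path, problem) tuples for every rule violation."""
    path = path + (node.get("id", "?"),)
    problems = []
    node_type = node.get("type")
    children = node.get("children", [])
    if "id" not in node or "name" not in node:
        problems.append((path, "missing id or name"))
    if node_type not in NODE_TYPES:
        problems.append((path, f"unknown type {node_type!r}"))
    if node_type == "variant":
        # Assumed rule: a variant is a rated leaf.
        if children:
            problems.append((path, "variant must not have children"))
        if node.get("priority") not in range(1, 6):
            problems.append((path, f"variant priority must be 1..5, got {node.get('priority')!r}"))
    elif not children:
        # Assumed rule: a category/subcategory only exists to group children.
        problems.append((path, f"{node_type} must have children"))
    seen = set()
    for child in children:
        if child.get("id") in seen:
            problems.append((path + (child.get("id"),), "duplicate sibling id"))
        seen.add(child.get("id"))
        problems.extend(lint(child, path))
    return problems


def priority_table(node, path=()):
    """Map each full id path ('a > b > c') to the priority of that leaf."""
    path = path + (node["id"],)
    table = {}
    if node.get("type") == "variant":
        table[" > ".join(path)] = node["priority"]
    for child in node.get("children", []):
        table.update(priority_table(child, path))
    return table


def resolve(node, id_path):
    """Priority for a '>'-separated id path, or None if it is not a rated leaf."""
    key = " > ".join(part.strip() for part in id_path.split(">"))
    return priority_table(node).get(key)


if __name__ == "__main__":
    for where, what in lint(PROPOSED_FRAGMENT):
        print("problem at", " > ".join(where), ":", what)
    for id_path, prio in priority_table(PROPOSED_FRAGMENT).items():
        print(f"P{prio}  {id_path}")
```

Running it on the proposed fragment reports no problems and prints the three rated paths (P5 for `protected`, P1 for `unprotected > admin_panel`, P3 for `unprotected > other_panels`); `unprotected` itself resolves to nothing, since under the proposal it is a grouping node, not a rated entry.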

vortexau commented Dec 17, 2024

Could you please expand on your justification for an 'Unprotected Admin Portal' being a P1 vulnerability?

In my view, an 'Unprotected Admin Portal' still wouldn't rise above a P5 vulnerability, per the original VRT entry, as this category implies the discovery of an admin portal, rather than authenticating to the admin portal itself.

The only case for a different priority would be if you could also authenticate to that admin portal and were granted elevated privileges. In this case you would just use another VRT category such as Server Security Misconfiguration > Using Default Credentials for default credentials (P1), or, if you were able to guess/brute force creds, a category such as Broken Access Control (BAC) > Privilege Escalation (Varies); simply selecting the category Broken Access Control (BAC) with no specific vulnerability or variant (Varies) would also be acceptable. Other assumptions will also apply, such as scope and impact (is it an empty non-prod instance?), and these would be considered before being triaged at the P1 level.

However, as mentioned, if you believe you have a strong justification for the priority of an exposed admin portal being a P1 by default, please feel free to expand on your thoughts here so the team can discuss your proposed change.


zy9ard3 commented Dec 18, 2024

@vortexau

> The only case for a different priority would be if you could also authenticate to that admin portal and were granted elevated privileges

Yes, the case I’m referring to involves accessing the portal with elevated privileges but without any authentication or login.

When exploring internet search engines like Shodan, FOFA, etc., I often come across various types of portals/panels, including admin panels, and some of these are open/unprotected and can be accessed directly without any authentication or login. This should be considered a P1 issue if the panel is open with admin privileges, and can be considered P3 if it is a non-admin panel (e.g. Atlantis).

This is what I'm referencing as Unprotected Panels.

> In my view, an 'Unprotected Admin Portal' still wouldn't rise above a P5 vulnerability

The above scenario in your view refers to a Protected Admin Portal (protected with login), which I also referenced as P5 (Server Security Misconfiguration > Exposed Portal > Protected), and let's ignore all login-related scenarios (default credentials/brute force) as they are already covered in other VRTs.

However, for Unprotected Panels there isn’t currently a specific VRT, and I am marking them under Server Security Misconfiguration for now.

Examples:

@vortexau

Thanks for the clarification, @zy9ard3, I appreciate it.

We'll flag this for discussion in the next VRT council meeting (likely early next year at this stage) and respond with any changes that may be made.
