> For the complete documentation index, see [llms.txt](https://arachn3.gitbook.io/malware-development-guide/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://arachn3.gitbook.io/malware-development-guide/baby-steps/vulnerability-analysis.md).

# Vulnerability Analysis

Let's first get a general idea of what a vulnerability is

> A vulnerability in cybersecurity is defined as a weakness or flaw in the design, implementation or behaviours of a system or application

This definition isn't a perfect one, in fact, the definition varies from source to source. NIST defines a vulnerability as a *“weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source”.* However, the general idea remains the same.

Vulnerabilities in general can be categorized into 5 broad types with respect to their sources/causes:

<table><thead><tr><th width="294">Type</th><th>Description</th></tr></thead><tbody><tr><td>Operating System</td><td>Found within Operating Systems (OSs) and often result in privilege escalation.</td></tr><tr><td>Configuration/Misconfiguration</td><td>Stem from an incorrectly configured application or service. Examples include a website exposing customer details, and even left-out default credentials that should've been changed</td></tr><tr><td>Application Logic</td><td>Stem from poor application design. For example, a website with shitty encryption for authentication</td></tr><tr><td>Human-Factor</td><td>Vulnerabilities that leverage human behaviour. For example, phishing emails are designed to trick humans into believing they are legitimate.</td></tr></tbody></table>

Yes, I ripped this table straight from [TryHackMe's Vulnerabilities 101 room](https://tryhackme.com/room/vulnerabilities101), and I recommend you visit that room since it's a literal treasure trove. I'll be using certain sections from it to explain many things, but it'll be a short explanation rather than a verbose one like the one in said room.&#x20;

On the big shiny public forums and "vulnerability scoring" websites, each vulnerability has a quantitative qualifier attached to it. There are several methods of going about this "scoring" business but here are some popular ones:

* Common Vulnerability Scoring System (CVSS)
* Vulnerability Priority Rating (VPR)
* Tripwire Vulnerability Scoring System
* IP360 Scoring

The last two are a bit uncommon, but it's good to know them. Here's a dumb way to refer to each of these system's scoring:

<table><thead><tr><th width="272">Score/Rating</th><th>Reaction/Inference/IDK just understand what you will :P</th></tr></thead><tbody><tr><td>Low-Medium</td><td>"Meh"; Low-money bounties; "Meh, Let's just fix this when we feel like it"</td></tr><tr><td>High</td><td>"Nice!"; Medium money bounties; "Okay, better fix this quick"</td></tr><tr><td>Critical</td><td>"OOOOO"; Money's rainin' boys; "AAAAAA, FIX THIS ASAP!!"</td></tr></tbody></table>

There are a lot of vendors that enlist/sell exploits online so it's a good idea to be familiar with them if you can:

* ExploitDB: <https://www.exploit-db.com/>
* 0day.today: <https://0day.today/>&#x20;
* Packet Storm Security: <https://packetstormsecurity.com/about/>
* CIRCL: <https://circl.lu/mission/>
* VulnDB: <https://vuldb.com/>

TODO: add more on this...
