
Often you need to find out everything about a vulnerability: how critical the bug is, whether ready-made exploits exist, which vendors have already released patches, and which scanner can detect it on a system. Previously you had to search a dozen sources by hand (CVEDetails, SecurityFocus, Rapid7 DB, Exploit-DB, the MITRE/NIST CVE databases, vendor bulletins) and analyze what you collected. Today this routine can (and should) be automated with specialized services. One of them is Vulners, the coolest search engine for bugs, with a free and open API. Let's see how it can be useful to us.
What it is
Vulners is a very large and continuously updated database of information security content. The site lets you search for vulnerabilities, exploits, patches and bug bounty results the way an ordinary search engine searches for sites. Vulners aggregates and conveniently presents six basic data types:
- Popular vulnerability databases. They contain general descriptions of vulnerabilities and links to sources, for example the well-known CVE of the US agency MITRE and the NIST institute. In addition to that, general vulnerability descriptions also reach Vulners from other research and response centers: Vulnerability Lab, XSSed, CERT, ICS, Zero Day Initiative, Positive Technologies, ERPScan.
- Vendor security bulletins. These are the reports vendors themselves write about vulnerabilities in their products. At the moment these are various Linux distributions (Red Hat, CentOS, Oracle Linux, Arch Linux, Debian, Ubuntu, SUSE), FreeBSD, network devices (F5 Networks, Cisco, Huawei, Palo Alto Networks) and popular, critical software (OpenSSL, Samba, nginx, Mozilla, Opera), including CMSs (WordPress, Drupal).
- Exploit-DB and Metasploit exploits. They are parsed and stored in full, with source code (which can be viewed right away in a convenient editor).
- Nessus plugins for vulnerability detection. It is easy to see whether a given vulnerability can be found when scanning the network with this popular scanner.
- Disclosed bugs from bug bounty platforms. Vulners currently supports HackerOne reports.
- Publications on thematic resources. Data is collected from Threatpost and rdot.org, which often cover topics related to vulnerabilities.
All this is processed, cataloged, structured and searchable at any time.

Vendors whose information Vulners collects and analyzes
Unlike other databases that describe bugs in a special formalized form (for example the CIS or SecPod OVAL databases), Vulners stores the data in a formalized form of its own, automatically establishes links between records, searches them quickly and presents the results nicely. What you do with it is limited only by the imagination of the end user.
Who builds Vulners, and with what?
Vulners is built by five people, on enthusiasm, in their free time:
- Kirill "isox" Yermakov writes the core and does the administration;
- Igor "Videns" writes the search;
- Vanya "Vancouver" writes the frontend;
- Sasha "Plex" writes the collector robots;
- Alexander Leonov writes articles and analytics.
The first version of Vulners was rolled out a couple of months after development started, in time for the Black Hat USA 2015 conference in Las Vegas. The project is now a year old.
The entire Vulners engine is written in Python + Django, with MongoDB + Elasticsearch as the storage. MongoDB is used only as the store the information-gathering robots write into; Elasticsearch serves only the frontend. Deployment is done with a Bitbucket script. Scaling is built into the core: MongoDB and Elasticsearch are sharded. The robot factory is written host-independent and can be run separately from the rest of the project. One of the coolest things: the team has already fully switched to Python 3.5+ and asyncio in the project. So the search does not always work exactly, but it always works very quickly :).
There are currently 319,557 bulletins and 144,684 exploits in the Vulners database, and all of it fits in a database of less than 2 GB. This compactness is achieved through deduplication and packing. Everything is held in RAM, which speeds up search considerably. It is worth mentioning that Vulners is protected by the Wallarm WAF, operating in blocking mode.

Vulners architecture
But enough words, let's try to look for something.
Trying the search
The first thing you see when you open Vulners is, of course, the search box. Just enter the name of an application, a website or the CVE identifier of a vulnerability, and Vulners will show you all the latest public bugs for that product with links to exploits, detection plugins and various publications.

Typical Vulners output for WordPress bugs. Note: the data is updated constantly and automatically
Naturally, simple queries like "wordpress" or "xakep.ru" are boring to look at, and you can try them yourself. Let's see what interesting things Vulners can do.
Task: find critical CentOS bugs with links to exploits
Query: type:centos order:published
Vulners lets you filter search results and/or sort them by any field of a bug:
- by bulletin type;
- by CVSS score;
- by date;
- by detection plugin number;
- by researcher name.
And so on. You can search and sort by absolutely any field.
Thanks to this, we can form a complex query such as type:centos cvss.score:[8 TO 10] order:published, which means "find me all new CentOS bugs where the CVSS score is from 8 to 10, that is, critical". Since Vulners automatically links all the collected data to the bug, on the CVE page you will see the available patches and exploits.
The results of this query can also be obtained through the API, which is useful in automated scanners. To do this it is enough to make a GET request to https://vulners.com/api/v3/search/lucene/?query=type:centos%20cvss.score:[8%20TO%2010]%20order:published . The response is machine-readable JSON.
Another useful API query parameter is references=true, which returns not only the security objects themselves but also all of their connections (detection plugins, exploits, etc.). For example, the query https://vulners.com/api/v3/search/lucene/?references=True&query=type:centos%20cvss.score:[8%20TO%2010]%20order:published will also output all related elements from the database.

Graphical output of the query
Getting more than twenty entries from Vulners
By default, Vulners returns only the first twenty records for a query. If you want more, set the size parameter; this way you can get up to 10,000. And if that is not enough, you can request 10,000 several times, skipping the results already obtained with the skip parameter.
Task: justify to the IT department why patch management is needed (or simply find all the exploits for a specific bug)
Query: cvelist:CVE-2014-0160 type:exploitdb
With Vulners it is relatively easy to justify to the IT department why the vulnerabilities found by the scanner are really dangerous and worth patching. To do this, show them the list of exploits found by CVE number or another identifier. Searching across Exploit-DB or Metasploit is available. One page holds both the description and the source of the exploit, and the source itself can be searched too.

Searching for exploits for CVE-2014-0160
As you can see, the full text of the exploit is given on the page. This text can also be searched.

The exploit can be viewed in a convenient viewer.
Task: find out how much money a certain hacker has earned, and on which bug bounty
Query: isox order:bounty
A unique feature of Vulners is search across bug bounties. You can find the vulnerabilities a researcher reported and see his achievements in bug bounty programs. Results can be sorted by team, researcher, price and more.
For example, we search by nickname and sort by bug bounty reward:

Bounty search example

Vulners found a bug in Mail.Ru for which $400 was paid
And if you specify a reporter in the query, you can count other people's money, which is awkward but interesting. The one-liner below sums only the lines that carry a "bounty" field, assuming the JSON is printed one field per line:
$ curl "https://vulners.com/api/v3/search/lucene/?query=type%3Ahackerone+order%3Alastseen+reporter%3Aisox" 2>/dev/null | awk '$0 ~ /"bounty"/ {gsub(",", "", $2); earn += $2} END {print earn}'
Answer (in dollars):
2640
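A small Python client for the two things described above, the Lucene search URL with size/skip paging and the sum of a reporter's HackerOne bounties, added here as an example; it is not the project's own code. It assumes only the query, size, skip and references parameters and the data.search[]._source response shape shown in this article; the fetch function is injectable, so the paging logic runs offline against constructed sample records.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen
API = "https://vulners.com/api/v3/search/lucene/"   # endpoint from the article

def build_url(query, size=20, skip=0, references=False):
    """Search URL; urlencode escapes the spaces and the [8 TO 10] range syntax."""
    params = {"query": query, "size": size, "skip": skip}
    if references:
        params["references"] = "true"
    return API + "?" + urlencode(params)

def fetch_all(query, fetch, size=100, limit=10000):
    """Page through size/skip until a short page or limit (API max is 10,000).
    fetch(url) -> parsed JSON; injected so the paging logic runs offline."""
    records, skip = [], 0
    while skip < limit:
        page = fetch(build_url(query, size=size, skip=skip))
        if page.get("result") != "OK":
            raise RuntimeError("Vulners returned an error: %r" % page)
        hits = [hit["_source"] for hit in page["data"]["search"]]
        records.extend(hits)
        if len(hits) < size:
            break
        skip += len(hits)
    return records

def http_fetch(url):
    """Real transport: GET the URL and parse the JSON body."""
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)

def total_bounty(records, reporter):
    """Sum 'bounty' over one reporter's HackerOne reports (the awk one-liner, on parsed JSON)."""
    return sum(float(r.get("bounty") or 0) for r in records
               if r.get("type") == "hackerone" and r.get("reporter") == reporter)

# Constructed sample records standing in for the live API so the code runs offline.
SAMPLE = [
    {"type": "hackerone", "reporter": "isox", "bounty": 400, "title": "Mail.Ru report"},
    {"type": "hackerone", "reporter": "isox", "bounty": 2240, "title": "second report"},
    {"type": "hackerone", "reporter": "other", "bounty": 1000, "title": "not ours"},
]

def fake_fetch(url):
    """Serve SAMPLE in pages, honouring the size/skip parameters in the URL."""
    q = parse_qs(urlparse(url).query)
    size, skip = int(q["size"][0]), int(q["skip"][0])
    hits = [{"_source": r} for r in SAMPLE[skip:skip + size]]
    return {"result": "OK", "data": {"search": hits}}
```

For live use pass http_fetch instead of fake_fetch; the paging stops on its own at a short page or at the 10,000-entry cap.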
You can also search for examples of real SQL injections, or for vulnerabilities found on a particular service, for example Vimeo: type:hackerone Vimeo.

Searching for Vimeo bugs that were fixed through HackerOne
Task: find bugs by Nessus plugins
Query: type:nessus order:published
Search across Nessus plugins is another unique feature of Vulners. The query above lists the most recently added plugins.

Nessus Search Example

A found vulnerability in the GNU C Library
Task: find potential mobile app vulnerabilities
Another cool feature of Vulners is the ability to search for vulnerabilities in over 13,000 top Android apps from the US Google Play Store via HackApp. HackApp is a shareware toolkit and service for finding bugs in mobile applications. HackApp maintains its own database of found vulnerabilities, describing in detail the attack vectors and the vulnerable versions.
With Vulners and HackApp you can search for vulnerabilities in more than 22,025 top Android apps from the Google Play Store. To search, specify the type type:hackapp. The results show the title, the number of vulnerabilities by severity and information about the application.

HackApp vulnerability scan
Working with the API
At the time of writing, only the search API is publicly available. The query and the number of results you want (size) are passed in, and the answer comes back as JSON. The maximum result size is 10,000 entries, enough to pull all CentOS bulletins in one go. To fetch something larger in several passes, set the offset with the skip parameter.
Since Vulners uses Elasticsearch, every query is processed by Apache Lucene, so queries to Vulners are built the same way as Lucene queries. The field names you can search by are listed in the API Assistant. Any "schema" key of any collector type can be used as a key in a Lucene query, for example:
title
description
affectedPackage
sourceData
cvelist
An example of an API request that returns the data on CVE-2014-0160:
curl https://vulners.com/api/v3/search/lucene/?query=type:cve%20id:CVE-2014-0160
The response is also JSON (abridged here):
{
  "data": {
    "exactMatch": null,
    "search": [
      {
        "_index": "bulletins",
        "_score": 9.942732,
        "_source": {
          "type": "cve",
          "title": "CVE-2014-0160: OpenSSL heartbeat information disclosure",
          "published": "2014-04-07T18:55:03",
          "objectVersion": "1.0",
          "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160",
          "reporter": "NVD",
          "modified": "2015-10-22T10:19:38",
          "references": [
            "http://www.securitytracker.com/id/1030081",
            "http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1",
            "http://advisories.mageia.org/MGASA-2014-0165.html"
          ],
          "description": "[...] TLS/DTLS heartbeat functionality [...] \r\n\r\nThis vulnerability is commonly referred to as \"Heartbleed\".",
          "lastseen": "2016-03-19T07:17:51",
          "cvss": {
            "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/",
            "score": 5.0
          },
          "id": "CVE-2014-0160",
          "scanner": [],
          "bulletinFamily": "NVD"
        },
        "_id": "CVE-2014-0160",
        "_type": "bulletin"
      }
    ]
  },
  "result": "OK"
}
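Since the queries above filter on cvss.score, a check worth having in a scanner is to recompute the CVSS v2 base score from the cvss.vector field and compare it with the stored score. This added example (not Vulners' code) applies the CVSS v2 base equations to the record above; it assumes the vector format shown there, with metric values spelled out in full, and also accepts the standard one-letter abbreviations.

```python
# CVSS v2 base-metric weights from the CVSS v2 specification. Vulners spells the
# values out ("NETWORK", "LOW", ...) rather than using the usual one-letter
# abbreviations, so both spellings are accepted below.
WEIGHTS = {
    "AV": {"LOCAL": 0.395, "ADJACENT_NETWORK": 0.646, "NETWORK": 1.0,
           "L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"HIGH": 0.35, "MEDIUM": 0.61, "LOW": 0.71, "H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"MULTIPLE": 0.45, "SINGLE": 0.56, "NONE": 0.704, "M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"NONE": 0.0, "PARTIAL": 0.275, "COMPLETE": 0.660, "N": 0.0, "P": 0.275, "C": 0.660},
}
WEIGHTS["I"] = WEIGHTS["A"] = WEIGHTS["C"]   # the three impact metrics share one scale

def parse_vector(vector):
    """'AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/' -> {'AV': 'NETWORK', ...}"""
    metrics = {}
    for part in vector.strip().strip("/").split("/"):
        key, _, value = part.partition(":")
        key, value = key.strip(), value.strip().upper()
        if key not in WEIGHTS or value not in WEIGHTS[key]:
            raise ValueError("unknown CVSS v2 metric: %r" % part)
        metrics[key] = value
    if set(metrics) != set(WEIGHTS):
        raise ValueError("incomplete CVSS v2 vector: %r" % vector)
    return metrics

def base_score(vector):
    """CVSS v2 base score equation, rounded to one decimal as the spec requires."""
    m = parse_vector(vector)
    w = lambda key: WEIGHTS[key][m[key]]
    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    exploitability = 20 * w("AV") * w("AC") * w("Au")
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def check_bulletin(source):
    """Return (stored, recomputed, consistent) for one _source record."""
    stored = float(source["cvss"]["score"])
    recomputed = base_score(source["cvss"]["vector"])
    return stored, recomputed, abs(stored - recomputed) < 0.05

# The id and cvss block of the CVE-2014-0160 record from the response above.
HEARTBLEED = {"id": "CVE-2014-0160",
              "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/",
                       "score": 5.0}}
```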
Telegram bot with subscriptions to query results
In April, Vulners launched a bot for the Telegram messenger. It is easy to use: send the bot /subscribe followed by your search query, and you will receive new results as soon as they appear on Vulners. The main point is that it lets you build custom subscriptions to security content.

The bot accepts the same queries as the site.
This service helps security staff keep up with newly published vulnerabilities. Those who run services can subscribe to bulletins for the software they use, and pentesters can quickly learn about vulnerabilities being exploited in practice.
Want to see the latest CVE entries? No problem:
/subscribe type:cve
Want updates on exploits?
/subscribe bulletinFamily:exploit
Are your servers running Debian? Watch over their security!
/subscribe type:debian
Does Vulners have alternatives?
Vulners is not the only vulnerability aggregator. There are, for example, Secunia and OSVDB, but one closed on April 5 and the other is paid.
There is also the Russian FSTEC BDU (Information Security Threats Data Bank), but it stores only the vulnerability descriptions themselves and nothing more (no data on exploits), and frankly, they are not very formalized. In addition, the BDU provides no open API, so using it in automated scanners will not work.
Conclusions
Vulners is a unique and indispensable assistant to any hacker and security specialist. It saves a lot of time when studying and exploiting complex attack vectors. Of course, the tool is still under development, but it is already quite usable. More importantly, Vulners is open and free for the end user, and always will be.
By the way, vulnerabilities found on vulners.com can be submitted at https://hackerone.com/vulnerscom . You can search for anything. Since the project is free there is no funding for rewards, but the developers guarantee public disclosure. Contact email: support@vulners.com; other contact information is available here.

First published in Hacker magazine, issue #06/2016.