Current ThreatQ Version Filter
 

Exploit DB CDF

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Exploit DB CDF allows analysts to automatically ingest Exploit Reports from Exploit DB, a website that provides open-source intelligence around exploits, into ThreatQ.

The integration provides the the following feed:

  • Exploit DB - ingests verified and unverified exploits from Exploit DB.

The integration ingests the following system objects:

  • Indicators
    • Indicator Attributes
  • Reports
    • Report Attributes.  

The Exploit DB CDF replaces the existing ThreatQ Exploit DB Connector.   

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the OSINT option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter Description
    Ingest Exploits As Select how to ingest Exploits into ThreatQ.  Options include:
    • Reports (default)
    • Malware
    • Vulnerabilities

    You have the option of selecting two or all types.
    Ingest CVEs As Select how to ingest CVEs into ThreatQ.  Options include:
    • Indicators (default)
    • Vulnerabilities

    You have the option of selecting two or all types.
    Ingest Unverified Exploits Select whether or not to ingest unverified exploits.  This option is selected by default.  

    Exploit DB Configuration Screen
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

ThreatQuotient provides the following mapping for the CDF.  

Exploit DB

The Exploit DB feed automatically ingests verified and unverified exploits from Exploit DB.

You must make this request with 2 additional headers, else the request will return HTML.

  • X-Requested-With: XMLHttpRequest
  • User-Agent: Paw/3.1.8 (Macintosh; OS X/10.14.4) GCDHTTPRequest

GET https://www.exploit-db.com/

Sample Response:

{
    "0": "tags",
    "1": "code",
    "2": "author:id,name",
    "3": "type",
    "4": "platform",
    "draw": 1,
    "recordsTotal": 43945,
    "recordsFiltered": 43945,
    "data": [
        {
            "id": "49767",
            "description": [
                "49767",
                "jQuery 1.0.3 - Cross-Site Scripting (XSS)"
            ],
            "type_id": "WebApps",
            "platform_id": "Multiple",
            "author_id": [
                "11078",
                "Central InfoSec"
            ],
            "date_published": "2021-04-14",
            "verified": 0,
            "application_path": "",
            "application_md5": "",
            "port": 0,
            "screenshot_path": "",
            "screenshot_thumb_path": "",
            "tags": [],
            "code": [
                {
                    "id": "160539",
                    "exploit_id": "49767",
                    "code_type": "cve",
                    "code": "2020-11023"
                }
            ],
            "type": {
                "id": "6",
                "name": "webapps",
                "display": "WebApps"
            },
            "platform": {
                "id": "24",
                "platform": "Multiple"
            },
            "author": {
                "id": "11078",
                "name": "Central InfoSec"
            },
            "download": "<a href=\"/download/49767\" aria-label=\"Download49767\"><i class=\"mdi mdi-download mdi-18px\" style=\"color: #132f50\"></i></a>"
        },
        {
            "id": "49766",
            "description": [
                "49766",
                "jQuery 1.2 - Cross-Site Scripting (XSS)"
            ],
            "type_id": "WebApps",
            "platform_id": "Multiple",
            "author_id": [
                "11078",
                "Central InfoSec"
            ],
            "date_published": "2021-04-14",
            "verified": 0,
            "application_path": "",
            "application_md5": "",
            "port": 0,
            "screenshot_path": "",
            "screenshot_thumb_path": "",
            "tags": [],
            "code": [
                {
                    "id": "160537",
                    "exploit_id": "49766",
                    "code_type": "cve",
                    "code": "2020-11022"
                }
            ],
            "type": {
                "id": "6",
                "name": "webapps",
                "display": "WebApps"
            },
            "platform": {
                "id": "24",
                "platform": "Multiple"
            },
            "author": {
                "id": "11078",
                "name": "Central InfoSec"
            },
            "download": "<a href=\"/download/49766\" aria-label=\"Download49766\"><i class=\"mdi mdi-download mdi-18px\" style=\"color: #132f50\"></i></a>"
        }
    ]
}

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path ThreatQ Entity ThreatQ Object Type or Attribute Key Normalization Published Date Examples Notes
.tags Tag N/A Limited to 50 characters N/A N/A N/A
.type.display Attribute Exploit Type N/A .date_published WebApps N/A
.platform.platform Attribute Exploit Platform N/A .date_published PHP N/A
.id Attribute Exploit DB Link Formatted into URL .date_published https://exploit-db.com/exploits/{{id}} N/A
.id Attribute Exploit DB ID N/A .date_published 46572 N/A
.author_id[] Attribute Exploit Author index = 1 is taken .date_published Orion Hridoy N/A
.verified Attribute Is Verified boolean -> Yes/No .date_published Yes N/A
.code[].code Value CVE or Vulnerability Prefixed with CVE- .date_published CVE-2021-0001 Skipped if .code[].code_type is not cve
.description[] Value Report, Malware, or Vulnerability index = 1 is taken .date_published Linux Kernel 5.4 - &#039;BleedingTooth&#039 N/A
.exploit_description Description Report, Malware, or Vulnerability Formatted between <p> tags N/A N/A This is fetched from the supplemental feed (Get Exploit Text)

Exploit DB Download Supplemental

The supplemental feed will return text describing the exploit and showing examples.

GET https://www.exploit-db.com/download/{{exploit_id}}

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

Timeframe: ~4.5 Month Pull (2021-01-01 -> 2021-04-14)
Ingest Unverified Exploits: True

Metric Result
Run Time 7 minutes
Indicators 89
Indicator Attributes 363
Reports 394
Report Attributes 1,997

Known Issues / Limitations

  • The Exploit DB API does not allow time-fencing.  Users will need to check the last result of each request to verify that it falls within the last run timeframe.

Change Log

  • Version 2.0.0
    • Initial Release of the CDF  - replaces the Exploit DB Custom Connector.
    • Added the option to ingest CVEs as Vulnerabilities.
    • Added the option to choose what objects the exploits are ingested as.
    • Removed the option to ingest the vulnerable applications (actual binaries).

PDF Guides

Document ThreatQ Version
Exploit DB CDF Guide v2.0.0 4.45.0 or Greater