
I'm trying to think how I would test an application for OWASP "Using Components with Known Vulnerabilities".

If my understanding is correct, this deals a lot with out of date libraries/modules, but if one is pentesting an application (externally) how could they identify this type of information?

Anders
Bill C

3 Answers


Whilst it is sometimes possible to identify this issue whilst doing an external black-box web application review, for example by identifying outdated JavaScript libraries using retire.js, or identifying outdated web server software from banner version numbers, in general the best way to check for this is to carry out a credentialed review of the systems involved in the application to confirm the versions of software in use and check for any known issues.

With a blackbox scan you're either relying on identifying the in-use version via strings in the file (or some other heuristic) or exploiting the vulnerabilities in question.

With a whitebox review it can be easier to do, as with software which is packaged, you can more easily check the installed versions.

Rory McCune
  • Thanks for this, anything else like this for other libraries that might be used client side like other js libraries, or css, or other imports? – Jshee May 16 '18 at 13:26
  • also @Rory - how can retire.js be used against an external site? – Jshee May 16 '18 at 13:36
  • Web application scanners like Burp have plugins which use the retire.JS data to scan for outdated JS files as you browse them (https://portswigger.net/bappstore/36238b534a78494db9bf2d03f112265c) – Rory McCune May 17 '18 at 08:26
  • Also useful would be *vulners* which is available both as nmap NSE script and BurpSuite plugin. – 1lastBr3ath Jun 10 '18 at 17:01

You should check for all the technologies versions used in development of the concerned web application, be it front end/client side or server side technologies. This can be achieved by spidering/crawling the web application. Once you have the details of all the web technologies and their versions in use, you can check for published CVE IDs for the concerned web technology version in question. All outdated and vulnerable web components shall be further communicated with the developer, asking them to use the latest libraries.

The famous Equifax data breach in 2013 which affected 130 million consumers was a result of using an outdated Apache Struts Framework vulnerable version. However, a patch was in place by the time the attackers exploited it. This further illustrates the significance of using updated/latest libraries of a framework/library/web technology.

P.S. This is the approach that I use to identify Using Components with Known Vulnerabilities (A9 2013 & 2017).

Gaurav
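Both answers above describe the same black-box heuristic: crawl the application, pull the version banners that client-side libraries ship in their headers, and compare them against a list of known-bad versions. The script below is an added illustration of that step and is not code from either answer or from retire.js; the asset contents are constructed samples and the minimum-version table is a placeholder you would fill from retire.js's data or your own advisory tracking.

```python
import re

# Constructed sample of fetched client-side assets (path -> leading bytes of the file).
# The banners mimic the headers real libraries ship; these are not real downloads.
SAMPLE_ASSETS = {
    "/static/jquery.min.js": "/*! jQuery v1.8.3 jquery.com | jquery.org/license */",
    "/static/bootstrap.min.js": "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */",
    "/static/app.js": "(function(){ /* in-house code, no banner */ })();",
    "/static/angular.min.js": "/*\n AngularJS v1.6.9\n (c) 2010-2018 Google, Inc.\n*/",
}

# Banner patterns: library name -> regex with a 'ver' group. Extend as needed.
BANNER_PATTERNS = {
    "jquery": re.compile(r"jQuery\s+v(?P<ver>\d+\.\d+(?:\.\d+)?)"),
    "bootstrap": re.compile(r"Bootstrap\s+v(?P<ver>\d+\.\d+(?:\.\d+)?)"),
    "angularjs": re.compile(r"AngularJS\s+v(?P<ver>\d+\.\d+(?:\.\d+)?)"),
}

# PLACEHOLDER minimum acceptable versions, constructed for the demo only.
# Populate from retire.js's data or your advisory tracking before real use.
MIN_VERSION = {"jquery": (3, 0, 0), "bootstrap": (4, 0, 0), "angularjs": (1, 6, 0)}


def parse_version(text):
    """'1.8.3' -> (1, 8, 3); tuples compare correctly even for '1.8' vs '1.8.0'."""
    return tuple(int(p) for p in text.split("."))


def identify(content):
    """Return (library, version_tuple) or None when no known banner is present."""
    for lib, pat in BANNER_PATTERNS.items():
        m = pat.search(content)
        if m:
            return lib, parse_version(m.group("ver"))
    return None


def inventory(assets):
    """Map each asset to its detected component and whether it sits below the floor."""
    report = {}
    for path, content in assets.items():
        hit = identify(content)
        if hit is None:  # unknown or in-house file: record it, do not flag it
            report[path] = {"library": None, "version": None, "below_floor": False}
            continue
        lib, ver = hit
        floor = MIN_VERSION.get(lib)
        report[path] = {"library": lib, "version": ver,
                        "below_floor": floor is not None and ver < floor}
    return report
```

Files without a recognisable banner are listed rather than silently dropped, since a minified or renamed library is exactly the case the banner heuristic misses and a credentialed review should pick up.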

Additional to using black box vulnerability scanners as correctly mentioned already, you can also use the open source OWASP dependency checker. Basically, the checker does software composition analysis and detects publicly disclosed vulnerabilities in application dependencies.

It works similarly to scanners, however you need to provide a means for correctly identifying packages/dependencies. It could be flexibly deployed in a CI pipeline or several other possibilities. Check out the documentation for more details.

SyCode