When we first hear the term vulnerable and outdated components, what comes to mind is a component that has not been updated and contains known vulnerabilities. While designing an application there are ready-made packages that make the task easier; almost every web development organisation uses libraries and frameworks such as Bootstrap, jQuery, VueJS and ReactJS. If a component you build on becomes outdated or stops receiving security patches, your users inherit its vulnerabilities. ThreatScan helps keep users safe from this: ThreatScan’s automated engine and fully managed manual penetration test cover over 120 different checks, including the OWASP Top 10 and additional checks designed for your web application. ThreatScan is considered one of the best penetration testing as a service platforms in the industry.
How to find out if your Components are Vulnerable and Outdated
- You are likely vulnerable if you do not know the versions of the components you use, on the client side as well as the server side, including nested dependencies.
- You are likely vulnerable if the software is unsupported or out of date, or if security patches are not provided in a timely manner. This includes the OS, web/application server, database management system (DBMS), APIs, runtime environments and all other components and libraries.
- You are likely vulnerable if you do not scan for security vulnerabilities regularly and do not keep track of all the software in use.
- You are likely vulnerable if you do not fix or upgrade the underlying platform, frameworks and dependencies in a timely manner, for example when patching is only done monthly or quarterly under change control.
- You are likely vulnerable if you do not let the security team test the software after it has been updated, upgraded or patched; a developer's compatibility test is not a security test.
Believe it or not, managing the dependencies you own is a huge amount of work. It may look like just running an update command or downloading the latest version from the web, but there is much more to it: the application may break with the latest change, some features may stop working as they should, and the new version may not run on your system without breaking other dependencies.
Examples of Using Vulnerable and Outdated Components
To judge the severity of one of these findings we need to look at it from every possible angle. You will naturally want to fix whatever your internal scanner discovers, and best practice says to update every outdated dependency. But when a bug bounty report arrives for an outdated component and no impact can be demonstrated on our infrastructure, we hesitate to pay the bounty. After all, what is the harm in keeping an outdated dependency? The harm is real: what one hacker is not able to exploit can still be exploited by another. A common example on real-life targets is an outdated JavaScript library, such as an old jQuery release, with known XSS issues. So, should you report this? It depends, but I would want such reports accepted regardless of current impact, because what does not hurt you now can become a serious problem later when new functionality is added and starts passing user input through the vulnerable code.
How do Vulnerable and Outdated Components Affect Business?
This weakness can have a big impact on the business because it is easy to exploit. Once an attacker discovers which vulnerable component an application is using, exploitation is usually straightforward: exploit methods are already published on the surface web and the dark web, and the attacker only has to apply them. The result ranges from minimal impact to complete data compromise. Such flaws can bypass the application's own defenses and act as a pivot point for further attacks, for example invoking a web service with full permissions without presenting an authorization token, or achieving remote code execution. Vulnerable components also expose the application to attack techniques such as cross-site scripting (XSS), injection attacks and broken access control.
Some Past Breaches which Occurred Due to Outdated Components
- Ubuntu Forums breach (2016): an unpatched Forumrunner add-on for the vBulletin forum software.
- Equifax (a US credit bureau) breach (2017): an unpatched Apache Struts web framework, CVE-2017-5638.
- VerticalScope (internet media company) breach (2016): an outdated version of the vBulletin forum software.
How to Prevent Vulnerable and Outdated Component Vulnerabilities
- Keep an inventory of the components you use, on the client and server side and including transitive dependencies, and keep them up to date.
- Remove components and dependencies that are no longer used, to reduce the attack surface.
- Install components only from known sources and validate their integrity, for example by checking published hashes. Signed packages are always preferred.
- Watch for security patches for the components you rely on. If a package you use is no longer maintained, apply patches yourself or switch to an alternative that is well maintained and has a large user base and community.
- Deploy a web application firewall as an additional layer of defense for the application, not as a substitute for patching.
- Make sure that not only the components but also their subcomponents are up to date and free of known vulnerabilities.
- Use OWASP Dependency-Check (or an equivalent software composition analysis tool) to find out whether any component you use has a publicly disclosed vulnerability.
- Deploy a proper patch management process, make sure updates and security patches come only from trusted sources, and remove unnecessary or unused components to harden the application.
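The inventory, version and integrity checks described in the detection list above and in this prevention list, as an added example that is not code from the original article or from ThreatScan: a small software-composition check that parses a pinned component manifest, compares each version against known-vulnerable version ranges (what OWASP Dependency-Check does at scale against the NVD), and verifies a downloaded artifact against a pinned SHA-256. The manifest, the advisory ranges and the artifact bytes are constructed for this example and are not real package or CVE data.

```python
"""Minimal software-composition check for a component inventory.

Added example; not code from the original article or from ThreatScan.
It does what the prevention list describes: parse a pinned component
manifest, compare each version with known-vulnerable version ranges, and
verify the integrity of a downloaded artifact against a pinned hash.
MANIFEST, ADVISORIES and the artifact bytes are constructed for this
example and are not real package or CVE data.
"""
import hashlib
import re
from typing import NamedTuple

# Constructed inventory: the components a web app pins (name==version).
MANIFEST = """
# client side
jquery==1.11.3
bootstrap==4.6.2
react==18.2.0
# server side
leftpad-helper==0.0.9
"""


class Advisory(NamedTuple):
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive; "" means no fix exists
    summary: str


# Constructed advisory feed with hypothetical ranges (not real CVEs).
ADVISORIES = [
    Advisory("jquery", "1.0.0", "3.5.0", "constructed: XSS via HTML parsing"),
    Advisory("bootstrap", "3.0.0", "3.4.1", "constructed: XSS via data-target"),
    Advisory("leftpad-helper", "0.0.1", "", "constructed: unmaintained, no fix"),
]


def parse_version(v: str) -> tuple:
    """'1.11.3' -> (1, 11, 3). Numeric tuples compare correctly where
    strings do not ('1.9' must sort below '1.11'); short versions are
    zero-padded so '1.0' equals '1.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines into {name: version}, skipping blanks
    and comments. Names are lower-cased to match the advisory feed."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed); open-ended if no fix."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def find_vulnerable(manifest: str, advisories) -> list:
    """Return (package, version, summary) for each pinned component that
    falls inside a published vulnerable range."""
    deps = parse_manifest(manifest)
    hits = []
    for adv in advisories:
        version = deps.get(adv.package)
        if version is not None and is_affected(version, adv):
            hits.append((adv.package, version, adv.summary))
    return hits


# Integrity check: the SHA-256 recorded when the artifact was vetted.
VETTED_ARTIFACT = b"/*! constructed jquery-1.11.3.min.js */"
PINNED_SHA256 = {"jquery": hashlib.sha256(VETTED_ARTIFACT).hexdigest()}


def verify_artifact(name: str, data: bytes, pins: dict = PINNED_SHA256) -> bool:
    """Refuse an artifact whose hash differs from the pinned one (a tampered
    CDN copy, a different build) or that has no pin at all."""
    pinned = pins.get(name)
    return pinned is not None and hashlib.sha256(data).hexdigest() == pinned


if __name__ == "__main__":
    for pkg, ver, why in find_vulnerable(MANIFEST, ADVISORIES):
        print(f"VULNERABLE {pkg}=={ver}: {why}")
    print("jquery artifact ok:", verify_artifact("jquery", VETTED_ARTIFACT))
    print("tampered artifact ok:", verify_artifact("jquery", VETTED_ARTIFACT + b"x"))
```

Two details matter in practice: versions must be compared numerically (a string comparison puts 1.9 after 1.11 and silently misses the fix boundary), and an advisory with no fixed version, as for an unmaintained package, must keep matching every later release, which is exactly the "no longer maintained" case the list tells you to replace rather than wait out.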
Want to find out whether your application has vulnerable and outdated components? We recommend ThreatScan.