OWASP Top 10 : Using Components with Known Vulnerabilities
The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the ten most critical security risks to web applications. Learn more about the OWASP Top 10 through this series of short blog posts.
What is meant by using components with known vulnerabilities?
New vulnerabilities and threats emerge every day and put users at risk, but not all of them are zero-days. Most of them arise from software dependencies: components such as libraries and frameworks that are already known to be vulnerable, or that become vulnerable later because fixes are not applied or updates are not rolled out on time.
Third-party libraries and frameworks used within an application usually run with the application's full privileges. Attackers can use automated scanning tools or manual analysis of the application to look for flaws; if they find that the application uses a component with a previously disclosed vulnerability, they can try to exploit it, and they can assess the impact and their potential gain beforehand. Attackers fingerprint the dependencies in use through methods such as checking for known HTML elements, triggering errors and forced browsing.
How does using components with known vulnerabilities impact businesses?
This vulnerability poses a significant risk to the business, especially because it is so easy to exploit. Once an attacker identifies the vulnerable components an application uses, exploitation is straightforward, since the exploit methods are already available on the internet and the attacker simply has to use them. The impact ranges from minimal to serious or even complete data compromise, and can extend to server or host takeover for the organization.
This vulnerability can bypass the application's security defences and can also serve as a pivot point for other attacks; for example, attackers may invoke a web service with full permissions without supplying an authorization token, or achieve remote code execution. The weaknesses introduced by vulnerable components include injection, XSS and broken access control.
Breaches caused by known vulnerable components are among the most common exploits. A few of the organizations on the victim list are:
Equifax (a US credit bureau) - breach due to an unpatched Apache Struts web framework, CVE-2017-5638
Mossack Fonseca (Panama Papers law firm) - breach via an unpatched version of the Drupal CMS
Ubuntu Forums - breach via the Forumrunner add-on, which had not been patched
VerticalScope (internet media company) - outdated version of the vBulletin forum software in use
How to prevent attacks due to usage of known vulnerable components
The security weakness here arises mainly because most development teams fail to check whether the components and libraries they use are up to date. Preventive measures include:
Know your application: document all components (OS, web server, libraries, network components, etc.) and the versions currently used by the application, and keep that inventory well maintained.
Implement regular monitoring and security assessment testing.
Perform periodic vulnerability assessments and penetration tests, both internal and external, to confirm the security of your application in depth.
Deploy a proper patch management process, make sure updates and security patches come from trusted vendors only, and remove unneeded or unused components to harden the application.
Ensure that not only the components but also their subcomponents are up to date and free of known vulnerabilities.
Use OWASP's Dependency Check to find out whether any of the components you use have a publicly disclosed vulnerability.
Deploy a Web Application Firewall to provide defense in depth.
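The two measures that do most of the work above, keeping a versioned inventory of components and checking it against published advisories, are what a tool such as OWASP Dependency Check automates. The following script is an added example, not part of the original post and not Dependency Check's code: it parses a pinned, lockfile-style inventory (so transitive dependencies are included, which covers the "subcomponents" point) and compares each pinned version against a small advisory table. The component names, versions and advisory identifiers (EXAMPLE-ADV-001 and so on) are constructed for illustration; in practice the advisory data would come from a vulnerability database, not from a hand-written table.

```python
"""Inventory-versus-advisory check (constructed example).

Parses a pinned dependency inventory, then reports every component whose
installed version falls inside an advisory's affected range.  All names,
versions and advisory ids below are made up for illustration.
"""
import re
from dataclasses import dataclass

# Constructed inventory in the style of a pinned lockfile.  Pinning every
# component, including transitive ones, is what makes the check meaningful.
INVENTORY_TEXT = """\
# constructed sample inventory (not a real project)
webframework==2.3.1
template-engine==1.8
image-lib==4.0.2        # already upgraded past its advisory
json-parser==3.0.4
"""

# Constructed advisory table: (component, first affected version (inclusive),
# first fixed version (exclusive), advisory id).  Not real advisories.
ADVISORIES = [
    ("webframework", "2.0.0", "2.3.2", "EXAMPLE-ADV-001"),
    ("image-lib",    "0",     "4.0.1", "EXAMPLE-ADV-002"),
    ("json-parser",  "3.0.0", "3.0.5", "EXAMPLE-ADV-003"),
]


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1); a non-numeric suffix such as '-beta' is ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a, b):
    """Compare two version tuples; missing trailing components count as 0 (1.8 == 1.8.0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_inventory(text):
    """Map each pinned component name to its version, ignoring comments and blank lines."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return compare(v, parse_version(introduced)) >= 0 and compare(v, parse_version(fixed)) < 0


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    fixed_in: str


def find_vulnerable(inventory, advisories=ADVISORIES):
    """Return a Finding for every inventory entry inside an advisory's affected range."""
    findings = []
    for name, introduced, fixed, advisory_id in advisories:
        installed = inventory.get(name)
        if installed is not None and is_affected(installed, introduced, fixed):
            findings.append(Finding(name, installed, advisory_id, fixed))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(parse_inventory(INVENTORY_TEXT)):
        print(f"{f.component}=={f.version}: {f.advisory}, upgrade to >= {f.fixed_in}")
```

Run against the constructed inventory, the script flags webframework 2.3.1 and json-parser 3.0.4 but not image-lib 4.0.2, which sits past its advisory's fixed version; that distinction is why the inventory must record exact versions rather than just component names.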
Interested in learning how to find out whether your organization is using components with known vulnerabilities? Drop us a note now at firstname.lastname@example.org