(OWASP) A9 - Using Components with Known Vulnerabilities

Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, which expands the threat agent pool beyond targeted attackers to include opportunistic actors. An attacker identifies a weak component through scanning or manual analysis, customizes an existing exploit as needed and executes the attack. Exploitation becomes harder when the vulnerable component sits deep inside the application rather than at its edge.


Virtually every application has these issues, because most development teams don't focus on keeping their components and libraries up to date. In many cases the developers don't even know all the components they are using, never mind their versions. Transitive component dependencies (libraries pulled in by the libraries you chose) make things even worse.

Question 1 – Briefly describe this category:


Ans:-

  • A wealth of reusable software components is available, including open source libraries.
  • Using these components is a fast way to build feature-rich software.
  • With the free features, you also get free security bugs.
  • Open source libraries include 20-year-old code.
  • Open source maintainers are volunteers.
  • Vulnerabilities in third-party components can fall under any of the other OWASP Top 10 categories.

Question 2 – Name a few vulnerabilities that fall under this category:


Ans:- In 2014, we saw two vulnerabilities that raised huge media awareness.

  • Heartbleed – A buffer overflow vulnerability in the widely used encryption library OpenSSL.
  • Shellshock – A shell command injection vulnerability in the ubiquitous Bash Unix command-line shell.
  • Both vulnerabilities sent companies scrambling to deploy security patches.
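The defensive core of this category is knowing which components (and which versions) an application actually ships, including the transitive ones the developers never chose directly, and then matching that inventory against published advisories. The script below is an added example written for this page, not code from the original post or from OWASP. It walks a constructed "name==version" manifest plus a hand-written dependency graph (standing in for a lockfile or SBOM), then flags every component whose version falls inside an advisory's [introduced, fixed) range. The manifest, the dependency graph, the advisory identifiers (ADV-PLACEHOLDER-*) and the `fastlog` library are all constructed for the example; the OpenSSL entry mirrors the Heartbleed-era version range, but treat the numbers as illustrative and take authoritative ranges from the vendor advisory.

```python
"""Inventory an application's components (direct and transitive) and match
them against an advisory list.

Manifest, dependency graph and advisories below are constructed sample data
for this example; real tooling would read a lockfile/SBOM and a vulnerability
database instead.
"""
import re
from typing import Dict, List, Tuple

# Constructed direct-dependency manifest, one "name==version" per line.
MANIFEST = """\
webframework==2.3.1
openssl==1.0.1f
imagetools==0.9.0
"""

# Constructed transitive dependency map: each component's own pinned deps.
# Note that "fastlog" is pulled in twice, at two different versions.
DEPENDENCY_GRAPH: Dict[str, Dict[str, str]] = {
    "webframework": {"templating": "1.4.2", "fastlog": "3.0.0"},
    "imagetools": {"fastlog": "2.8.1"},
    "templating": {},
    "fastlog": {},
    "openssl": {},
}

# Constructed advisory list; each range is half-open: introduced <= v < fixed.
# IDs are placeholders, not real advisory numbers.
ADVISORIES = [
    {"component": "openssl", "id": "ADV-PLACEHOLDER-1", "title": "Heartbleed",
     "introduced": "1.0.1", "fixed": "1.0.1g"},
    {"component": "fastlog", "id": "ADV-PLACEHOLDER-2",
     "title": "log injection (fictional)", "introduced": "0.0.0", "fixed": "2.9.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.0.1f' into a comparable tuple: numeric parts padded to four
    fields, then an optional single-letter suffix mapped a=1, b=2, ...
    (the scheme OpenSSL used in the 1.0.x series). No letter means 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * max(0, 4 - len(nums))
    suffix = (ord(m.group(2)) - ord("a") + 1) if m.group(2) else 0
    return nums + (suffix,)


def resolve_inventory(manifest: str, graph: Dict[str, Dict[str, str]]
                      ) -> Dict[str, List[Tuple[str, str]]]:
    """Depth-first walk from the direct dependencies through the graph.
    Returns {component: [(version, path-that-pulled-it-in), ...]}.
    A component can appear more than once if different parents pin it
    at different versions."""
    inventory: Dict[str, List[Tuple[str, str]]] = {}
    stack: List[Tuple[str, str, str]] = []
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        stack.append((name, version, name))
    seen = set()  # (name, version) guard against cycles and duplicates
    while stack:
        name, version, path = stack.pop()
        if (name, version) in seen:
            continue
        seen.add((name, version))
        inventory.setdefault(name, []).append((version, path))
        for dep, dep_version in graph.get(name, {}).items():
            stack.append((dep, dep_version, f"{path} -> {dep}"))
    return inventory


def find_vulnerable(inventory, advisories) -> List[dict]:
    """Match every inventoried version against every advisory range."""
    findings = []
    for adv in advisories:
        lo, hi = parse_version(adv["introduced"]), parse_version(adv["fixed"])
        for version, path in inventory.get(adv["component"], []):
            if lo <= parse_version(version) < hi:
                findings.append({"component": adv["component"], "version": version,
                                 "path": path, "advisory": adv["id"],
                                 "title": adv["title"]})
    return sorted(findings, key=lambda f: (f["component"], f["path"]))


def audit(manifest=MANIFEST, graph=DEPENDENCY_GRAPH, advisories=ADVISORIES):
    return find_vulnerable(resolve_inventory(manifest, graph), advisories)


if __name__ == "__main__":
    for f in audit():
        print(f"{f['component']}=={f['version']} via {f['path']}: "
              f"{f['advisory']} ({f['title']})")
```

Running it reports two findings: the directly pinned OpenSSL build, and the older `fastlog` that only enters the tree through `imagetools`; the copy pinned by `webframework` is clean. That second result is the point of the dependency walk: a manifest-only check would never have listed `fastlog` at all.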

DEMO - Coming Soon!

~ Hack the World and Stay Noob
