Overview: Vulnerable & Outdated Components

Time
2 hours 10 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
>> Number 6 of the OWASP Top Ten 2021 is Vulnerable and Outdated Components. Our learning objectives are to describe the various types of vulnerable and outdated components, demonstrate how to test for various types of vulnerable and outdated components, and explain how to remediate vulnerable and outdated components.

What happened between 2017 and 2021? OWASP in 2017 had something at number 9 called Using Components with Known Vulnerabilities. That has since moved up to number 6, where we find it renamed Vulnerable and Outdated Components. A different name, same thing though. What happened was, as I talked about in the intro, OWASP asked the community to vote on what people thought was the most prevalent web application weakness, flaw, or issue, and the number 2 voted-for issue was vulnerable and outdated components. It just so happened that there was enough data to support this category being number 6. The two at the bottom in OWASP 2021 were the ones that were voted on, which is number 9, Security Logging and Monitoring Failures, and number 10, Server-Side Request Forgery. But again, even though this was voted number 2, the data supported it being number 6 in the OWASP Top 10 2021.

This is a very self-explanatory category. A vulnerable and outdated component could be anything from the technology stack. It could be someone running Windows XP, an IIS server on Windows XP. Maybe that version of IIS is outdated and has a known vulnerability; maybe it's running a version of MySQL that also has a known vulnerability. Again, applications, APIs, runtime environments, libraries developers use, because it could all be deprecated, old, have known vulnerabilities in them, and they need to be changed and updated.

Let's talk about some attack scenarios. The first one is very well-known and something you'll read about in the written lesson in this course. Apache Struts 2 had, or has, a very severe vulnerability, CVE-2017-5638. Of course, it came out in the year 2017. We can tell that by the CVE, but we can also tell that because of the big Equifax breach. Equifax was breached back in 2017, a lot of people's information was stolen, and that's all because it was running an outdated version of Apache Struts with a known vulnerability and they didn't update their servers. Now, I talk about this in the written lesson. This was a tough one to patch. This is a tough one to update, and although those of us in cybersecurity say to developers that you need to patch and update things, they have to weigh their options. We'll try, but when can we have downtime for the servers? When are our customers going to be using our website most often? Do we do this over the weekend? Could we do this at night? How many hours is this going to take? These are things that developers have to think about that we in security don't. We just say you need to patch this thing. For us, it's maybe easier said than done, and we should appreciate the fact that developers may have a harder time actually implementing this, but that's not to say that there aren't lessons to be learned specifically with the Equifax breach about patching a vulnerability with a CVSS score of 10, which is the highest, remote code execution. That's pretty bad.

Also, content management systems out there, things like WordPress or Drupal or Joomla. You've heard of Drupalgeddon, Drupalgeddon 2, Drupalgeddon 3. These are things that affected certain core versions of Drupal, same with WordPress, that had core vulnerabilities there. They may not be as well-known as things like the Apache Struts vulnerability because it might be something simple. It could be, I shouldn't say simple, but something not as severe, like maybe a reflected cross-site scripting vulnerability or an open redirect vulnerability. It's not nearly as severe as remote code execution, but there are plenty of people who have stood up WordPress sites, have forgotten about them, have plug-ins that are outdated, have themes that are outdated, and attackers will run tools like WPScan, find an old version of a plug-in that's vulnerable to something like SQL injection, and exploit that vulnerability because the person didn't patch or update that plug-in, theme, or core version of WordPress.

The factors here: as opposed to some of the other Top 10 in 2021, there are only three CWEs mapped to this number 6, Vulnerable and Outdated Components. We can see the max incidence rate is almost 30 percent. We have a weighted exploitability score of five and an impact score of five. Why's that? OWASP said that they did that because there are zero total CVEs mapped to the CWEs, and they just averaged it out at five. You can read about that here at the link at the bottom on the right, or on the OWASP site. The total occurrences though were 30,457. That's a lot. That's why it's number 6. Here are the three CWEs, and they may look familiar. You'll see here that some CWEs map directly to OWASP and previous versions of OWASP: OWASP Top 10 2013, Using Components with Known Vulnerabilities; OWASP Top 10 A9 for 2017, Using Components with Known Vulnerabilities. The third one here, 1104, is Use of Unmaintained Third Party Components.

How do we prevent this? A lot of companies will use dynamic application scanning tools, DAST tools, because this is really low-hanging fruit. It's easy to do banner grabs, enumerate the technology, and see if it's outdated. Of course, I've come across situations where it has been updated; it's just the fact that the banner still shows an outdated version, and it's just a false positive. Of course we have to check that, right? We have to check and make sure that if a DAST scanner, or for me manually scanning a website, comes across something and it says that it is outdated or vulnerable, now as a pen tester, I'm going to try to exploit that. Of course, only pen test applications that you have authority to do that on, that you have express permission to do that on. That is what I do as a pen tester: try to validate, verify that that is in fact an outdated component that can be exploited. We need to continuously inventory the versions of both client-side and server-side components, and only obtain components from official sources over secure links. You may see hash values like MD5 hash values or SHA hash values for files. That's when you download it. You can run tools to make sure that the hashes match up. Then you've in fact downloaded that correct library or the correct file, and it hasn't been corrupted with malware or isn't an outdated version. Also monitor for libraries and components that are unmaintained or do not create security patches for older versions.

All that being said, in the next lesson, I'm actually going to show you the Apache Struts vulnerability you've heard so much about. But now you should know how to describe vulnerable and outdated components, how to test for vulnerable and outdated components, and ways to remediate or prevent vulnerable and outdated components.