Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear. This is the OWASP Top 10 for 2013, A9, Using Components with Known Vulnerabilities demo. We're going to look at libraries used within a Web application
and their CVSS scores.
This is the demo for A9, Using Components with Known Vulnerabilities.
What we're going to do is take a look at the PHP Information page in Mutillidae. Now, you can easily get to this page either by editing the page= parameter in the URL, or you can actually go to
Information Disclosure > PHP Info Page in the menu.
Now, what you'll find here is just a plethora of information about what this particular Web application is using.
We have a PHP version number. We have the system and the version that it's running on. We've got the compiler and the version of that,
and so on. And we've even got that it's running the Apache 2.0 Handler.
So all of these things become candidates to look into to find out if they have
vulnerabilities of their own because they're used within the Web application.
In some cases, in the sense of APIs, they're actually integrated into the application.
So one of the easiest ways for us to determine what the vulnerabilities are in these third-party products and libraries
is to actually use the National Vulnerability Database.
Now, that site actually references, in turn,
the CVE (Common Vulnerabilities and Exposures) database inside of there. It references the CVSS score, which is the Common Vulnerability Scoring System score. But probably the simplest way to do this is just to go to Google,
type in CVSS and then the product that you're going to look up. So in this case, we want to check out the version of PHP that this Web application is running.
The very first hit that we get goes to cvedetails.com,
and as you can see in there, we're going to have plenty of CVSS scores to look at. So let's go ahead and click the link,
and so you can see the vulnerability details. It always has a number,
and then you can see the CVSS score. If you were curious and you wanted to know how this score was calculated, you can actually go to the website and look at the calculator and get more information. But as I mentioned, all of these things reference back
to the National Vulnerability Database.
But it's probably easiest to just Google for this stuff. And as you can see, this version of PHP has quite a number of problems.
Now, we could continue our research
and look into the Apache version or, of course, Windows NT, and we would find similar things. And so this is probably the best way to determine
if you are using components that do have known vulnerabilities.
Now, just one final note, and that is on mitigations and patching. So if we take one of the details here and we click the CVE number, it takes us to a more detailed page about that particular vulnerability.
If you scroll down past the CVSS scores and vulnerability types, you'll see a related OVAL definition. Now, OVAL actually stands for
Open Vulnerability and Assessment Language, and
this section is designed to provide the patches that would need to be applied. You could click this link here, which
would take you to another page,
and on this page you would see the security updates that need to be applied,
and so it talks about the versions
and the particular platforms, and so you would choose the one most appropriate for you and apply the patch.
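The procedure in this demo (read the component versions off phpinfo, look them up, read the CVSS scores, then rank what to patch) can be scripted. The following is an added example written for this page, not code from the course or from Mutillidae. The phpinfo excerpt and the findings table are constructed inline so it runs offline; the finding IDs are placeholders, not real CVEs. The `nvd_cpe_url` helper only builds the NVD API 2.0 query URL for a CPE name (it does not perform the request), and `cvss2_base_score` implements the published CVSS v2 base-score formula, which is the version of the calculator the 2013-era pages referenced.

```python
"""Added example: inventory components from phpinfo output, build the NVD lookup
URL, and rank constructed findings by their CVSS v2 base score."""
import re

# Constructed excerpt of the text a phpinfo() page exposes (not captured from any real host).
PHPINFO_TEXT = """PHP Version 5.3.2-1ubuntu4.30
System Linux mutillidae 2.6.32 #1 SMP x86_64
Build Date Nov 12 2013
Server API Apache 2.0 Handler
Compiler cc
"""

# Constructed findings table; IDs are placeholders, not real CVE numbers.
FINDINGS = [
    {"id": "FINDING-A", "product": "php", "fixed_in": "5.3.3",
     "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"id": "FINDING-B", "product": "php", "fixed_in": "5.3.1",   # already fixed in 5.3.2
     "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"id": "FINDING-C", "product": "php", "fixed_in": "5.4.0",
     "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"},
]

# CVSS v2 base metric weights from the v2 specification.
CVSS2_METRICS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}


def extract_components(text):
    """Pull the version-bearing phpinfo fields into a dict keyed by field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(PHP Version|System|Server API)\s+(.*)", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def version_tuple(version):
    """'5.3.2-1ubuntu4.30' -> (5, 3, 2). The distro suffix is dropped on purpose:
    it carries backported fixes that an upstream version compare cannot see."""
    return tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))


def nvd_cpe_url(vendor, product, version):
    """NVD API 2.0 query for one CPE 2.3 name; 'cpeName' is the documented parameter.
    Nothing is fetched here."""
    cpe = f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"
    return "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=" + cpe


def cvss2_base_score(vector):
    """CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    w = {k: CVSS2_METRICS[k][m[k]] for k in CVSS2_METRICS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    if impact == 0:          # f(Impact) = 0 when there is no impact at all
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def triage(components, findings):
    """Findings whose fix version is newer than the running PHP, worst score first.
    Treat this as a candidate list: a version-string match is not confirmation
    on distro builds that backport patches (the OVAL definitions cover that)."""
    running = version_tuple(components["PHP Version"])
    hits = [(f["id"], cvss2_base_score(f["vector"]))
            for f in findings
            if f["product"] == "php" and running < version_tuple(f["fixed_in"])]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    comps = extract_components(PHPINFO_TEXT)
    print(comps)
    print(nvd_cpe_url("php", "php", comps["PHP Version"].split("-")[0]))
    for finding_id, score in triage(comps, FINDINGS):
        print(f"{finding_id}: CVSS v2 base {score}")
```

The version compare deliberately strips the `-1ubuntu4.30` suffix, which is exactly the caveat the OVAL section above exists for: a vendor build can carry a backported fix while still reporting the old upstream version, so the per-platform patch definition, not the bare version string, decides whether a finding actually applies.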