Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

This lesson offers a demonstration of the libraries used in an application and their CVSS scores. It looks at the PHP information page in Mutillidae to see what a particular web application is using, all of which is helpful in discovering whether there are vulnerabilities. An easy way to determine vulnerabilities in applications and libraries is to access the National Vulnerability Database. This lesson also presents a brief explanation of mitigations and patching.
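The lesson's workflow is: read the component inventory off a page like phpinfo(), then check each component's version against a vulnerability feed and rank what you find by CVSS. The script below is an added example of that check, not code from the course or from Mutillidae. It parses a constructed phpinfo()-style excerpt, matches the PHP version against constructed vulnerability records shaped like simplified NVD version-range data (the CVE ids are placeholders, not real identifiers), builds the NVD CVE API 2.0 `cpeName` lookup URL (an assumed endpoint format; verify it against current NVD documentation), and labels the result with the CVSS v3 severity bands.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote

# Constructed excerpt in the style of a phpinfo() page; not real output
# from the Mutillidae instance shown in the video.
PHPINFO_TEXT = """
PHP Version 5.3.3
System Linux webhost 2.6.32-generic #1 SMP x86_64
Server API Apache 2.0 Handler
"""

# Constructed records shaped like simplified NVD version-range match data.
# The CVE ids are placeholders, not real identifiers.
VULN_FEED = [
    {"id": "CVE-0000-0001", "product": "php",
     "versionStartIncluding": "5.3.0", "versionEndExcluding": "5.3.4", "cvss": 7.5},
    {"id": "CVE-0000-0002", "product": "php",
     "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.4.0", "cvss": 4.3},
    {"id": "CVE-0000-0003", "product": "php",
     "versionStartIncluding": "5.2.0", "versionEndExcluding": "5.3.0", "cvss": 9.8},
]


def parse_version(text):
    """Turn '5.3.3' into (5, 3, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


@dataclass(frozen=True)
class Component:
    vendor: str
    product: str
    version: str

    def cpe(self):
        """CPE 2.3 name in the form the NVD API expects (assumed format)."""
        return f"cpe:2.3:a:{self.vendor}:{self.product}:{self.version}:*:*:*:*:*:*:*"


def inventory_from_phpinfo(text):
    """Extract the PHP version from phpinfo()-style text.

    The 'Server API Apache 2.0 Handler' line names the PHP SAPI module, not
    the httpd version, so it is deliberately not used to infer an Apache
    version; that would need the Server header or the httpd binary itself.
    """
    comps = []
    m = re.search(r"^PHP Version (\d+(?:\.\d+)+)", text, re.MULTILINE)
    if m:
        comps.append(Component("php", "php", m.group(1)))
    return comps


def nvd_query_url(component):
    """NVD CVE API 2.0 cpeName lookup URL (assumed endpoint; verify before use)."""
    return ("https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName="
            + quote(component.cpe(), safe=":*"))


def is_affected(version, record):
    """True when version lies in [versionStartIncluding, versionEndExcluding)."""
    v = parse_version(version)
    start = parse_version(record["versionStartIncluding"])
    end = parse_version(record["versionEndExcluding"])
    return start <= v < end


def cvss_severity(score):
    """CVSS v3 qualitative rating bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def assess(components, feed):
    """Map each component's CPE to its matching CVEs, worst CVSS score and severity."""
    report = {}
    for c in components:
        hits = [r for r in feed if r["product"] == c.product and is_affected(c.version, r)]
        hits.sort(key=lambda r: r["cvss"], reverse=True)  # worst first
        max_score = hits[0]["cvss"] if hits else 0.0
        report[c.cpe()] = {
            "cves": [r["id"] for r in hits],
            "max_cvss": max_score,
            "severity": cvss_severity(max_score),
            "nvd_url": nvd_query_url(c),
        }
    return report


if __name__ == "__main__":
    for cpe, r in assess(inventory_from_phpinfo(PHPINFO_TEXT), VULN_FEED).items():
        print(cpe, r["severity"], r["max_cvss"], r["cves"])
        print("  check:", r["nvd_url"])
```

The version comparison is done on integer tuples because string comparison would rank "5.10.0" below "5.3.3"; the SAPI line is parsed but intentionally not turned into an Apache version, since "Apache 2.0 Handler" names the module interface and says nothing about which httpd release is installed.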

Video Transcription

00:04
Hello and welcome to the Cybrary Secure Coding course. I'm Sunny Wear, and this is the OWASP Top 10 for 2013, A9: Using Components with Known Vulnerabilities, demo. We're going to look at libraries used within a web application
00:21
and their CVSS scores.
00:25
This is the demo for A9, Using Components with Known Vulnerabilities.
00:31
What we're gonna do is take a look at the PHP Information page in Mutillidae. Now, you can easily get to this page either by hacking the page= parameter, or you can actually go to
00:46
Information Disclosure, PHP Info Page.
00:50
Now, what you'll find here is just a plethora of information about what this particular web application is using.
01:00
We have a PHP version number. We have a system and the version that it's running on. We've got a compiler and the version of that,
01:11
and so on. And we've got even that it's running the Apache 2.0 Handler.
01:19
So all of these things become candidates to look into to find out if they have
01:26
vulnerabilities of their own, because they're used within the web application.
01:33
In some cases, in the sense of APIs, they're actually integrated into the application.
01:40
So one of the easiest ways for us to determine what the vulnerabilities are in these third-party products and libraries
01:49
is to actually use the National Vulnerability Database.
01:53
Now, that site actually references, in turn,
01:57
the common vulnerabilities database inside of there. It references the CVSS score, which is just the common vulnerability severity score. But probably the simplest way to do this is just to go to Google
02:15
and
02:16
type in CVSS and then the product that you're gonna look up. So in this case, we want to check out the version of PHP that this web application is running.
02:28
The very first hit that we get goes to cvedetails.com,
02:35
and as you can see in there, we're going to have plenty of CVSS scores to look at. So let's go ahead and click the link,
02:43
and so you can see the vulnerability details. It always has a number,
02:50
and then you can see the CVSS score. If you were curious and you wanted to know how this score was calculated, you can actually go to the website and look at the calculator and get more information. But as I mentioned, all of these things reference back
03:08
to the National Vulnerability Database.
03:13
But it's probably easiest to just Google for this stuff. And as you can see, this version of PHP has quite a number of problems
03:21
now. We could continue our research
03:23
and look into the Apache version, or, of course, Windows NT, and we would find similar things. And so this is probably the best way to determine
03:37
if you are using components, and they do have known vulnerabilities.
03:42
Now, just one final note, and that is on mitigations and patching. So if we take one of the details here and we click the CVE number, it takes us to a more detailed page about that particular vulnerability.
04:00
If you scroll down past the CVSS scores and vulnerability types, you'll see a related OVAL definition. Now, OVAL actually stands for
04:13
Open Vulnerability and Assessment Language,
04:16
and
04:17
this section is designed to provide the patches that would need to be applied. You could click this link here;
04:28
it would take you to another page,
04:30
and on this page you would see the security updates that need to be applied,
04:36
and so it talks about the versions
04:40
and the particular platforms, and so you would choose the one most appropriate for you and apply the patch.


Instructed By

Sunny Wear
Instructor