Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013, A9: Using Components with Known Vulnerabilities. Lab: WebGoat, looking at the libraries that are used in WebGoat and their CVSS scores. Now, for this lab, we're going to take a look at the bundled distribution of WebGoat. And so, if we were to go ahead and open up a terminal,
and I'm going to make this a little bit bigger.
So if I wanted to find out the location where the binaries are running for this particular application, I could just grep. I'm going to grep for Tomcat. And what it does is it tells me where Tomcat is running.
And so if I go to that directory, I can see that there's a webapps directory, and I can see my WebGoat there. So I've got the war file, of course, exploded when it was deployed, and it created this WebGoat directory.
So once I'm inside of there, I can actually see the contents of the war file. You want to go to this WEB-INF, because that's going to have the additional libraries that have been added to the distribution.
So if we take a look at this lib directory here, we can see that there are lots of jar files that are added. So all of these jar files represent third-party components, and all of these look like they're open source. So that makes it super easy to google them and determine if they have any CVSS scores associated with them.
So I'm going to go ahead and take a look at a couple of them. Maybe this Axis one, and maybe this commons-fileupload. So let me switch over.
So googling the Axis one first, I'm just going to type in the letters CVSS, the word axis, and then the version that I'm looking for. I do receive a hit on the 1.2.1, so I'll click that, and that looks like it's of interest to us. So we've got several CVSS items that are listed here.
Now, if I take a look at the next one, the commons-fileupload, and put a version number with this one, you could, or you could just leave it generic like that, and it looks like it's this first link here. So I'll click that, and it definitely has a couple of CVE numbers associated.
And once again, if you click these numbers in detail and you go down to the OVAL section, you will see a link for getting information about patches, and you just look for the particular environment that you're running on, the particular platform, and get the appropriate patch.
So your assignment is to basically go through all of the libraries that are used and determine if there are known vulnerabilities for those libraries.
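The manual steps in the lab (find where Tomcat runs, walk into webapps/WebGoat/WEB-INF/lib, read each jar's name and version off the filename) as an added POSIX shell script. This is not course material or WebGoat code: it parses a `ps` line for `-Dcatalina.base=`, then turns every jar in a lib directory into an artifact/version pair (also reading `Implementation-Version` from the manifest when `unzip` is installed, since filenames are not always honest) that you can search for by hand or feed to a scanner such as OWASP Dependency-Check. The Tomcat path, the `ps` line and the jar names used in the comments are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the course: inventory the third-party jars under a
# deployed webapp's WEB-INF/lib so each artifact/version can be looked up.
# The paths and sample jar names below are constructed assumptions.

# Lab step 1, "grep for Tomcat": given one line of `ps -ef` output, pull out
# the -Dcatalina.base=... value, which is the directory that holds webapps/.
catalina_base_from_cmdline() {
  printf '%s\n' "$1" | sed -n 's/.*-Dcatalina\.base=\([^ ]*\).*/\1/p'
}

# Split a jar filename such as commons-fileupload-1.2.1.jar into "name version".
# The version is the trailing dash-separated component that begins with a digit
# (so foo-2.0-rc1.jar gives "foo 2.0-rc1"); a jar with no version in its name
# reports UNKNOWN so it is not silently skipped.
jar_name_version() {
  base=$(basename "$1" .jar)
  version=$(printf '%s\n' "$base" | sed -n 's/^.*-\([0-9][0-9A-Za-z.-]*\)$/\1/p')
  if [ -z "$version" ]; then
    printf '%s UNKNOWN\n' "$base"
  else
    name=${base%"-$version"}
    printf '%s %s\n' "$name" "$version"
  fi
}

# Filenames can be renamed or stripped of their version, so also read
# Implementation-Version from META-INF/MANIFEST.MF when unzip is available.
# Prints nothing if the manifest cannot be read.
jar_manifest_version() {
  command -v unzip >/dev/null 2>&1 || return 0
  unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null \
    | tr -d '\r' \
    | sed -n 's/^Implementation-Version: *//p' \
    | head -n 1
}

# Walk a lib directory and print one line per jar:
#   <name> <version from filename> <version from manifest, or - if none>
inventory_lib_dir() {
  for jar in "$1"/*.jar; do
    [ -e "$jar" ] || continue
    nv=$(jar_name_version "$jar")
    mv=$(jar_manifest_version "$jar")
    printf '%s %s\n' "$nv" "${mv:--}"
  done
}

# Usage (assumed path): sh inventory.sh /opt/tomcat/webapps/WebGoat/WEB-INF/lib
# Take the base directory from catalina_base_from_cmdline on your own ps output.
if [ -n "${1:-}" ]; then
  inventory_lib_dir "$1"
fi
```

The output is deliberately one artifact per line so it can be sorted, diffed against the previous deployment, or piped into a lookup; when the filename version and the manifest version disagree, trust the manifest and check both versions, because a renamed jar is exactly the case a filename-only search misses.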