Vulnerable and outdated components

Your code has more dependencies than ever, but are they secure?


Vulnerable and outdated components: the basics

What is a vulnerable and outdated component?

A vulnerable component is a software component (a library, framework or module, including anything it pulls in transitively) with a publicly known security vulnerability. An outdated component is one that is behind the current release or is no longer supported by its maintainers. Outdated components are especially risky because known vulnerabilities in them never get fixed, often simply because nobody maintains the package any more.

Applications often become vulnerable to attacks because they use outdated software components with known security vulnerabilities. Attackers can exploit these to read the application's data or to take control of the application entirely, and because the vulnerabilities are public, exploitation usually takes little skill: the advisory, and sometimes a working exploit, are already available to anyone who looks. Timely patching is therefore a vital part of a security posture.

About this lesson

In this lesson, you will learn how vulnerable and outdated components affect the security of an application, and how to protect your applications against them. We will step into the shoes of a malicious attacker who gains access to her ex-employer's cloud account by exploiting an outdated npm package.

FUN FACT

OWASP top 10

Vulnerable and outdated components remain on the OWASP Top 10: in 2021 the category is A06:2021 Vulnerable and Outdated Components, and it also appeared in the 2013 and 2017 lists, both times as A9, Using Components with Known Vulnerabilities.

Vulnerable and outdated components in action

Sunny is a developer by day, and a hacker by night, who was recently unfairly (or so she says) fired from her job at a web development agency called DevShop. She's got revenge on her mind — and a whole lot of free time. Maybe it's time to put some of those hacking skills to good use!

Sunny takes a look at her ex-employer's main website, devshop.io. The page lets potential clients upload files that illustrate the projects they would like to have built. A file can either be uploaded from the client's own machine, or the client can supply a URL and the server fetches the file itself. That second option means the server makes outbound requests to addresses chosen by the user, exactly the surface that server-side request forgery (SSRF) attacks target, so whatever check the server performs on that URL is security-critical.

Taking advantage of vulnerable and outdated components


Setting the stage

Sunny is looking for revenge on her ex-employer, devshop.io. Let's see if we can take advantage of some vulnerable and outdated components!


Vulnerable and outdated components under the hood

In this case, the website fetched the user-supplied URL on the server after validating its hostname with an old version of an npm package called parse-url. That version has a known vulnerability: for certain inputs the package reports a different hostname than the one a request to that URL actually reaches. The validation therefore looks at one host while the HTTP client connects to another, which lets the attacker bypass the hostname check.

The backend code might look something like this:

Of course, a denylist of forbidden hostnames is the wrong control to begin with: there are many ways around it (alternative encodings of the same IP address, DNS names that resolve to internal addresses, redirects from an allowed host), so an allowlist of permitted hosts should be used instead. That is not how Sunny exploited this issue, though. Instead, she used CVE-2022-2900, a server-side request forgery vulnerability in the parse-url npm package, to bypass the check. You can find more details about this vulnerability in the Snyk Vulnerability Database.
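The following is an added example, not code from this lesson or from parse-url. It shows the general bug class the scenario is built on: a hostname check made with one URL parser while the HTTP client parses the same string by its own rules. naiveHostname is a constructed, deliberately sloppy parser standing in for the buggy library (it is not parse-url's actual defect), DENYLIST, ALLOWED_HOSTS and PAYLOAD are assumptions made for the example, and allowlistedUrl is the hardened replacement for the denylist check.

```javascript
// Added example, not the lesson's or parse-url's code. Demonstrates a parser
// differential: the check sees one hostname, the HTTP client connects to another.

// Denylist of internal targets: the approach the text warns against.
const DENYLIST = new Set(["localhost", "127.0.0.1", "0.0.0.0", "169.254.169.254", "[::1]"]);

// Constructed sloppy parser (NOT parse-url's logic): takes everything after
// "scheme://" up to the first "/", ":", "?" or "#" and calls it the hostname.
// It forgets that "user@" may precede the real host.
function naiveHostname(url) {
  const m = /^https?:\/\/([^/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// The WHATWG parser, which fetch/undici and most HTTP clients actually use.
// It strips userinfo and normalises IPv4 shorthand (127.1 -> 127.0.0.1).
function standardHostname(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname;
  } catch {
    return null;
  }
}

// The vulnerable pattern: validate the raw string with one parser, then hand
// the same raw string to an HTTP client that parses it again.
function denylistAllows(hostnameFn, url) {
  const host = hostnameFn(url);
  return host !== null && !DENYLIST.has(host);
}

// Hardened version: allowlist of hostnames, checked on the very URL object the
// request will be made with. The caller must fetch the returned object, never
// the original string, so no second parse can disagree with the check.
// (DNS rebinding and redirects from an allowed host still need handling at the
// client, e.g. by disabling redirects and re-checking the resolved address.)
const ALLOWED_HOSTS = new Set(["cdn.example.com", "assets.example.com"]); // assumed for the example

function allowlistedUrl(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null;
  if (u.username || u.password) return null; // reject embedded credentials outright
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;
  return u;
}

// Constructed attacker input. The sloppy parser reports "attacker@169.254.169.254",
// which is not on the denylist; the real client connects to 169.254.169.254,
// the cloud metadata service.
const PAYLOAD = "http://attacker@169.254.169.254/latest/meta-data/";

console.log("naive parser sees:   ", naiveHostname(PAYLOAD));
console.log("real client connects:", standardHostname(PAYLOAD));
console.log("denylist (naive)  allows payload:", denylistAllows(naiveHostname, PAYLOAD));
console.log("denylist (WHATWG) allows payload:", denylistAllows(standardHostname, PAYLOAD));
console.log("allowlist allows payload:", allowlistedUrl(PAYLOAD) !== null);
```

The fix is not a better denylist but removing the second parse: parse once, decide on that parsed object, and fetch that object.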

What is the impact of vulnerable and outdated components?

The impact of this type of weakness varies considerably with the vulnerability in the outdated component: a denial of service in a logging library is not the same as remote code execution in a web framework. At worst it can result in the complete loss of data integrity, data confidentiality and system availability.


Vulnerable and outdated components mitigation

Awareness

Perhaps the most fundamental part of the mitigation is knowing which modules your project actually uses, transitive dependencies included. From the project root (the folder containing package.json), run npm ls to print the installed dependency tree; on npm 7 and later plain npm ls shows only direct dependencies, so use npm ls --all to include everything that is installed.

To check whether any of them have known vulnerabilities, run snyk test (or npm audit, below). snyk fix goes one step further and upgrades the vulnerable packages it can. The output below is from snyk fix on a Python (Poetry) project rather than on the npm application in this lesson, but the shape of the report is the same: what was scanned, what was upgraded, and a summary by severity.

► Running `snyk test` for /Users/lili/www/snyk/python-fix/packages/poetry/test/system/workspaces/with-pins
✔ Looking for supported Python items
✔ Processed 1 pyproject.toml items
✔ Done

Successful fixes: ../python-fix/packages/poetry/test/system/workspaces/with-pins/poetry.lock
✔ Upgraded django from 2.2.13 to 2.2.18
✔ Upgraded jinja2 from 2.11.2 to 2.11.3

Summary:
1 items were successfully fixed
10 issues: 4 High | 3 Medium | 3 Low
10 issues are fixable
10 issues were successfully fixed

You can also run npm audit, which checks the installed tree against published advisories (the links in the report point at the GitHub Security Advisories). For the application in this lesson, the report shows the two parse-url advisories:

# npm audit report
parse-url <=8.0.0
Severity: critical
parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing - https://github.com/advisories/GHSA-pqw5-jmp5-px4v
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url - https://github.com/advisories/GHSA-j9fq-vwqv-2fm2
fix available via `npm audit fix`
node_modules/parse-url
1 critical severity vulnerability

Fixing outdated and vulnerable NPM packages

To fix the vulnerabilities found in those packages, you can run snyk fix (https://docs.snyk.io/snyk-cli/test-for-vulnerabilities/automatic-remediation-with-snyk-fix) or, with npm, npm audit fix. Note that npm audit fix only applies updates allowed by the version ranges in your package.json; a fix that is only available in a new major version requires npm audit fix --force or a manual change to the dependency, and either can introduce breaking changes, so re-run your tests afterwards.

Keep modules up to date

You can check which modules in your project are out of date by running npm outdated. Before you update, make sure you test! Updating directly in the production environment comes with risk, and testing in a dev environment first can save you a lot of headaches. See, for example, this axios issue: https://github.com/axios/axios/issues/5038

Check used modules for known vulnerabilities

You can find vulnerable packages in your project by using Snyk. Just run snyk test in your terminal. You can find out more in the Snyk CLI documentation.
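To make concrete what the inventory step (npm ls) and the check step (snyk test, npm audit) do together, here is an added example, not Snyk's or npm's code: a minimal scanner that walks a package-lock.json, collects every installed package (nested copies included) and crosses it with a list of vulnerable version ranges. The lockfile contents, the package versions and the advisory entry are constructed for the example; only the parse-url range <=8.0.0 is taken from the npm audit report above. The range matcher handles the simple comparator ranges audit reports use, not full semver.

```javascript
// Added example: a toy "which installed packages fall in a vulnerable range?"
// check. Not Snyk's or npm's code; lockfile and advisory data are constructed.

// Constructed package-lock.json (lockfileVersion 2/3 layout: "packages" is keyed
// by the node_modules path, so nested duplicates show up as separate entries).
const LOCKFILE = JSON.stringify({
  name: "devshop-upload-service",
  lockfileVersion: 3,
  packages: {
    "": { name: "devshop-upload-service", version: "1.0.0" },
    "node_modules/parse-url": { version: "6.0.5" },
    "node_modules/parse-path": { version: "4.0.4" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/some-lib/node_modules/parse-url": { version: "8.1.0" },
  },
});

// Constructed advisory list. The parse-url range matches the npm audit report in
// the text; the title is a summary of the two advisories, not an official id.
const ADVISORIES = [
  { name: "parse-url", range: "<=8.0.0", title: "hostname spoofing / SSRF" },
];

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; pre-release/build tags are dropped.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Comparator result: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Ranges like "<=8.0.0", "<8.1.0" or ">=1.0.0 <2.0.0" (space-separated clauses
// are ANDed). Anything else is rejected rather than silently matched.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const op = m[1] || "=";
    const c = compareVersions(version, m[2]);
    return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[op];
  });
}

// Inventory: every installed package as { path, name, version }. The package
// name is whatever follows the last "node_modules/", which also handles
// scoped packages (node_modules/@scope/name) and nested copies.
function installedPackages(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ path, name, version: entry.version });
  }
  return out;
}

// Cross the inventory with the advisories; returns one hit per vulnerable copy.
function findVulnerable(lockfileJson, advisories = ADVISORIES) {
  const hits = [];
  for (const pkg of installedPackages(lockfileJson)) {
    for (const adv of advisories) {
      if (adv.name === pkg.name && satisfies(pkg.version, adv.range)) {
        hits.push({ ...pkg, title: adv.title });
      }
    }
  }
  return hits;
}

for (const hit of findVulnerable(LOCKFILE)) {
  console.log(`${hit.path}@${hit.version}: ${hit.title}`);
}
```

Only the top-level parse-url 6.0.5 is reported; the nested 8.1.0 copy is outside the range. Real tools do the same walk with a full semver implementation and a live advisory feed, which is why running npm audit or snyk test on the actual project is the step that matters.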

Keep learning

Learn more about Snyk and how we can keep your applications secure

  • Snyk Code - find and fix vulnerabilities in your source code during the coding stage in your native workflow
  • Snyk Container - find and fix vulnerabilities in container images and Kubernetes applications
  • the Snyk Web UI provides a browser-based experience, along with functions such as configuration settings, filtering and fixing discovered issues, and reports

Congratulations

Now you know all about vulnerable and outdated components! You also know about the risks and mitigation techniques. We hope that you will apply this knowledge to make your applications safer. We'd really appreciate it if you could take a minute to rate how valuable this lesson was for you and provide feedback to help us improve! Also, make sure to check out our lessons on other common vulnerabilities.