Vulnerable and outdated components

A vulnerable and outdated component is a software component that is no longer being supported by the developer, making it susceptible to security vulnerabilities. Many times, a component has known vulnerabilities that don’t get fixed due to a lack of maintainer.

Applications often become vulnerable to attacks because they use outdated software components with known security vulnerabilities. Hackers can exploit these vulnerabilities to gain access to the application's data or to take control of the application entirely. Outdated software components are also more likely to contain security vulnerabilities, as timely patching is a vital part of security posture.

In this lesson, you will learn about how vulnerable and outdated components can affect the security of an application, and how to protect your applications against them. We will step into the shoes of a malicious attacker who is able to gain access to the ex-employer's cloud account by exploiting an outdated NPM package.

Sunny is a developer by day, and a hacker by night, who was recently unfairly (or so she says) fired from her job at a web development agency called DevShop. She's got revenge on her mind — and a whole lot of free time. Maybe it's time to put some of those hacking skills to good use!

Sunny takes a look at the main website of her ex-employer: devshop.io. There's functionality on the page for potential clients to upload files to better demonstrate the projects that they'd like to have developed. The file can either be uploaded from your local machine, or a URL can be specified.

In this case, the website was using an old version of an npm package called parse-url, which has a known vulnerability. This vulnerability occurs because the package incorrectly parses URLs in a specific way that allows the attacker to bypass hostname validation.

The backend code might look something like this:

Of course, we should never denylist URLs like this because there are many workarounds, but that's not how Sunny exploited this issue. Instead, she used CVE-2022-2900, a vulnerability in the parse-url node package, to bypass the check. You can find more details about this vulnerability in the Snyk Vulnerability Database.

The impact of this type of vulnerability varies considerably depending on the type of vulnerability that the outdated/vulnerable component is. At worst it can result in the complete loss of data integrity, data confidentiality and system availability.

Perhaps the most fundamental part of the mitigation is awareness of the modules that you are using in your project. In order to view which packages are being utilized, you can navigate to your application's parent folder and run npm ls.

To check if any of them have known vulnerabilities, you can run snyk fix.

You can also run npm audit fix. In this case, the output shows the details of the parse-url vulnerability.

To fix any vulnerabilities in those packages, you can simply run snyk fix (https://docs.snyk.io/snyk-cli/test-for-vulnerabilities/automatic-remediation-with-snyk-fix) or alternatively, you can run npm audit fix.

To fix any vulnerabilities in those packages, you can simply run snyk fix (https://docs.snyk.io/snyk-cli/test-for-vulnerabilities/automatic-remediation-with-snyk-fix).

You can check which modules are out of date in your project by running apt list –upgradable.

In the example of DevShop, Python2 was used. Python2 is EOL (End Of Life) and DevShop should have upgraded to Python3.

You can check which modules are out of date in your project by running npm outdated. Before you update, make sure you test! Updates directly to the production environment comes with risk. Testing in a dev environment can save you a lot of headaches! Check out this recent issue: https://github.com/axios/axios/issues/5038

You can find vulnerable packages in your project by using Snyk. Just run snyk test in your terminal. You can find out more about the Snyk CLI here.

Learn more about Snyk and how we can keep your applications secure

• Snyk Code - find and fix vulnerabilities in your source code during the coding stage in your native workflow
• Snyk Container - find and fix vulnerabilities in container images and Kubernetes applications
• the Snyk Web UI provides a browser-based experience, along with functions such as configuration settings, filtering and fixing discovered issues, and reports