Vulnerable and outdated components
Your code has more dependencies than ever, but are they secure?
What is a vulnerable and outdated component?
A vulnerable component is a software component (a library, framework, or other module your application depends on) with a known security vulnerability. An outdated component is one that is behind the version in which such a vulnerability was fixed, or that is no longer maintained at all, so its known vulnerabilities never get fixed.
Applications often become vulnerable to attacks because they use outdated components with known security vulnerabilities. Attackers can exploit these vulnerabilities to gain access to the application's data or to take control of the application entirely, and because the vulnerabilities are publicly documented, attackers do not need to discover them themselves. Timely patching is therefore a vital part of your security posture.
About this lesson
In this lesson, you will learn how vulnerable and outdated components can affect the security of an application, and how to protect your applications against them. We will step into the shoes of a malicious attacker who is able to gain access to her ex-employer's cloud account by exploiting an outdated npm package.
Vulnerable and outdated components continue to appear on the OWASP Top 10: in the 2021 list they are ranked #6, and the category was already on the 2013 and 2017 lists (as "Using Components with Known Vulnerabilities").
Sunny is a developer by day, and a hacker by night, who was recently unfairly (or so she says) fired from her job at a web development agency called DevShop. She's got revenge on her mind — and a whole lot of free time. Maybe it's time to put some of those hacking skills to good use!
Sunny takes a look at the main website of her ex-employer: devshop.io. There's functionality on the page for potential clients to upload files to better demonstrate the projects that they'd like to have developed. The file can either be uploaded from the client's local machine, or the client can specify a URL from which the server fetches it.
Taking advantage of vulnerable and outdated components
Setting the stage
Sunny is looking for revenge on her ex-employer, devshop.io. Let's see if we can take advantage of some vulnerable and outdated components!
In this case, the website was using an old version of the npm package parse-url, which has known vulnerabilities. The package parses certain crafted URLs incorrectly, so the hostname it returns is not the host a request to that URL actually reaches, which allows an attacker to bypass hostname validation.
The backend code might look something like this: the URL supplied by the client is run through parse-url, and the hostname it returns is checked against a denylist of hostnames before the server fetches the file.
Of course, we should never denylist URLs like this because there are many ways around such a check, but that's not how Sunny exploited this issue. Instead, she used CVE-2022-2900, a vulnerability in the parse-url npm package, to bypass the check: the denylist sees a harmless hostname while the server's request goes to the host the attacker chose. You can find more details about this vulnerability in the Snyk Vulnerability Database.
What is the impact of vulnerable and outdated components?
The impact varies considerably depending on the vulnerability the outdated or vulnerable component carries: an information disclosure in a logging library is a different problem from a remote code execution in a deserialization library. At worst it can result in the complete loss of data integrity, data confidentiality and system availability.
Perhaps the most fundamental part of the mitigation is awareness of the modules that you are using in your project, including the transitive ones you never installed directly. To view which packages are being used, navigate to the directory containing your package.json and run npm ls.
To check if any of them have known vulnerabilities, you can run snyk test. The output below is an example of the Snyk CLI's output; this particular run is snyk fix on a Python (Poetry) project, which reports the issues found and the upgrades it applied:
► Running `snyk test` for /Users/lili/www/snyk/python-fix/packages/poetry/test/system/workspaces/with-pins
✔ Looking for supported Python items
✔ Processed 1 pyproject.toml items
✔ Done

Successful fixes:
  ../python-fix/packages/poetry/test/system/workspaces/with-pins/poetry.lock
  ✔ Upgraded django from 2.2.13 to 2.2.18
  ✔ Upgraded jinja2 from 2.11.2 to 2.11.3

Summary:
  1 items were successfully fixed
  10 issues: 4 High | 3 Medium | 3 Low
  10 issues are fixable
  10 issues were successfully fixed
You can also run npm audit, which checks the installed tree against the npm advisory database. In this case, the report shows the details of the parse-url vulnerability:
# npm audit report

parse-url  <=8.0.0
Severity: critical
parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing - https://github.com/advisories/GHSA-pqw5-jmp5-px4v
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url - https://github.com/advisories/GHSA-j9fq-vwqv-2fm2
fix available via `npm audit fix`
node_modules/parse-url

1 critical severity vulnerability
Fixing outdated and vulnerable NPM packages
To fix any vulnerabilities in those packages, you can run snyk fix (https://docs.snyk.io/snyk-cli/test-for-vulnerabilities/automatic-remediation-with-snyk-fix) or, alternatively, npm audit fix. Note that npm audit fix only applies updates that stay within the version ranges in your package.json; a fix that needs a new major version requires npm audit fix --force or a manual upgrade, and either one deserves a test run before it ships.
Keep modules up to date
You can check which modules are out of date in your project by running npm outdated. Before you update, make sure you test! Pushing updates straight to the production environment comes with risk, and testing in a dev environment can save you a lot of headaches. For an illustration of how an update can break things, see this axios issue: https://github.com/axios/axios/issues/5038
Learn more about Snyk and how we can keep your applications secure
- Snyk Code - find and fix vulnerabilities in your source code during the coding stage in your native workflow
- Snyk Container - find and fix vulnerabilities in container images and Kubernetes applications
- The Snyk Web UI provides a browser-based experience, along with functions such as configuration settings, filtering and fixing discovered issues, and reports
Now you know all about vulnerable and outdated components! You also know about the risks and mitigation techniques. We hope that you will apply this knowledge to make your applications safer. We'd really appreciate it if you could take a minute to rate how valuable this lesson was for you and provide feedback to help us improve! Also, make sure to check out our lessons on other common vulnerabilities.