OWASP Top 10 part 6: Vulnerable and Outdated Components

21 October 2024

Vulnerable and deprecated components means using components, libraries, or frameworks that contain known vulnerabilities or are no longer maintained.

1. Use of outdated versions of components

  • Description: Using components that are no longer supported or contain known vulnerabilities.

  • Example: Using older versions of libraries that have known security bugs that have not been patched.

2. Insufficient update of components

  • Description: Neglecting to update components and libraries to the latest versions.

  • Example: Ignoring patches or updates that fix known vulnerabilities.

3. Unreliable third-party components

  • Description: Using third-party components without checking their security.

  • Example: Integrating third-party libraries or frameworks without properly checking their security and integrity.

CVE (Common Vulnerabilities and Exposures)

Blue team

Use CVE databases such as CVE.mitre.org or Exploit-DB to regularly check your software for known vulnerabilities. Update all system components regularly so that vulnerable versions are not left in use.

  • Example: CVE-2021-44228 (Log4Shell) in the Log4j library, mitigated by installing the patched version or applying configuration settings that reduce the risk.

Red team

Use known CVEs to attack the target system: look for vulnerable versions of components, or for references to exploits in databases, to gain a foothold.

  • Example: exploitation of CVE-2021-44228 to achieve remote code execution on a server.

PHP Dependencies audit

Blue team

Use PHP dependency auditing tools such as Composer Audit to identify outdated and vulnerable dependencies. Keep track of dependency updates and regularly check the project for new vulnerabilities.

Red team

Look for vulnerable dependencies within the project and use them for attacks, for example through vulnerabilities in libraries or components.

  • Example: finding a vulnerability in an old version of a PHP library that allows malicious code to be executed.

Node Dependencies audit

Blue team

Use tools like npm audit or Yarn Audit to check Node.js dependencies for vulnerabilities. Regularly check the project for vulnerable packages and update them.
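The audit commands above are most useful when their output gates the build rather than being read by hand. The following added example (not from the original article) parses a report in the shape of npm's `npm audit --json` output (auditReportVersion 2) and fails when anything at or above a chosen severity is present; the report, package names, version ranges and advisory URLs in it are constructed placeholders, not real advisories.

```python
"""Gate a build on `npm audit --json` results.  SAMPLE_REPORT is CONSTRUCTED
sample data in the shape of npm audit report version 2; its package names,
ranges and advisory URLs are placeholders, not real advisories."""
import json

# npm's severity scale, least to most severe
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True,
            "via": [{"title": "Prototype pollution (placeholder)",
                     "url": "https://example.invalid/advisory/PLACEHOLDER-1",
                     "severity": "high", "range": "<2.0.1"}],
            "range": "<2.0.1", "fixAvailable": True,
        },
        "example-app-core": {
            "name": "example-app-core", "severity": "high", "isDirect": False,
            # a bare string in `via` means "vulnerable through that package"
            "via": ["example-parser"], "range": "*", "fixAvailable": True,
        },
        "example-logger": {
            "name": "example-logger", "severity": "low", "isDirect": True,
            "via": [{"title": "Verbose error leak (placeholder)",
                     "url": "https://example.invalid/advisory/PLACEHOLDER-2",
                     "severity": "low", "range": "<1.4.0"}],
            "range": "<1.4.0", "fixAvailable": False,
        },
    },
})


def findings_at_or_above(report_text, threshold="high"):
    """Return (name, severity, is_direct, fix_available) for each package
    whose severity reaches `threshold`, most severe first."""
    report = json.loads(report_text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm audit report version 2")
    floor = SEVERITY_ORDER.index(threshold)
    hits = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        sev = vuln.get("severity", "info")
        if SEVERITY_ORDER.index(sev) >= floor:
            # fixAvailable may be a bool or an object (semver-major fix)
            hits.append((name, sev, bool(vuln.get("isDirect")),
                         bool(vuln.get("fixAvailable"))))
    return sorted(hits, key=lambda h: -SEVERITY_ORDER.index(h[1]))


def audit_gate(report_text, threshold="high"):
    """True when the build may proceed (nothing at or above threshold)."""
    return not findings_at_or_above(report_text, threshold)
```

In a pipeline, pipe the real `npm audit --json` output into `audit_gate` and exit non-zero when it returns False; the transitive entry shows why the gate must not be limited to direct dependencies.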

Red team

Check whether the target system uses old versions of Node.js packages and look for exploits for the identified vulnerabilities.

  • Example: exploiting a vulnerability in an older version of a library to perform attacks such as data theft or code execution.
