
Mitigation

In this video, Pedro Silva will review the risk associated with using components with known vulnerabilities. Watch how to mitigate these vulnerabilities.
Welcome to the third and last part of the Using Components with Known Vulnerabilities session. In this part, we will discuss mitigation. We will start by discussing what makes an application vulnerable, and then we will hunt for OWASP Juice Shop's vulnerable source code. Before closing this session, we will discuss how to avoid such vulnerabilities. Not knowing which components, and which versions of them, your application depends upon, directly or indirectly, on both the client and server side, makes it vulnerable. Software that is vulnerable, unsupported, or out of date leaves the application vulnerable. Frameworks, libraries, and modules tend to run with the same level of privileges as the application itself. If components' configurations are not set to secure values, then your application is at risk.

We have discussed security misconfigurations already. If vulnerability scanning is not performed frequently, then components' vulnerabilities may pass unnoticed. The same is valid if you do not subscribe to security bulletins related to the components in use. New vulnerabilities and exploits are found and published all the time. Of course, if you do not patch, update, or upgrade components in a timely fashion, then your application is at risk. Performing such tasks without proper compatibility testing may also put the application at risk. Let's have a look at the source code. From the Juice Shop project page, we will jump to the GitHub repo.

We're looking for the server.js file, where application setup is performed.

We are now looking for an authenticated route, since this is what Juice Shop uses JWT for.

The isAuthorized method from insecurity looks to be what we are looking for. Let's have a look at the implementation.

The isAuthorized method is just a wrapper around the express-jwt function.

express-jwt is provided by the express-jwt package. Let's first check which version is used by Juice Shop by checking the package.json file in the root folder.

The package.json file has the inventory of required dependencies, and we should find express-jwt here.

Juice Shop uses version 0.1.3. Let's now check the package's documentation.

Juice Shop is definitely using a very old version of this package; the current version is 6.0.0. Let's check the package's issues on GitHub, searching for security-related ones.

This one seems to be exactly the reason why Juice Shop is vulnerable: express-jwt versions prior to 0.2.2 were vulnerable, and we saw that Juice Shop still uses one of those versions.

Let's talk about how to mitigate these issues. Restrict your dependencies to the bare minimum. Audit every dependency before adding it to your application. Remove unused dependencies, unnecessary features and components, files, and documentation. What is not there cannot hurt your application. Continuously inventory client- and server-side components and their versions, as well as their dependencies. Monitor sources like CVE and NVD for vulnerabilities in components that belong to your inventory. Obtain components only from trusted sources over a secure connection. Prefer signed packages to avoid installing modified, malicious components.

Monitor and maintain libraries and components, as well as those in your inventory that do not provide security patches for old versions. In our next session, we will discuss insufficient logging and monitoring. Until then, take your time to carefully read the Using Components with Known Vulnerabilities section of the OWASP Top 10.
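The inventory step in the transcript (reading package.json to find that express-jwt is pinned to 0.1.3, below the 0.2.2 the issue mentions) and the mitigation advice that follows (continuously inventory components and check them against sources like CVE and NVD) can be automated. The script below is an added example and is not code from OWASP Juice Shop, express-jwt, or this course: it parses a package.json, builds a component inventory, and flags any dependency whose lower version bound falls inside a known-vulnerable range. The package.json contents and the advisory list are constructed for the example; the `legacy-parser` package and its advisory are hypothetical, and the express-jwt entry only mirrors the "prior to 0.2.2" statement from the transcript. In practice the advisory data would come from the GitHub Advisory Database, NVD, or `npm audit`.

```javascript
// Added example (not Juice Shop's or express-jwt's code): inventory the
// dependencies declared in a package.json and flag those whose lower version
// bound falls inside a known-vulnerable range.

// Constructed package.json, modelled on the transcript: express-jwt 0.1.3.
// "legacy-parser" is a hypothetical package used to show the unpinned case.
const PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  version: "1.0.0",
  dependencies: {
    express: "^4.17.1",
    "express-jwt": "0.1.3",
    jsonwebtoken: "~8.5.1",
    "legacy-parser": "*",
  },
  devDependencies: {
    mocha: "^8.0.0",
  },
});

// Constructed advisory feed: package name -> list of vulnerable ranges.
// Only "below" (first fixed version) is modelled; real feeds also carry
// "introduced" bounds, CVE ids and severity.
const ADVISORIES = {
  "express-jwt": [
    { below: "0.2.2", note: "transcript: versions prior to 0.2.2 vulnerable" },
  ],
  "legacy-parser": [
    { below: "2.0.0", note: "hypothetical advisory for the example" },
  ],
};

// Parse the lower bound of a version spec into [major, minor, patch], ignoring
// range prefixes (^, ~, >=) and prerelease/build suffixes. Returns null for
// specs with no concrete lower bound (e.g. "*" or "latest").
function parseVersion(spec) {
  const m = /^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Standard three-part numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Build the component inventory from both runtime and dev dependencies.
function inventory(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const items = [];
  for (const scope of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[scope] || {})) {
      items.push({ name, spec, scope, version: parseVersion(spec) });
    }
  }
  return items;
}

// Compare every inventoried component against the advisory feed. A spec whose
// lower bound is below the fixed version may resolve to a vulnerable release,
// so it is reported; an unpinned spec is reported as unevaluable rather than
// silently passed.
function findVulnerable(packageJsonText, advisories) {
  const findings = [];
  for (const item of inventory(packageJsonText)) {
    const ranges = advisories[item.name];
    if (!ranges) continue;
    if (!item.version) {
      findings.push({ ...item, reason: "unpinned range; cannot evaluate" });
      continue;
    }
    for (const adv of ranges) {
      if (compareVersions(item.version, parseVersion(adv.below)) < 0) {
        findings.push({ ...item, reason: `${item.spec} < ${adv.below} (${adv.note})` });
      }
    }
  }
  return findings;
}

// Render findings as one line per affected component.
function report(packageJsonText, advisories) {
  return findVulnerable(packageJsonText, advisories).map(
    (f) => `[${f.scope}] ${f.name}@${f.spec}: ${f.reason}`
  );
}

const lines = report(PACKAGE_JSON, ADVISORIES);
console.log(lines.length ? lines.join("\n") : "no known-vulnerable components");
```

The check works on the lower bound of each range, which is what package.json records; the exact versions actually installed live in package-lock.json, so a production inventory should read the lock file (or `npm ls --json`) instead, and a transitive dependency can carry the same vulnerable express-jwt even when it never appears in your own package.json.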

In this video, you will briefly review what you have learned about the risk associated with using components with known vulnerabilities, and you will then look at ways to mitigate these vulnerabilities.

In the previous video, you saw how easily a hacker could take advantage of the OWASP Juice Shop because the system included a component with a known vulnerability. In this video, you will assess the source code to identify areas with vulnerabilities and focus on what to do to reduce your system’s vulnerability.

Investigate and share: Now that you’ve completed this section, go to the OWASP Using Components with Known Vulnerabilities page to see the table mentioned in Step 3.12 Threat Analysis. Read the additional information under the table. Within the context of what you’ve learned in this section, what stands out to you as the most important aspects to keep in mind moving forward? Share your thoughts in the comments section below.

This article is from the free online course: Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life
