Security Testing: A Concise Tutorial

Components with Vulnerabilities

This kind of threat arises because the components used within the app, such as libraries and frameworks, almost always execute with full privileges. If a vulnerable component is exploited, it becomes easier for the hacker to cause serious data loss or a server takeover.

Let us understand the Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of a simple diagram.

[Figure: Using components with known vulnerabilities]

Example

The following examples are of using components with known vulnerabilities −

  1. By not providing an identity token, attackers can invoke any web service with full permission.

  2. An Expression Language injection vulnerability in the Spring Framework allows remote code execution in Java-based apps.

Preventive Mechanisms

  1. Identify all the components, and their versions, that are used in the web apps, not just the database and frameworks.

  2. Keep all the components up to date, following sources such as public databases and project mailing lists.

  3. Add security wrappers around components that are inherently vulnerable.
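
The first two preventive steps can be automated. The following Python sketch is an added example, not part of the original tutorial: it inventories every component reachable from the app, including transitive ones, and flags versions older than the fixed release named in an advisory feed. All component names, versions and advisory IDs are constructed placeholders.

```python
# Added example: inventory direct and transitive components, then flag outdated ones.
# Every component name, version and advisory ID below is constructed.
# Constructed dependency graph: component -> (version, [dependencies])
DEPENDENCIES = {
    "webapp": ("1.0.0", ["example-web-framework", "example-json"]),
    "example-web-framework": ("3.0.5", ["example-expression-lang", "example-logging"]),
    "example-json": ("2.9.1", []),
    "example-expression-lang": ("1.2.0", []),
    "example-logging": ("1.10.2", []),
}

# Constructed advisory feed: component -> (placeholder advisory id, first fixed version)
ADVISORIES = {
    "example-expression-lang": ("ADVISORY-PLACEHOLDER-1", "1.2.3"),
    "example-logging": ("ADVISORY-PLACEHOLDER-2", "1.9.0"),
}


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so that 1.10 sorts after 1.9."""
    return tuple(int(part) for part in text.split("."))


def inventory(root, graph):
    """Return {component: version} for everything reachable from root."""
    seen, stack = {}, [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue  # already recorded; also guards against cycles
        version, deps = graph[name]
        seen[name] = version
        stack.extend(deps)
    return seen


def vulnerable_components(root, graph, advisories):
    """List (component, version, advisory id, fixed version), sorted by name."""
    findings = []
    for name, version in sorted(inventory(root, graph).items()):
        advisory_id, fixed = advisories.get(name, (None, None))
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append((name, version, advisory_id, fixed))
    return findings


if __name__ == "__main__":
    for finding in vulnerable_components("webapp", DEPENDENCIES, ADVISORIES):
        print("%s %s is affected by %s; upgrade to %s or later" % finding)
```

Versions are compared as integer tuples because a plain string comparison would rank 1.10.2 below 1.9.0 and report the logging component as outdated when it is not.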