
Is your website at risk? Discover why outdated libraries are a ticking time bomb
Celia Catalán
Vulnerable and Outdated Components
Introduction
Modern web applications are built on multi-component software architectures: databases, APIs (Application Programming Interfaces), libraries, frameworks, operating systems, etc. The management and inventory of software components is a basic and necessary task for organizations, given its importance in ensuring security, maintaining compatibility, optimizing performance, reducing operational risks, and ensuring compliance with current regulations and licenses such as ISO or GDPR.
When software components are not maintained, risks arise such as Vulnerable and Outdated Components, which is one of the main security threats identified in the OWASP Top Ten of 2021, ranked in sixth position.
Vulnerable Components vs Outdated Components
Vulnerable Components are those that have security vulnerabilities that attackers can exploit to access sensitive information or gain access to the system.
Outdated Components, on the other hand, are software components that no longer receive security updates, and therefore lack the security patches that address existing vulnerabilities.
Impact
Some of the vulnerabilities that affect vulnerable or outdated components and that may be susceptible to exploitation by malicious users are as follows:
- Code Injection: A security vulnerability that allows an attacker to introduce malicious code into an application (typically through unvalidated or poorly sanitized user inputs) which is executed by the application, allowing the attacker to perform unauthorized actions.
- Buffer overflow: Buffer overflows occur when the allocated memory capacity is exceeded, allowing attackers to alter and corrupt data in adjacent memory. This can result in the execution of malicious code that causes system crashes, alters security controls, or allows privilege escalation.
- Cross Site Scripting: Cross-Site Scripting is a critical risk for modern web applications, as it allows attackers to inject malicious scripts into trusted sites. A common approach is stored XSS, where attackers insert scripts into vulnerable third-party components, taking advantage of the lack of updates and security reviews, which can lead to persistent threats affecting multiple users and systems.
Identify vulnerable and outdated components
The first step in detecting vulnerable components is to identify the software present in the application or system and its versions. Identifying these versions may involve different approaches, tools, and techniques, such as those discussed below:
- Source code: The code is the backbone of any software and, if it contains security flaws, it can be exploited to compromise the integrity, confidentiality, and availability of a system. Vulnerabilities in the code often arise from poor programming practices or from the integration of outdated third-party libraries.
Static Application Security Testing (SAST) is a technique that allows for the review of an application's source code without executing it, with the aim of identifying patterns that represent security vulnerabilities. This analysis is carried out using automated tools that detect bad practices, violations of secure programming standards, and the use of critical functions.
- Display of versions in the frontend: Web applications commonly display the versions of the components they use in their public interface.
- HTTP Headers: Some web applications and servers expose software versions in the HTTP headers of responses. These headers may include details such as the web server used (Apache, Nginx, IIS), versions of PHP, Python, ASP.NET, or even information about frameworks such as Django or Ruby on Rails.
  - Server: Exposes the type and version of the web server.
    - Example: Server: Apache/2.4.49 (Ubuntu)
  - X-Powered-By: Indicates the programming language or framework used.
    - Example: X-Powered-By: PHP/7.4.3 or X-Powered-By: ASP.NET
  - Via: It may reveal details about proxies or gateways used.
    - Example: Via: 1.1 vegur
  - X-AspNet-Version: Specific to ASP.NET applications.
    - Example: X-AspNet-Version: 4.0.30319
  - X-Drupal-Cache: Present in systems based on Drupal.
    - Example: X-Drupal-Cache: HIT
- Triggering errors: The practice of subjecting a system, application, or software to situations that trigger unexpected behaviors, failures, or unusual responses can reveal some of the technologies used.
- Banner Grabbing: Banner grabbing is a widely used technique to obtain information about the versions of services running on a server. Many services, such as web servers, FTP, SSH, or SMTP, return banners upon connection that include the name of the software, its version, and sometimes additional information.
- Vulnerability scanning and service enumeration tools: Vulnerability scanning tools typically identify component versions based on the responses that servers or services provide to certain requests or characteristics.
- Interaction with APIs: Many web applications expose APIs that provide details about the software, including versions. Some APIs return this information in HTTP headers or JSON responses.
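To audit your own application's responses for the headers listed above, the following added example (not part of the original article) parses a captured response and reports which headers disclose a technology or a version. The sample response is constructed from the article's example values, and the function names are illustrative.

```python
import re

# Headers the article lists as disclosing technology details.
DISCLOSING = ("server", "x-powered-by", "via", "x-aspnet-version", "x-drupal-cache")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

def parse_headers(raw):
    """Parse the header block of a raw HTTP response into (name, value) pairs."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    pairs = []
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def classify(name, value):
    """'version' if the value carries a product version, else 'technology'."""
    if name == "via":
        # Each hop starts with the HTTP protocol version, not a product version.
        value = " ".join(" ".join(hop.split()[1:]) for hop in value.split(","))
    return "version" if VERSION_RE.search(value) else "technology"

def audit(raw):
    """Return (header, value, disclosure) for every disclosing header present."""
    return [(n, v, classify(n, v)) for n, v in parse_headers(raw) if n in DISCLOSING]

# Constructed sample response built from the example values in the list above.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.49 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Via: 1.1 vegur\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Drupal-Cache: HIT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for name, value, kind in audit(SAMPLE):
        print(f"{kind:10} {name}: {value}")
```

Headers reported as "version" are the ones to suppress or genericize first in the server or framework configuration.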
Some interesting tools
Nmap
Nessus / OpenVAS
Nikto
WhatWeb
Wappalyzer
Retire.js
Mitigation/Remediation
- Maintain an inventory of employed technologies (libraries, frameworks, software components used in the application or system), including details such as the specific versions of each component and their origin, which allows for quick identification of those that are outdated or vulnerable.
- Stay updated: It is crucial to be aware of security updates and newly discovered vulnerabilities affecting the software components used. This involves subscribing to security bulletins, following databases of known vulnerabilities (such as CVE), using automated tools to detect outdated and vulnerable versions, and actively monitoring alerts from the providers of the technologies employed. Developers must maintain good security practices in the applications developed to avoid future issues.
- Good development practices: When developing web applications, it is advisable to avoid libraries, frameworks, or tools that do not receive regular updates or that do not have an active community that can respond to vulnerabilities and improvement needs.
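The inventory check described above, as an added example that is not part of the original article: it separates vulnerable components (version inside a known affected range) from outdated ones (older than anything still patched). All component names, version ranges and support floors are constructed placeholders.

```python
from dataclasses import dataclass

def parse_version(text):
    """Turn '2.4.49' into (2, 4, 49); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.split("."))

@dataclass
class Component:
    name: str
    version: str
    origin: str   # where it was obtained, as the inventory should record

# Constructed placeholder data, not real advisories or support policies.
ADVISORIES = {       # name -> [(first affected, first fixed), ...]
    "examplelib": [("1.0.0", "1.4.2")],
    "samplecms": [("3.0.0", "3.8.0"), ("4.0.0", "4.1.5")],
}
SUPPORTED_FROM = {   # name -> oldest version still receiving security patches
    "examplelib": "1.0.0", "samplecms": "4.0.0", "legacyfw": "5.0.0",
}

def assess(component):
    """Return the problems found: 'vulnerable', 'outdated' and/or 'unknown'."""
    problems = set()
    v = parse_version(component.version)
    for first, fixed in ADVISORIES.get(component.name, []):
        if parse_version(first) <= v < parse_version(fixed):
            problems.add("vulnerable")
    floor = SUPPORTED_FROM.get(component.name)
    if floor is None:
        problems.add("unknown")   # untracked: nobody is watching for its fixes
    elif v < parse_version(floor):
        problems.add("outdated")
    return problems

INVENTORY = [        # constructed sample inventory
    Component("examplelib", "1.4.1", "package registry"),
    Component("samplecms", "3.9.0", "vendor download"),
    Component("legacyfw", "5.2.0", "package registry"),
    Component("inhouse-widget", "0.3.0", "copied into repo"),
]

def report(inventory):
    """Map each component name to its sorted list of problems."""
    return {c.name: sorted(assess(c)) for c in inventory}
```

In the sample, `samplecms` 3.9.0 has no matching advisory yet is still flagged, because an unsupported version will not receive the patch when the next vulnerability is found.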