WEBVTT

00:00:00.000 --> 00:00:05.990 align:middle line:90%


00:00:05.990 --> 00:00:07.610 align:middle line:84%
Welcome to the
third and last part

00:00:07.610 --> 00:00:11.060 align:middle line:84%
of the Using Components with
Known Vulnerabilities session.

00:00:11.060 --> 00:00:14.240 align:middle line:84%
In this part, we will
discuss mitigation.

00:00:14.240 --> 00:00:15.890 align:middle line:84%
We will start
discussing what makes

00:00:15.890 --> 00:00:18.020 align:middle line:84%
an application
vulnerable, and then we

00:00:18.020 --> 00:00:21.380 align:middle line:84%
will hunt OWASP Juice Shop
vulnerable source code.

00:00:21.380 --> 00:00:23.810 align:middle line:84%
Before closing this
session, we will discuss how

00:00:23.810 --> 00:00:26.060 align:middle line:90%
to avoid such vulnerabilities.

00:00:26.060 --> 00:00:28.670 align:middle line:84%
Not knowing what components
in the respective versions

00:00:28.670 --> 00:00:32.600 align:middle line:84%
your application depends
upon directly or indirectly,

00:00:32.600 --> 00:00:36.380 align:middle line:84%
both client and server
side, makes it vulnerable.

00:00:36.380 --> 00:00:40.430 align:middle line:84%
Software that is vulnerable,
unsupported, or out of date

00:00:40.430 --> 00:00:42.440 align:middle line:84%
leaves the application
vulnerable.

00:00:42.440 --> 00:00:44.210 align:middle line:84%
Frameworks,
libraries, and modules

00:00:44.210 --> 00:00:46.400 align:middle line:84%
tend to run with the
same level of privileges

00:00:46.400 --> 00:00:48.630 align:middle line:90%
as the application itself.

00:00:48.630 --> 00:00:51.980 align:middle line:84%
If components' configurations
are not set to secure values,

00:00:51.980 --> 00:00:54.150 align:middle line:84%
then your application
is at risk.

00:00:54.150 --> 00:00:57.980 align:middle line:84%
We have discussed security
misconfigurations already.

00:00:57.980 --> 00:01:01.010 align:middle line:84%
If vulnerability scanning
is not performed frequently,

00:01:01.010 --> 00:01:04.340 align:middle line:84%
then components' vulnerabilities
may pass unnoticed.

00:01:04.340 --> 00:01:07.670 align:middle line:84%
The same is valid if you do not
subscribe to security bulletins

00:01:07.670 --> 00:01:09.590 align:middle line:90%
related to components in use.

00:01:09.590 --> 00:01:12.080 align:middle line:84%
New vulnerabilities
and exploits are found

00:01:12.080 --> 00:01:14.500 align:middle line:90%
and published all the time.

00:01:14.500 --> 00:01:18.340 align:middle line:84%
Of course, if you do not patch,
update, or upgrade components

00:01:18.340 --> 00:01:21.760 align:middle line:84%
in a timely fashion, then
your application is at risk.

00:01:21.760 --> 00:01:25.480 align:middle line:84%
Performing such tasks without
proper compatibility testing

00:01:25.480 --> 00:01:28.710 align:middle line:84%
may also put the
application at risk.

00:01:28.710 --> 00:01:31.160 align:middle line:84%
Let's have a look
at the source code.

00:01:31.160 --> 00:01:34.580 align:middle line:84%
From the Juice Shop project page,
we will jump to the GitHub repo.

00:01:34.580 --> 00:01:40.110 align:middle line:90%


00:01:40.110 --> 00:01:42.900 align:middle line:84%
We're looking for the
server.js file where

00:01:42.900 --> 00:01:44.730 align:middle line:90%
application setup is performed.

00:01:44.730 --> 00:02:02.480 align:middle line:90%


00:02:02.480 --> 00:02:04.990 align:middle line:84%
We are now looking for
some authenticated route,

00:02:04.990 --> 00:02:07.750 align:middle line:84%
since this is what
Juice Shop uses JWT for.

00:02:07.750 --> 00:02:39.480 align:middle line:90%


00:02:39.480 --> 00:02:42.510 align:middle line:84%
The isAuthorized
method from insecurity

00:02:42.510 --> 00:02:44.700 align:middle line:84%
looks to be what
we are looking for.

00:02:44.700 --> 00:02:46.787 align:middle line:84%
Let's have a look at
the implementation.

00:02:46.787 --> 00:03:13.160 align:middle line:90%


00:03:13.160 --> 00:03:17.180 align:middle line:84%
The isAuthorized method is just
a wrapper around the express

00:03:17.180 --> 00:03:18.035 align:middle line:90%
JWT function.

00:03:18.035 --> 00:03:27.420 align:middle line:90%


00:03:27.420 --> 00:03:32.580 align:middle line:84%
Express JWT is provided by
the express-jwt package.

00:03:32.580 --> 00:03:34.140 align:middle line:84%
Let's first check
what version is

00:03:34.140 --> 00:03:36.420 align:middle line:84%
used by Juice Shop
by checking the package.json

00:03:36.420 --> 00:03:37.770 align:middle line:90%
file in the root folder.

00:03:37.770 --> 00:03:48.880 align:middle line:90%


00:03:48.880 --> 00:03:51.160 align:middle line:84%
The package.json file
has the inventory

00:03:51.160 --> 00:03:54.100 align:middle line:84%
of required dependencies
and we should find here

00:03:54.100 --> 00:03:55.090 align:middle line:90%
the express-jwt.

00:03:55.090 --> 00:04:11.510 align:middle line:90%


00:04:11.510 --> 00:04:16.860 align:middle line:84%
Juice Shop uses
the 0.1.3 version.

00:04:16.860 --> 00:04:19.631 align:middle line:84%
Let's now check
the package's documentation.

00:04:19.631 --> 00:04:39.790 align:middle line:90%


00:04:39.790 --> 00:04:42.400 align:middle line:84%
Juice Shop is definitely
using a very old version

00:04:42.400 --> 00:04:43.360 align:middle line:90%
of this package--

00:04:43.360 --> 00:04:53.980 align:middle line:90%
current version is 6.0.0.

00:04:53.980 --> 00:04:56.410 align:middle line:84%
Let's check package
issues on GitHub,

00:04:56.410 --> 00:04:58.690 align:middle line:84%
searching for
security related ones.

00:04:58.690 --> 00:05:32.250 align:middle line:90%


00:05:32.250 --> 00:05:35.130 align:middle line:84%
This one seems to be exactly
the reason why Juice Shop is

00:05:35.130 --> 00:05:40.890 align:middle line:84%
vulnerable. express-jwt versions
prior to 0.2.2 were vulnerable,

00:05:40.890 --> 00:05:45.610 align:middle line:84%
and we saw that Juice Shop still
uses one of those versions.

00:05:45.610 --> 00:05:48.910 align:middle line:84%
Let's talk about how to
mitigate these issues.

00:05:48.910 --> 00:05:51.670 align:middle line:84%
Restrict your dependencies
to the bare minimum.

00:05:51.670 --> 00:05:55.900 align:middle line:84%
Audit every dependency before
adding it to your application.

00:05:55.900 --> 00:05:58.375 align:middle line:84%
Remove unused dependencies,
unnecessary features

00:05:58.375 --> 00:06:01.210 align:middle line:84%
and components, files,
and documentation.

00:06:01.210 --> 00:06:04.660 align:middle line:84%
What is not there cannot
hurt your application.

00:06:04.660 --> 00:06:06.910 align:middle line:84%
Continuously inventory
client and server side

00:06:06.910 --> 00:06:10.960 align:middle line:84%
components and their versions,
as well as their dependencies.

00:06:10.960 --> 00:06:15.160 align:middle line:84%
Monitor sources like CVE
and NVD for vulnerabilities

00:06:15.160 --> 00:06:18.460 align:middle line:84%
in components that
belong to your inventory.

00:06:18.460 --> 00:06:21.040 align:middle line:84%
Obtain components only
from trusted sources

00:06:21.040 --> 00:06:22.810 align:middle line:90%
over a secure connection.

00:06:22.810 --> 00:06:25.510 align:middle line:84%
Prefer signed packages
to avoid installing

00:06:25.510 --> 00:06:27.880 align:middle line:90%
modified malicious components.

00:06:27.880 --> 00:06:31.030 align:middle line:84%
Monitor and maintain libraries
and components, as well as

00:06:31.030 --> 00:06:32.740 align:middle line:84%
those that do not
provide security

00:06:32.740 --> 00:06:37.120 align:middle line:84%
patches for old versions
belonging to your inventory.

00:06:37.120 --> 00:06:40.030 align:middle line:84%
In our next session, we will
discuss insufficient logging

00:06:40.030 --> 00:06:41.050 align:middle line:90%
and monitoring.

00:06:41.050 --> 00:06:43.510 align:middle line:84%
Until then, take your
time to carefully read

00:06:43.510 --> 00:06:45.670 align:middle line:84%
the Using Components with
Known Vulnerabilities

00:06:45.670 --> 00:06:48.500 align:middle line:90%
section of OWASP Top 10.

00:06:48.500 --> 00:06:49.000 align:middle line:90%