WEBVTT

00:00:00.000 --> 00:00:06.300 align:middle line:90%


00:00:06.300 --> 00:00:10.390 align:middle line:84%
Welcome to Using Components with
Known Vulnerabilities session.

00:00:10.390 --> 00:00:13.840 align:middle line:84%
In this first part, we will
focus on threat analysis.

00:00:13.840 --> 00:00:16.550 align:middle line:84%
Since this topic is pretty
much straightforward,

00:00:16.550 --> 00:00:17.950 align:middle line:90%
we will briefly discuss it.

00:00:17.950 --> 00:00:20.680 align:middle line:84%
We'll also discuss how
the system can be harmed,

00:00:20.680 --> 00:00:22.930 align:middle line:84%
the impact of
successful exploitation,

00:00:22.930 --> 00:00:25.000 align:middle line:84%
and give you some
insights to identify who

00:00:25.000 --> 00:00:27.410 align:middle line:90%
may want to harm your system.

00:00:27.410 --> 00:00:29.800 align:middle line:84%
Have you ever heard
about dependency hell?

00:00:29.800 --> 00:00:32.560 align:middle line:90%
If not, please check Wikipedia.

00:00:32.560 --> 00:00:34.840 align:middle line:84%
Dependency hell can
take several forms,

00:00:34.840 --> 00:00:36.640 align:middle line:84%
and the most common
in today's software,

00:00:36.640 --> 00:00:38.800 align:middle line:84%
and specifically
web applications,

00:00:38.800 --> 00:00:42.670 align:middle line:84%
is the number of dependencies
of a single application.

00:00:42.670 --> 00:00:45.490 align:middle line:84%
Recent statistics say
that 80% of the code

00:00:45.490 --> 00:00:49.640 align:middle line:84%
in today's applications comes
from libraries and frameworks.

00:00:49.640 --> 00:00:52.160 align:middle line:84%
Application owners do not
always understand the security

00:00:52.160 --> 00:00:54.830 align:middle line:84%
risk dependencies represent
to the overall security

00:00:54.830 --> 00:00:56.420 align:middle line:90%
of their applications.

00:00:56.420 --> 00:00:58.550 align:middle line:84%
The risk of vulnerabilities
in these components

00:00:58.550 --> 00:01:01.760 align:middle line:84%
is widely ignored
and underappreciated.

00:01:01.760 --> 00:01:04.370 align:middle line:84%
Dependency management
has been for a long time

00:01:04.370 --> 00:01:07.000 align:middle line:90%
a big challenge.

00:01:07.000 --> 00:01:09.190 align:middle line:84%
This table gives you
an overview of the top

00:01:09.190 --> 00:01:12.140 align:middle line:84%
five most depended-upon
npm packages--

00:01:12.140 --> 00:01:14.920 align:middle line:84%
the same technology used by
our intentionally vulnerable

00:01:14.920 --> 00:01:16.300 align:middle line:90%
application.

00:01:16.300 --> 00:01:18.790 align:middle line:84%
Notice the number of
dependent packages.

00:01:18.790 --> 00:01:20.470 align:middle line:84%
Can you imagine how
many applications

00:01:20.470 --> 00:01:23.110 align:middle line:84%
will be affected by a
single vulnerability in one

00:01:23.110 --> 00:01:24.940 align:middle line:90%
of these packages?

00:01:24.940 --> 00:01:27.040 align:middle line:84%
The request package,
highlighted in red,

00:01:27.040 --> 00:01:29.650 align:middle line:84%
was deprecated by its
author and it is still

00:01:29.650 --> 00:01:31.480 align:middle line:90%
being heavily downloaded--

00:01:31.480 --> 00:01:33.930 align:middle line:90%
check the weekly downloads.

00:01:33.930 --> 00:01:36.900 align:middle line:84%
I think you now understand
how big this problem is.

00:01:36.900 --> 00:01:39.030 align:middle line:90%
Let's move on.

00:01:39.030 --> 00:01:41.640 align:middle line:84%
When you realise that your
application is made of several

00:01:41.640 --> 00:01:44.850 align:middle line:84%
building blocks, and some of
them are third party software,

00:01:44.850 --> 00:01:48.090 align:middle line:84%
you'll have a good idea of
the potential attack vectors.

00:01:48.090 --> 00:01:51.390 align:middle line:84%
Nowadays, web applications rely
on several free and open source

00:01:51.390 --> 00:01:53.700 align:middle line:84%
components, developed
and maintained

00:01:53.700 --> 00:01:56.100 align:middle line:84%
by several individuals
distributed

00:01:56.100 --> 00:02:00.080 align:middle line:84%
on external registries
but without any warranty.

00:02:00.080 --> 00:02:02.840 align:middle line:84%
Some of these components
are not well-maintained

00:02:02.840 --> 00:02:06.710 align:middle line:84%
and others were even
abandoned by their authors.

00:02:06.710 --> 00:02:10.039 align:middle line:84%
Attackers may try to add back
doors to popular components,

00:02:10.039 --> 00:02:12.020 align:middle line:84%
contributing with some
source code, which

00:02:12.020 --> 00:02:14.810 align:middle line:84%
is not properly reviewed,
and ends up delivered

00:02:14.810 --> 00:02:16.940 align:middle line:90%
as part of the component.

00:02:16.940 --> 00:02:20.300 align:middle line:84%
They can also publish their own
malicious libraries or packages

00:02:20.300 --> 00:02:22.400 align:middle line:84%
in the official
registry, disguised

00:02:22.400 --> 00:02:24.410 align:middle line:90%
as some useful functionality.

00:02:24.410 --> 00:02:27.410 align:middle line:84%
Attackers can also go
after registry accounts,

00:02:27.410 --> 00:02:30.650 align:middle line:84%
gaining control over popular
components' owners' accounts.

00:02:30.650 --> 00:02:33.710 align:middle line:84%
When this happens-- and it
already happened in the past--

00:02:33.710 --> 00:02:38.010 align:middle line:84%
attackers can modify the
component being delivered.

00:02:38.010 --> 00:02:40.800 align:middle line:84%
It's not easy to define the
impact of using components

00:02:40.800 --> 00:02:42.360 align:middle line:90%
with known vulnerabilities.

00:02:42.360 --> 00:02:44.580 align:middle line:84%
Components-- such as
libraries, frameworks,

00:02:44.580 --> 00:02:45.930 align:middle line:90%
and other software modules--

00:02:45.930 --> 00:02:49.080 align:middle line:84%
run with the same privileges
as the application-- which

00:02:49.080 --> 00:02:50.910 align:middle line:84%
may undermine
application defences

00:02:50.910 --> 00:02:54.000 align:middle line:84%
and enable various
attacks and impacts.

00:02:54.000 --> 00:02:56.640 align:middle line:84%
Introduced vulnerabilities
can be of any type.

00:02:56.640 --> 00:02:58.980 align:middle line:84%
It can lead not only
to severe data losses,

00:02:58.980 --> 00:03:01.770 align:middle line:84%
allowing attackers to bypass
authentication mechanisms,

00:03:01.770 --> 00:03:05.340 align:middle line:84%
escalate privileges, or
access arbitrary files,

00:03:05.340 --> 00:03:09.060 align:middle line:84%
but also to full system takeover
via remote code execution

00:03:09.060 --> 00:03:13.670 align:middle line:84%
or providing access to remote
administrative interfaces.

00:03:13.670 --> 00:03:16.580 align:middle line:84%
It is fairly easy to find
already written exploits

00:03:16.580 --> 00:03:18.230 align:middle line:90%
for known vulnerabilities.

00:03:18.230 --> 00:03:20.030 align:middle line:84%
There are automated
tools to test

00:03:20.030 --> 00:03:22.760 align:middle line:84%
for vulnerabilities with
available exploits in a target

00:03:22.760 --> 00:03:23.930 align:middle line:90%
application.

00:03:23.930 --> 00:03:28.430 align:middle line:84%
This makes the task simple, even
for not-so-technical people.

00:03:28.430 --> 00:03:31.880 align:middle line:84%
Most applications rely on third
party code, either libraries,

00:03:31.880 --> 00:03:33.350 align:middle line:90%
modules, or packages.

00:03:33.350 --> 00:03:35.600 align:middle line:84%
Anyone contributing
to such dependencies

00:03:35.600 --> 00:03:37.880 align:middle line:90%
may introduce back doors.

00:03:37.880 --> 00:03:40.360 align:middle line:84%
You'll find this table
in the last top 10.

00:03:40.360 --> 00:03:43.660 align:middle line:84%
Pause the video and take your
time to carefully read it.

00:03:43.660 --> 00:03:46.090 align:middle line:84%
In the next part, we
will exploit a component

00:03:46.090 --> 00:03:48.700 align:middle line:84%
of our intentionally
vulnerable application which

00:03:48.700 --> 00:03:51.300 align:middle line:90%
has a known vulnerability.

00:03:51.300 --> 00:03:52.000 align:middle line:90%