A06:2021 - Vulnerable and Outdated Components
For the information about Vulnerable and Outdated Components, visit page (opens in a new tab)
Vulnerable Packages
CWE-1035: Using Components with Known Vulnerabilities
About
We will use Snyk static tool analysis to detect packages with known vulnerabilities. If the fix is provided in another version of the package, we will update the package version. In the case when the package is not maintained or the vulnerability cannot be fixed just by updating the package, we will look for and implement a proper solution.
Vulnerable packages were detected at the time of preparing this part of the tutorial (19.3.2022). In the future, more vulnerabilities will be detected in used packages, which only highlights the importance of regular scanning of your project.
You will often encounter packages that are introduced by other packages. If the parent package does not provide an updated version with a fixed child package, you have to track down the child package and change the version manually.
Client side
Navigate to the client directory and run:
snyk testAmong all packages, nth-check and webpack packages introduced through react-scripts have a vulnerability.
Luckily, the fix is provided for both of them.
nth-check package
- In the whole project, replace the version of
nth-checkfrom 1.0.2 to 2.0.1. - Run
npm installto install the new version ofnth-check. - After running
snyk testagain, thenth-checkvulnerability should be fixed.
webpack package
Try to resolve this vulnerability by yourself. Just follow the same steps as for nth-check package, but update the version of webpack from 5.75.0 to 5.76.0.
Server side
Navigate to the server directory and run:
snyk testThere are two packages with known vulnerabilities: underscore and express-brute.
We will start with underscore.
underscore package
- In the whole project, replace the version of
underscorefrom 1.8.3 to 1.13.6. - Run
npm installto install the new version ofunderscore. - After running
snyk testagain, this vulnerability should be fixed.
express-brute package
The second vulnerability on the server side is identified as express-brute. This package is used to prevent brute-force attacks.
All versions of express-brute are vulnerable to Rate Limiting Bypass vulnerability.
Rate Limiting Bypass
Rate-limiting bypass is a type of attack that allows an attacker to bypass rate-limiting protection if not implemented properly. It can be circumvented by using:
- proxy server
- IP address spoofing (IP rotation)
- using specific headers in a request
- appending "null byte" to the end of targeted fields
The alternative package for express-brute is express-rate-limit. It is more popular and has no known
vulnerabilities.
In this tutorial, we will not replace the implementation of middleware, but you can try it yourself and verify if
the replacement works as expected without any vulnerabilities.
Which package to use?
You may be asking, how to determine which package to use to perform specific tasks. Yeah, sometimes you are happy that the particular package even exists that you do not have to code it yourself, and that you find it quickly. But, when you want to make your software product secure and reliable, make sure to follow the checklist below:
You can pick any of your personal/school projects and try to apply the checklist below. If the check is fulfilled, you can mark it as done by clicking the checkbox on the left of the description.
Now, we will illustratively compare express-brute and express-rate-limit packages based on the checklist above.
After comparison, it is pretty obvious which package to use...
Challenge
As mentioned in the beginning, more vulnerable packages and their versions will be detected by the time of practicing this tutorial.
As your personal challenge, based on the acquired knowledge, try to fix as many vulnerabilities as possible.