March 10, 2019

OWASP Using Component with known vulnerability

Known vulnerabilities are those gaps in the application security that have been identified by the product developer or the user or the hacker or the intruder. To exploit this vulnerability a hacker looking for those exploitable components inside the system which mostly belongs to third party vendor. To identify these kind of components the hacker usually take the help of various type of vulnerability scanning tools or analysing the components manually and list down all the components running inside the application with the version details.

Almost all application should have some vulnerability because when developer develop the application he mostly concentrates on the coding not on the third party library component or plugins which is used by him in this application. So unknowingly most of the plugins run using root privilege and when the hacker successfully exploits this he easily compromised the application and gain access.

CVE or common vulnerability exposer is a service which enlists all the popular application vulnerabilities the moment the patch is released by someone and update this vulnerability with a CVE score for identification. This vulnerability update can be used for good purpose as well as bad purpose. Good people will take the patch and apply it inside the vulnerable machine to get it fixed. But the attacker wil take this vulnerability information for bad purpose, he will searching over the applications those are exploitable using the vulnerability. So it always a good practice to be up to date about the vulnerability information and patched it as soon as the patched is released.

Let’s have an example to know how to get information about vulnerable third party component and use it for exploitation.

Start burp suit and configure it with you browser. Make sure the intercept button under Proxy tab should be turned off.

Now load you target website from the browser and come back to burp suit.

Now check the HTTP history under Proxy In burp suit and select the URL you have just entered and come to Response tab below.

From the above screenshot we are getting three components and their version details. Now the next step will be searching for vulnerability and how to use that for exploitation.

Here we will take the available apache version to find any vulnerability exists.

Apache version 2.4.37              
Search the above version in Google to get the available vulnerabilities which is exploitable.

Select the first search result to get familiar with the vulnerability from the official website of apache.

According to apache, this version is vulnerable to DoS attack when used with OpenSSL 1.1.1 and coincidently our web server is running with open SSL 1.1.1. That means it can be effected by DoS attack if someone found this information.

I hope you have enjoyed my article so far, if you have any doubt or feedback on the same please write it down in the comment section below I will try to response you. Happy Hacking!!


  1. Your blog needs to have somebody who will get rid of nasty remarks just as wrong substance. You may likewise consider having the most significant remarks featured for you. blog comment service

  2. Learned a lot of new things in this post. This post gives a piece of excellent information…

    AWS Training in Hyderabad

  3. This is good site and nice point of view. Thank you for this wonderfull information.

  4. Thank you for taking the time and sharing this information with us. Discover the ultimate resource for EdTech enthusiasts! Explore our handpicked selection of top article submission sites that offer instant approval.
    For more info visit Top article Submission Sites list

  5. I found some useful information from this article, thanks for sharing the useful information. Explore Ziyyara Edutech’s best online tutoring sites for Class 11, offering private tuition classes designed to help you excel in chemistry and other subjects.
    For more info Contact us: +91-9654271931, +971-505593798 or visit Private tuition classes for class 11

  6. Excellent post, it will be definitely helpful for many people. Keep posting more like this. Embark on a transformative journey with our comprehensive online English classes in Kuwait.
    For more info visit Spoken english language Class in kuwait fahaheel