Using Components with Known Vulnerabilities
How are you unintentionally using components with known vulnerabilities?
Unless you are writing a really simple function which doesn’t do much, you will reuse software of other people. From development to deployment, you will use libraries, frameworks, technologies, etc. And guess what! Those third-party components will also depend on other components!
This comes at a cost. In fact, part of the third-party software components you will reuse will suffer from security vulnerabilities. Besides, you might even be using some malicious components. Therefore, checking your code is a need, not a luxury.
Let’s first understand how attackers find and exploit vulnerable components.
Step 1: Port Scanning – Identifying Open Services
Techniques & Tools for Port Scanning:
Before fingerprinting technologies, it's crucial to identify open ports and services running on the target system. This helps in determining which technologies might be in use.
Tools & Techniques for Port Scanning:
Nmap – A powerful network scanner for detecting open ports and running services. Example:
This scans all ports and retrieves service versions.
Masscan – A fast port scanner useful for large-scale scanning.
RustScan – An efficient alternative for scanning with automated Nmap integration.
Once open ports are identified, you can analyze the services to infer the technologies used (e.g., Apache/Nginx for web servers, MySQL/PostgreSQL for databases).
Step 2: Fingerprint Technologies
After identifying open ports, the next step is to determine the technologies running on the target. This includes web frameworks, CMS platforms, backend languages, and third-party services.
1. Checking HTTP Elements
HTTP responses often reveal information about the technology stack. Elements to inspect:
HTTP headers (
Server,X-Powered-By,Set-Cookie)Title values (
<title>tag in HTML)Hidden links to admin panels, login pages, etc.
Automated tools for fingerprinting HTTP elements:
Wappalyzer (Browser extension) – Detects frontend and backend technologies.
BuiltWith (Online tool) – Provides a full breakdown of a site's stack.
Manual approach using curl:
Look for headers like:
This tells us the site runs Apache on Ubuntu with PHP 7.4.3.
Dependency Hell
Projects using package managers (npm, pip, composer) often expose old versions:
2. Triggering Errors – Extracting Hidden Details
Web applications often expose technology details through error messages.
Remove expected parameters (e.g., deleting
?id=1in a URL).Send unexpected values (
' OR 1=1--,<script>alert(1)</script>, large payloads).
Example: Discovering a PHP backend
Visiting a malformed URL like target.com/index.php?id=' may return:
This reveals:
The site uses PHP (
.phpfile extension).The backend relies on MySQL (mysqli).
3. Forced Browsing – Discovering Hidden Technologies
Some technologies can be identified by accessing default files and directories that web applications leave exposed.
Automated tools for directory enumeration:
4. Source Code Analysis – Direct Dependency Discovery
If you gain access to the source code, you can directly analyze dependencies. Key files to check:
composer.json(PHP)package.json(JavaScript)requirements.txt(Python).env(Environment variables – may contain secrets)
Example: Finding Laravel version
A composer.json file might include:
This confirms the application runs Laravel 8.12.
Advanced Techniques: Because Script Kiddies Need Not Apply
A. Static Analysis of Source Code
Use Semgrep or CodeQL to find vulnerable code patterns. Example: Find eval() calls in PHP:
B. Fuzzing Endpoints
Use ffuf or Burp Intruder to find hidden vulnerabilities:
C. Machine Learning (ML) for Detection
Train an ML model to detect outdated versions in HTTP responses or GitHub commits.
Nuclei + Custom Templates: The Lazy Hacker’s Best Friend
Nuclei (by ProjectDiscovery) is a powerful vuln scanner. Example of Nuclei template i have write to find outdated software :
Run it:
Step 3: Identifying Public Vulnerabilities and Exploiting Weak Components
Once you have fingerprinted the technologies in use, the next step is to search for known vulnerabilities (CVEs) that affect those components. Public exploits may be available, allowing you to test the security of the target system.
1. Finding Known Vulnerabilities (CVEs)
There are several public databases where you can search for vulnerabilities in software components:
✅ Key resources for CVE hunting:
Exploit-DB → Public exploits repository
NVD (National Vulnerability Database) → CVE details
MITRE CVE Database → Official vulnerability records
GitHub Security Advisories → Vulnerabilities in repositories
Example: Finding an Apache Struts Vulnerability
Identify the target framework (e.g., Apache Struts 2.3.16).
Search Exploit-DB, GitHub, or Metasploit for version-specific exploits. Example: Exploit Apache Struts CVE-2017–5638:
If you find a CVE-2017-5638, check Exploit-DB for public exploits:
If an exploit exists, analyze it before execution.
2. Using Public Exploits (With Caution!)
While public exploits can be useful, never run them blindly without understanding how they work. Some exploits: ✅ Are unstable and may crash the target system. ✅ May contain malicious code that could harm your own machine.
Example: Remote Code Execution (RCE) in Apache Struts
A simple payload for CVE-2017-5638 might look like this:
This exploit leverages an OGNL injection vulnerability to execute arbitrary commands (whoami) on the server.
3. Dependency Confusion Attacks
If a company uses internal packages (e.g., @mycompany-private/core), upload a malicious package with the same name to public registries like npm or PyPI and wait for devs to install your spyware.
Practice examples of using components with known vulnerabilities
In this section, we will see how both vulnerable and malicious libraries can affect the security of your own code.
Case Study: Deserialization Vulnerability in XStream
OWASP WebGoat uses a vulnerable version of the XStream library to parse XML into Java objects. The vulnerable version is 1.4.5 and allows arbitrary command execution.
Finding the vulnerability in source code:
In pom.xml, you might find:
Looking for public exploits on the internet reveals that this version suffers from a severe deserialization vulnerability, which leads to remote code execution.
An attacker can Send the following code which will create the file /tmp/here on the docker container.
Malicious components and Typosquatting
Attackers often take advantage of typosquatting, a technique where they create malicious software packages with names similar to legitimate ones. If developers accidentally install the rogue package, their systems can be compromised.
Typosquatting relies on human error—a small typo while installing a package can lead to serious consequences. Attackers:
Create a package with a name that looks nearly identical to a real one.
Publish it on a popular package manager (e.g., PyPI, NPM, RubyGems).
Include malicious code that steals data or injects malware.
A Real-World Example for that in python3-dateutil Attack, A GitHub issue reported that an attacker created a rogue Python module named python3-dateutil, designed to resemble the legitimate package python-dateutil.
What happened?
Developers who mistakenly installed
python3-dateutilinstead ofpython-dateutilunknowingly ran malicious code.The rogue package exfiltrated SSH keys and internal system files to an attacker-controlled server.
A few hundred developers downloaded and used the malicious library, compromising their projects.
Bug bounty hunting reports
Last updated
