Most applications today use third-party libraries. If such a library contains a vulnerability, an app that uses this library may also be vulnerable. But how can you identify such problematic dependencies?
Dangers of vulnerable components
Let's say we have a simple web app that uses RestSharp, a fairly well-known REST API client library for .NET.
Our app receives some data in JSON format. Let's simplify it a bit and imagine that the handler receives the date string and parses it using the RestSharp extension method:
[HttpPost]
public IActionResult Index(string jsonDate)
{
DateTime dateTime = jsonDate.ParseJsonDate(CultureInfo.InvariantCulture);
// do something
return View();
}
It seems the worst thing that may happen — the string in jsonDate would have incorrect date format. However, here's what would happen:
- the dateTime object will receive the default value;
- then the value will be processed in a specific way;
- the sender will receive a reply.
So, is this code secure?
It depends on the RestSharp library version. If the version is earlier than 106.11.7, the library is vulnerable to ReDoS attacks (CVE-2021-27293). So, what? What does it all add up?
The point is that our request handler uses the ParseJsonDate function that uses a vulnerable regular expression. Hence, our application is vulnerable to ReDoS attacks as well.
To make sure that our application is vulnerable, I sent my app 10-15 requests from a browser at once. I passed the following string as the JSON date to my application:
new Date(000000000000000000000000000000000000000000000000000000000000000000
At the same time, I was using Process Hacker to monitor how the web service was consuming my system resources:
I wish I could send a dozen more requests, but my browser has frozen :(.
Let's get back to the code:
[HttpPost]
public IActionResult Index(string jsonDate)
{
DateTime dateTime = jsonDate.ParseJsonDate(CultureInfo.InvariantCulture);
// do something
return View();
}
It looks pretty innocuous, doesn't it? But if a real web application has similar code, it may be attacked and lead to a server overload (provided that a vulnerable version of RestSharp is used).
All right, everything is clear with RestSharp. We just need to update it to the newest version. And the app is secure, right?
Not really... Only one dependency is secure. What about others?
The ways to check a project for vulnerable components
SCA (Software Composition Analysis) is a tool that identifies open-source software vulnerabilities. Originally, SCA was used to manage the license compliance risks, but over the time the product has been scaled up. And now one of its main features is the detection of vulnerable components.
If the project depends on something insecure, the SCA solution reports a message as follows:
Referenced package RestSharp 106.11.5 contains vulnerability according to CVE-2021-27293: Incorrect Regular Expression in RestSharp.
Today we have various tools for dependency analysis. Some tools also integrate SAST (static application security testing). This allows you to look for potential vulnerabilities that can lead to attacks like XXE, SQL injection, XSS, etc. If you integrate both SAST and SCA, you'll be able to diagnose the problems both in source code and in dependencies.
If you are a C# programmer, you can try PVS-Studio: it integrates SAST and SCA tools. Download the trial here. To look for security flaws, enable OWASP diagnostics (the V5625 diagnostic searches for vulnerable dependencies).
Also, there are solutions for other programming languages. Here are the most popular tools:
- Mend (formerly WhiteSource) is a powerful solution from WhiteSource. It enables to check the code (Mend SAST) and dependency (Mend SCA) security.
- Black Duck is one of the main Synopsys products. It focuses specifically on dependency analysis. Although the company also has a tool for static security analysis — Coverity.
- Veracode provides popular solutions to look for security flaws in dependencies and code: Veracode Static Analysis (SAST) and Veracode Software Composition Analysis (SCA).
Conclusion
Any application may be vulnerable even if its code is correct. Vulnerable dependencies are sometimes hardly to find. So, the risks are really high because such dependencies may impact the app operation a lot.
SCA tools are not perfect — they can't make your code 100% secure. However, they definitely help detect vulnerable components. Moreover, you don't have to do it manually :).
Top comments (0)