Vulnerability in Third-party components

Analysis:

In web application vulnerability scanning, vulnerabilities in third-party components (ad units, widgets, analytics and other embedded scripts) are routinely missed because the components are served from off-site domains that fall outside the scanner's configured scope, even though their code executes in the context of the embedding page.

XSS vulnerabilities of this kind have been identified and publicly disclosed, for example:
http://jeremiahgrossman.blogspot.com/2010/06/full-disclosure-our-turn.html

http://yehg.net/lab/pr0js/advisories/sites/adbard.net/%5Badbard.net%5D_xss?1297312908


Lesson Learnt:

Manual testing and review of third-party components is necessary to detect these vulnerabilities. An XSS flaw in an embedded component is exploitable against your users in the context of your site, so it is not worth exposing the site to security flaws through buggy third-party components.
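The following is an added example, not code from the original post or from the advisories linked above. It models the class of bug these advisories describe: a hypothetical third-party ad widget that reflects a query-string parameter from the embedding page into markup, shown first in its vulnerable form and then with HTML escaping. It also includes a small inventory helper that lists every off-site script origin in a page, which is the list a manual review has to cover because a scanner scoped to one host skips it. The widget markup, the parameter name kw, and the host names in the sample HTML are all constructed for illustration.

```javascript
// Added example (not from the original post). Runs under Node.js; the widget
// functions return markup strings instead of touching the DOM so the behaviour
// can be checked offline.

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Vulnerable widget pattern (hypothetical): the "kw" keyword parameter from the
// embedding page's URL is concatenated straight into markup. If the widget
// assigns this to innerHTML / document.write, it is a DOM-based XSS on every
// site that embeds the widget, regardless of how secure the site itself is.
function renderAdUnsafe(pageUrl) {
  const kw = new URL(pageUrl).searchParams.get('kw') || '';
  return '<div class="ad">Ads for: ' + kw + '</div>';
}

// Hardened version: the untrusted value is escaped before it reaches markup.
function renderAdSafe(pageUrl) {
  const kw = new URL(pageUrl).searchParams.get('kw') || '';
  return '<div class="ad">Ads for: ' + escapeHtml(kw) + '</div>';
}

// Inventory helper: find every <script src=...> in a page's HTML and return the
// distinct origins that differ from the page's own origin. These are the
// components a scanner scoped to the page's host never requests.
function thirdPartyScriptOrigins(pageUrl, html) {
  const pageOrigin = new URL(pageUrl).origin;
  const found = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    // Resolve relative and protocol-relative (//host/...) sources against the page.
    const src = new URL(m[1], pageUrl);
    if (src.origin !== pageOrigin) found.add(src.origin);
  }
  return [...found];
}

// Constructed sample input: a page URL carrying an XSS payload in "kw"
// (percent-encoded as a browser would send it) and a page body that embeds
// two hypothetical off-site scripts alongside first-party ones.
const SAMPLE_PAGE_URL =
  'https://www.example.com/blog/post?kw=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';

const SAMPLE_HTML = [
  '<html><head>',
  '<script src="/js/app.js"></script>',
  '<script src="//ads.adnetwork.example/widget.js"></script>',
  "<script type=\"text/javascript\" src='https://cdn.widgets.example/v1/embed.js'></script>",
  '<script src="https://www.example.com/js/vendor.js"></script>',
  '<script>inline()</script>',
  '</head><body></body></html>'
].join('\n');

// Demonstration when run directly.
console.log('unsafe :', renderAdUnsafe(SAMPLE_PAGE_URL));
console.log('safe   :', renderAdSafe(SAMPLE_PAGE_URL));
console.log('review :', thirdPartyScriptOrigins(SAMPLE_PAGE_URL, SAMPLE_HTML));
```

The inventory step is deliberately crude (a regex over the static HTML); scripts injected at runtime by other scripts will not appear in it, so in practice the list should be confirmed from the browser's network log while exercising the page. Each origin it reports is a separate code base that needs the same manual XSS testing as the site's own pages.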
