Wednesday, February 9, 2011

Vulnerabilities in Third-Party Components

Analysis:

In web application vulnerability scanning, vulnerabilities in third-party components are always missed by scanners, because those components reside on off-site domains that the scanner does not crawl.

XSS vulnerabilities have been identified in such components, for example:
http://jeremiahgrossman.blogspot.com/2010/06/full-disclosure-our-turn.html

http://yehg.net/lab/pr0js/advisories/sites/adbard.net/%5Badbard.net%5D_xss?1297312908


Lesson Learnt:

Manual testing and review of third-party components is necessary to detect these vulnerabilities. It is not worth leaking security flaws through buggy third-party components.
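As an added example (not code from the original post), the following Python script inventories the scripts, style sheets, frames and embedded objects a page loads from domains other than its own, so that each off-site component can be queued for the manual review described above. The site and third-party host names in the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that pull executable or embeddable content into a page.
COMPONENT_ATTRS = {"script": "src", "iframe": "src", "link": "href",
                   "embed": "src", "object": "data"}


class ComponentCollector(HTMLParser):
    """Collect (tag, absolute URL) for every embedded component in a document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.components = []

    def handle_starttag(self, tag, attrs):
        attr = COMPONENT_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # For <link>, only style sheets are active content worth reviewing here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(attr)
        if url:
            # urljoin resolves relative and protocol-relative ("//host/...") URLs.
            self.components.append((tag, urljoin(self.base_url, url)))


def offsite_components(html, base_url):
    """Return (tag, url, host) for each component not served from the page's own host."""
    parser = ComponentCollector(base_url)
    parser.feed(html)
    own_host = urlparse(base_url).hostname
    return [(tag, url, urlparse(url).hostname)
            for tag, url in parser.components
            if urlparse(url).hostname and urlparse(url).hostname != own_host]


# Constructed sample page: a first-party site embedding an ad script and a widget.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="//cdn.example-third-party.test/theme.css">
<script src="/js/app.js"></script>
<script src="http://ads.example-third-party.test/ad.js"></script>
</head><body>
<iframe src="https://widget.example-third-party.test/w?id=1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, host in offsite_components(SAMPLE_HTML, "https://www.example-first-party.test/"):
        print(f"{tag:7s} {host:35s} {url}")
```

Each listed host is a component the scanner will not have exercised, and therefore a candidate for manual testing.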
