Find out answers and explanations to the weekly Deepfactor Deep Hacks! We are drawing from the experience of our community of security and dev professionals to provide you with helpful tips and things to watch out for as you’re creating secure cloud native apps.
Deep Hack of the Week Jan 23, 2023: True or False—If you use open source libraries with known CVE you are 100% vulnerable to attacks.
Question: True or False—If you use open source libraries with known CVE you are 100% vulnerable to attacks.
If you use an open source library with a known CVE, there is a real chance that you are vulnerable to attack, but it is not a certainty. Your code may never call the vulnerable function or method, in which case your software is not exposed to that particular attack. Traditional security tools such as SAST or DAST have no runtime visibility into program behavior, so they cannot give you full context about whether the vulnerability is actually exploitable within your application. Modern tools like Deepfactor identify runtime risks, finding vulnerabilities in dev and test that static scanning misses.
Deep Hack of the Week Jan 16, 2023: What percentage of a software code repository is usually third-party libraries?
Question: What percentage of a software code repository is usually third-party libraries?
Answer: Greater than 40%
Most developers do not realize how many direct and indirect third-party dependencies get pulled into their code repositories when they import only a handful of packages. Node.js, one of the ecosystems most notorious for transitive dependencies, has libraries that pull in more than 1000 of them. See how Deepfactor Developer Security can help.
Deep Hack of the Week Jan 9, 2023: Find the security flaw in the following code snippet.
Question: Find the security flaw in the following code snippet:
```python
from flask import Flask, request  # `request` was missing from the snippet's import
import requests

app = Flask(__name__)
headers = {}  # assumed: the snippet used `headers` without ever defining it


@app.route("/", methods=['GET', 'POST'])
def home():
    if request.method == 'POST':
        # The target URL is taken straight from a client-controlled form field ...
        URL = request.form.get('url')
        # ... and fetched by the server with no validation at all: this is the SSRF flaw.
        r = requests.get(url=URL, headers=headers)
        body = r.text
        header = r.headers
        return "fetched"  # the snippet returned nothing; a Flask view must return a response
    return "POST a form field named 'url'"
```
This program starts with an import of Flask, which tells you that the snippet is backend code written with the Python Flask framework. Look closely and you will notice that the URL parameter comes from the client side (an HTTP form field) and is passed directly to requests.get, which lets an attacker induce the server to open a connection to an internal resource.
Background / Context: Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. In a typical SSRF attack, the attacker causes the server to connect to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials. See how Deepfactor Developer Security can help.
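One way to close the hole in the snippet above, as an added example that is not from the original post or from Deepfactor: validate the client-supplied URL before it ever reaches requests.get(). The allowlisted hostnames, the FAKE_DNS table and the function names are assumptions constructed for this example; the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the only upstream hosts this service may fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed DNS table so the check runs offline; real code uses resolve_all().
# cdn.example.com deliberately points at an internal address to show that an
# allowlist alone is not enough (a stale or hijacked record defeats it).
FAKE_DNS = {"api.example.com": {"1.1.1.1"}, "cdn.example.com": {"10.0.0.5"}}

def fake_resolve(hostname):
    return FAKE_DNS[hostname]

def resolve_all(hostname):
    """Every address the hostname resolves to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return (ok, reason); ok is True only if the server may fetch url.

    Rejects non-HTTP schemes, embedded credentials, hosts outside the
    allowlist, and allowlisted hosts that resolve to any non-public address
    (loopback, RFC 1918, link-local such as the 169.254.169.254 cloud
    metadata endpoint, multicast, IPv4-mapped IPv6, etc.).
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in url"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"host not in allowlist: {host!r}"
    try:
        addrs = resolver(host)
    except (OSError, KeyError) as exc:
        return False, f"could not resolve {host}: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
        if ip.is_multicast or not ip.is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

The handler should call check_outbound_url() and refuse the request unless it returns True. Resolving here and connecting later inside requests.get() leaves a small window in which DNS can change, so an egress proxy or network policy that only permits the allowlisted hosts is the complementary control.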
Deep Hack of the Week Jan 2, 2023: How can an attacker steal your credentials?
Question: How can an attacker steal credentials directly from your own application without having a victim browse to a phishing site?