In which case does the Security misconfiguration vulnerability apply to?Is there a base version of jQuery...
Can a bald person be a Nazir?
Clarification on Integrability
What can Amex do if I cancel their card after using the sign up bonus miles?
How to "add" units to results of pgfmathsetmacro?
What is a "soap"?
Why aren’t there water shutoff valves for each room?
Does EU compensation apply to flights where the departure airport closes check-in counters during protests?
Markov-chain sentence generator in Python
Why is Python 2.7 still the default Python version in Ubuntu?
Possible to ground-fault protect both legs of a MWBC with two single-pole breakers?
What is the status of this patent?
Beginner in need of a simple explanation of the difference between order of evaluation and precedence/associativity
Why won't the Republicans use a superdelegate system like the DNC in their nomination process?
In which case does the Security misconfiguration vulnerability apply to?
What are those bumps on top of the Antonov-225?
Who invented Monoid?
Modeling the uncertainty of the input parameters
Are employers legally allowed to pay employees in goods and services equal to or greater than the minimum wage?
How can I see if the data in a SQL Server table is page-compressed?
Boss wants me to ignore a software API license prohibiting mass download
What is the difference between 王 and 皇?
Running code generated in realtime in JavaScript with eval()
Telephone number in spoken words
How do I call a 6-digit Australian phone number with a US-based mobile phone?
In which case does the Security misconfiguration vulnerability apply to?
Is there a base version of jQuery which has no XSS vulnerability?How does OWASP rank the top 10 risks?Is there a base version of jQuery which has no XSS vulnerability?What would be the impact of a CVE-2015-9251 vulnerability?Does choice of DBMS matters in the protection of XSS and other injection attacks
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
Our web application uses a HTML file with jQuery embedded inside.
According to jQuery license (https://jquery.org/license/), we have to leave the license header in tact, including the version number.
However our client reported this as a security risk as the version number is exposed. Strangely, bootstrap version in the same file is not reported as a security risk.
Many applications use libraries with version numbers inside, it's even possible to get version numbers by running some code in Firebug or Chrome's Developer Console.
In which case this vulnerability (https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration) applies? And how can we resolve this issue without violating jQuery license?
license-enforcement owasp-top-ten jquery
edited 21 hours ago
schroeder♦
84.7k34 gold badges188 silver badges228 bronze badges
asked 21 hours ago
stormtrooperstormtrooper
361 bronze badge
New contributor
stormtrooper is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Our web application uses a HTML file with jQuery embedded inside.
According to jQuery license (https://jquery.org/license/), we have to leave the license header in tact, including the version number.
However our client reported this as a security risk as the version number is exposed. Strangely, bootstrap version in the same file is not reported as a security risk.
Many applications use libraries with version numbers inside, it's even possible to get version numbers by running some code in Firebug or Chrome's Developer Console.
In which case this vulnerability (https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration) applies? And how can we resolve this issue without violating jQuery license?
license-enforcement owasp-top-ten jquery
edited 21 hours ago
schroeder♦
84.7k34 gold badges188 silver badges228 bronze badges
asked 21 hours ago
stormtrooperstormtrooper
361 bronze badge
New contributor
stormtrooper is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
I think you have a logic error in that information disclosure is being equated as a security misconfiguration. They are in no way the same or related.
– schroeder♦
21 hours ago
3
"Strangely, bootstrap version in the same file is not reported as a security risk." They might have randomly spotted the jQuery version number and reported that. Or they might think that it's redundant to nitpick over every version number they found. Or their automated tool just spotted the jQuery one. Just like software is never bug-free because the programmer doesn't think of every edge case or know every quirk (or perhaps doesn't get enough time to do so), pentesting is also an inexact business.
– Luc
20 hours ago
Removing the version number from the license file would not help you anyways, because an attacker can just check manually what version you are using.
– MechMK1
16 hours ago
add a comment |
Our web application uses a HTML file with jQuery embedded inside.
According to jQuery license (https://jquery.org/license/), we have to leave the license header in tact, including the version number.
However our client reported this as a security risk as the version number is exposed. Strangely, bootstrap version in the same file is not reported as a security risk.
Many applications use libraries with version numbers inside, it's even possible to get version numbers by running some code in Firebug or Chrome's Developer Console.
In which case this vulnerability (https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration) applies? And how can we resolve this issue without violating jQuery license?
license-enforcement owasp-top-ten jquery
edited 21 hours ago
schroeder♦
84.7k34 gold badges188 silver badges228 bronze badges
asked 21 hours ago
stormtrooperstormtrooper
361 bronze badge
New contributor
stormtrooper is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Our web application uses a HTML file with jQuery embedded inside.
According to jQuery license (https://jquery.org/license/), we have to leave the license header in tact, including the version number.
However our client reported this as a security risk as the version number is exposed. Strangely, bootstrap version in the same file is not reported as a security risk.
Many applications use libraries with version numbers inside, it's even possible to get version numbers by running some code in Firebug or Chrome's Developer Console.
In which case this vulnerability (https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration) applies? And how can we resolve this issue without violating jQuery license?
license-enforcement owasp-top-ten jquery
license-enforcement owasp-top-ten jquery
edited 21 hours ago
schroeder♦
84.7k34 gold badges188 silver badges228 bronze badges
asked 21 hours ago
stormtrooperstormtrooper
361 bronze badge
New contributor
stormtrooper is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 21 hours ago
schroeder♦
84.7k34 gold badges188 silver badges228 bronze badges
asked 21 hours ago
stormtrooperstormtrooper
361 bronze badge
New contributor
stormtrooper is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 21 hours ago
schroeder♦
84.7k34 gold badges188 silver badges228 bronze badges
edited 21 hours ago
schroeder♦
84.7k34 gold badges188 silver badges228 bronze badges
edited 21 hours ago
schroeder♦
84.7k34 gold badges188 silver badges228 bronze badges
84.7k34 gold badges188 silver badges228 bronze badges
asked 21 hours ago
stormtrooperstormtrooper
361 bronze badge
New contributor
stormtrooper is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 21 hours ago
stormtrooperstormtrooper
361 bronze badge
asked 21 hours ago
stormtrooperstormtrooper
361 bronze badge
361 bronze badge
New contributor
stormtrooper is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
stormtrooper is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
I think you have a logic error in that information disclosure is being equated as a security misconfiguration. They are in no way the same or related.
– schroeder♦
21 hours ago
3
"Strangely, bootstrap version in the same file is not reported as a security risk." They might have randomly spotted the jQuery version number and reported that. Or they might think that it's redundant to nitpick over every version number they found. Or their automated tool just spotted the jQuery one. Just like software is never bug-free because the programmer doesn't think of every edge case or know every quirk (or perhaps doesn't get enough time to do so), pentesting is also an inexact business.
– Luc
20 hours ago
Removing the version number from the license file would not help you anyways, because an attacker can just check manually what version you are using.
– MechMK1
16 hours ago
add a comment |
2
I think you have a logic error in that information disclosure is being equated as a security misconfiguration. They are in no way the same or related.
– schroeder♦
21 hours ago
3
"Strangely, bootstrap version in the same file is not reported as a security risk." They might have randomly spotted the jQuery version number and reported that. Or they might think that it's redundant to nitpick over every version number they found. Or their automated tool just spotted the jQuery one. Just like software is never bug-free because the programmer doesn't think of every edge case or know every quirk (or perhaps doesn't get enough time to do so), pentesting is also an inexact business.
– Luc
20 hours ago
Removing the version number from the license file would not help you anyways, because an attacker can just check manually what version you are using.
– MechMK1
16 hours ago
2
2
I think you have a logic error in that information disclosure is being equated as a security misconfiguration. They are in no way the same or related.
– schroeder♦
21 hours ago
I think you have a logic error in that information disclosure is being equated as a security misconfiguration. They are in no way the same or related.
– schroeder♦
21 hours ago
3
3
"Strangely, bootstrap version in the same file is not reported as a security risk." They might have randomly spotted the jQuery version number and reported that. Or they might think that it's redundant to nitpick over every version number they found. Or their automated tool just spotted the jQuery one. Just like software is never bug-free because the programmer doesn't think of every edge case or know every quirk (or perhaps doesn't get enough time to do so), pentesting is also an inexact business.
– Luc
20 hours ago
"Strangely, bootstrap version in the same file is not reported as a security risk." They might have randomly spotted the jQuery version number and reported that. Or they might think that it's redundant to nitpick over every version number they found. Or their automated tool just spotted the jQuery one. Just like software is never bug-free because the programmer doesn't think of every edge case or know every quirk (or perhaps doesn't get enough time to do so), pentesting is also an inexact business.
– Luc
20 hours ago
Removing the version number from the license file would not help you anyways, because an attacker can just check manually what version you are using.
– MechMK1
16 hours ago
Removing the version number from the license file would not help you anyways, because an attacker can just check manually what version you are using.
– MechMK1
16 hours ago
add a comment |
4 Answers
4
active
oldest
votes
The security impact of exposing the version number is that an attacker can instantly see whether your version is vulnerable to a known vulnerability. For example, jQuery before 3.4.0 is vulnerable to CVE-2019-11358, so it is useful information for an attacker to know whether your jQuery is 3.3.9 or 3.4.1.
However, with JavaScript that runs in the browser the complete source code is accessible by the attacker, so it is impossible to hide whether your jQuery is vulnerable. Even if you hide the version, the attacker can compare the code, or just try an exploit, to determine whether you are vulnerable. Hiding the version number may make it slightly more work, but realisticly it accomplishes little.
Furthermore, there are other ways to mitigate this:
- Keep in the loop about security problems in the libraries you use. Subscribe to a mailing list or another publishing method for security problems.
- Update the client libraries whenever a security problem is identified.
If you always have a non-vulnerable version because you update regurarly, it is no problem that the version is disclosed. And you can tell your client that this is the way you mitigate the information disclosure.
answered 20 hours ago
SjoerdSjoerd
22k9 gold badges51 silver badges71 bronze badges
Agreed, just a small note: "Hiding the version number may make it slightly more work" I'd argue it's a bit more than "slightly": in order to map code back to a version number (in order to plug that version number into a CVE search), you have to have an index of all variants (minified, maybe with different packers) of all versions of all relevant libraries. A dedicated attacker might do this if they suspect there will be an exploitable vulnerability, but most of the time, the vulns of client-side libraries are not reachable or have a limited impact. I think few attackers would bother.
– Luc
20 hours ago
@Luc I would argue that it's simply useless, you can access this through$.fn.jquery, way easier than scrapping the comments which may anyway be unreadable in most sources because of SOP.
– Kaiido
5 hours ago
add a comment |
Knowing the version number is not a security misconfiguration. The risk of exposing version numbers is an "information disclosure". This can create a hazard if knowing this information equips an attacker to craft an exploit for a vulnerability in that specific version.
Even if the library ends up containing a vulnerability, it is still not a security misconfiguration issue. That would be "A9-Using Components with Known Vulnerabilities".
So, it appears that the client has an incorrect and rigid understanding of the risks and the situation.
answered 20 hours ago
schroeder♦schroeder
84.7k34 gold badges188 silver badges228 bronze badges
add a comment |
I'm not 100% sure whether or not this is a duplicate question, if it should be marked as such please do so mods, but I think that the advice in this particular post "Is there a base version of jQuery which has no XSS Vulnerability" would be useful in solving the problem for your clients.
One of the main factors you'll have to evaluate in addressing the general question is whether the proposed security solution is a good ROI for your client, is it worth writing an exception into the security policy, or perhaps implementing code to strip out the version numbers returned (or as the commenter notes potentially ditching jQuery) to mitigate the risk of exposing the version number. In many cases it won't be, but in other it will, and it will all depend on the individual situation. However, you should definitely verify the versions that you are using aren't already compromised by using something like cvedetails or the NIST National Vulnerability Database.
As to why Bootstrap is reported that is likely down to the scanner (which you didn't mention) and tests you're using for evaluation. According to the logic of the OWASP Security Misconfiguration it could be seen as a vulnerability as well and should/should not be addressed for the same reason. Regardless, exposing that information does give any potential attacker another data point from which to conduct research and potentially identify vulnerabilities.
answered 21 hours ago
jfran3jfran3
716 bronze badges
add a comment |
It is a very, very old pattern of thought in cybersecurity that exposing the version number of something is a security hazard.
Allegedly, it makes the work easier for attackers, because if they know the version of whatever it is you are running, they can look up the vulnerabilities that apply to that version.
Actually, that is what security scanners are doing. Nessus et al have a built-in database of vulnerabilities by version number. So unless you never scan yourself, hiding that information is shooting yourself in the foot.
Except that both scanners and attackers (who use scanners, you know?) have other means than a simple strcmp() to determine the version number of something. It's a bit more effort, and can't always pinpoint an exact number, but no attacker worth anything will confuse jQuery 3.3.0 with jQuery 2.2.1
Non-script-kiddie level attackers also have several other methods to figure out what you're running, from fingerprinting to simply testing automatically a few hundred exploits and checking which work.
Hiding the version number gives you a very small amount of additional security. If you have nothing else left to do, you can do it or not. As long as you have any real security issues to fix, spend your time on those.
Lastly, exposing the version number is not a case of a Security Misconfiguration. If your tool reports it as such, report that bug upstream so your tool can get fixed.
answered 1 hour ago
TomTom
6,2979 silver badges37 bronze badges
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
stormtrooper is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f215205%2fin-which-case-does-the-security-misconfiguration-vulnerability-apply-to%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
The security impact of exposing the version number is that an attacker can instantly see whether your version is vulnerable to a known vulnerability. For example, jQuery before 3.4.0 is vulnerable to CVE-2019-11358, so it is useful information for an attacker to know whether your jQuery is 3.3.9 or 3.4.1.
However, with JavaScript that runs in the browser the complete source code is accessible by the attacker, so it is impossible to hide whether your jQuery is vulnerable. Even if you hide the version, the attacker can compare the code, or just try an exploit, to determine whether you are vulnerable. Hiding the version number may make it slightly more work, but realisticly it accomplishes little.
Furthermore, there are other ways to mitigate this:
- Keep in the loop about security problems in the libraries you use. Subscribe to a mailing list or another publishing method for security problems.
- Update the client libraries whenever a security problem is identified.
If you always have a non-vulnerable version because you update regurarly, it is no problem that the version is disclosed. And you can tell your client that this is the way you mitigate the information disclosure.
answered 20 hours ago
SjoerdSjoerd
22k9 gold badges51 silver badges71 bronze badges
Agreed, just a small note: "Hiding the version number may make it slightly more work" I'd argue it's a bit more than "slightly": in order to map code back to a version number (in order to plug that version number into a CVE search), you have to have an index of all variants (minified, maybe with different packers) of all versions of all relevant libraries. A dedicated attacker might do this if they suspect there will be an exploitable vulnerability, but most of the time, the vulns of client-side libraries are not reachable or have a limited impact. I think few attackers would bother.
– Luc
20 hours ago
@Luc I would argue that it's simply useless, you can access this through$.fn.jquery, way easier than scrapping the comments which may anyway be unreadable in most sources because of SOP.
– Kaiido
5 hours ago
add a comment |
The security impact of exposing the version number is that an attacker can instantly see whether your version is vulnerable to a known vulnerability. For example, jQuery before 3.4.0 is vulnerable to CVE-2019-11358, so it is useful information for an attacker to know whether your jQuery is 3.3.9 or 3.4.1.
However, with JavaScript that runs in the browser the complete source code is accessible by the attacker, so it is impossible to hide whether your jQuery is vulnerable. Even if you hide the version, the attacker can compare the code, or just try an exploit, to determine whether you are vulnerable. Hiding the version number may make it slightly more work, but realisticly it accomplishes little.
Furthermore, there are other ways to mitigate this:
- Keep in the loop about security problems in the libraries you use. Subscribe to a mailing list or another publishing method for security problems.
- Update the client libraries whenever a security problem is identified.
If you always have a non-vulnerable version because you update regurarly, it is no problem that the version is disclosed. And you can tell your client that this is the way you mitigate the information disclosure.
answered 20 hours ago
SjoerdSjoerd
22k9 gold badges51 silver badges71 bronze badges
Agreed, just a small note: "Hiding the version number may make it slightly more work" I'd argue it's a bit more than "slightly": in order to map code back to a version number (in order to plug that version number into a CVE search), you have to have an index of all variants (minified, maybe with different packers) of all versions of all relevant libraries. A dedicated attacker might do this if they suspect there will be an exploitable vulnerability, but most of the time, the vulns of client-side libraries are not reachable or have a limited impact. I think few attackers would bother.
– Luc
20 hours ago
@Luc I would argue that it's simply useless, you can access this through$.fn.jquery, way easier than scrapping the comments which may anyway be unreadable in most sources because of SOP.
– Kaiido
5 hours ago
add a comment |
The security impact of exposing the version number is that an attacker can instantly see whether your version is vulnerable to a known vulnerability. For example, jQuery before 3.4.0 is vulnerable to CVE-2019-11358, so it is useful information for an attacker to know whether your jQuery is 3.3.9 or 3.4.1.
However, with JavaScript that runs in the browser the complete source code is accessible by the attacker, so it is impossible to hide whether your jQuery is vulnerable. Even if you hide the version, the attacker can compare the code, or just try an exploit, to determine whether you are vulnerable. Hiding the version number may make it slightly more work, but realisticly it accomplishes little.
Furthermore, there are other ways to mitigate this:
- Keep in the loop about security problems in the libraries you use. Subscribe to a mailing list or another publishing method for security problems.
- Update the client libraries whenever a security problem is identified.
If you always have a non-vulnerable version because you update regurarly, it is no problem that the version is disclosed. And you can tell your client that this is the way you mitigate the information disclosure.
answered 20 hours ago
SjoerdSjoerd
22k9 gold badges51 silver badges71 bronze badges
The security impact of exposing the version number is that an attacker can instantly see whether your version is vulnerable to a known vulnerability. For example, jQuery before 3.4.0 is vulnerable to CVE-2019-11358, so it is useful information for an attacker to know whether your jQuery is 3.3.9 or 3.4.1.
However, with JavaScript that runs in the browser the complete source code is accessible by the attacker, so it is impossible to hide whether your jQuery is vulnerable. Even if you hide the version, the attacker can compare the code, or just try an exploit, to determine whether you are vulnerable. Hiding the version number may make it slightly more work, but realisticly it accomplishes little.
Furthermore, there are other ways to mitigate this:
- Keep in the loop about security problems in the libraries you use. Subscribe to a mailing list or another publishing method for security problems.
- Update the client libraries whenever a security problem is identified.
If you always have a non-vulnerable version because you update regurarly, it is no problem that the version is disclosed. And you can tell your client that this is the way you mitigate the information disclosure.
answered 20 hours ago
SjoerdSjoerd
22k9 gold badges51 silver badges71 bronze badges
answered 20 hours ago
SjoerdSjoerd
22k9 gold badges51 silver badges71 bronze badges
answered 20 hours ago
SjoerdSjoerd
22k9 gold badges51 silver badges71 bronze badges
answered 20 hours ago
SjoerdSjoerd
22k9 gold badges51 silver badges71 bronze badges
22k9 gold badges51 silver badges71 bronze badges
Agreed, just a small note: "Hiding the version number may make it slightly more work" I'd argue it's a bit more than "slightly": in order to map code back to a version number (in order to plug that version number into a CVE search), you have to have an index of all variants (minified, maybe with different packers) of all versions of all relevant libraries. A dedicated attacker might do this if they suspect there will be an exploitable vulnerability, but most of the time, the vulns of client-side libraries are not reachable or have a limited impact. I think few attackers would bother.
– Luc
20 hours ago
@Luc I would argue that it's simply useless, you can access this through$.fn.jquery, way easier than scrapping the comments which may anyway be unreadable in most sources because of SOP.
– Kaiido
5 hours ago
add a comment |
Agreed, just a small note: "Hiding the version number may make it slightly more work" I'd argue it's a bit more than "slightly": in order to map code back to a version number (in order to plug that version number into a CVE search), you have to have an index of all variants (minified, maybe with different packers) of all versions of all relevant libraries. A dedicated attacker might do this if they suspect there will be an exploitable vulnerability, but most of the time, the vulns of client-side libraries are not reachable or have a limited impact. I think few attackers would bother.
– Luc
20 hours ago
@Luc I would argue that it's simply useless, you can access this through$.fn.jquery, way easier than scrapping the comments which may anyway be unreadable in most sources because of SOP.
– Kaiido
5 hours ago
Agreed, just a small note: "Hiding the version number may make it slightly more work" I'd argue it's a bit more than "slightly": in order to map code back to a version number (in order to plug that version number into a CVE search), you have to have an index of all variants (minified, maybe with different packers) of all versions of all relevant libraries. A dedicated attacker might do this if they suspect there will be an exploitable vulnerability, but most of the time, the vulns of client-side libraries are not reachable or have a limited impact. I think few attackers would bother.
– Luc
20 hours ago
Agreed, just a small note: "Hiding the version number may make it slightly more work" I'd argue it's a bit more than "slightly": in order to map code back to a version number (in order to plug that version number into a CVE search), you have to have an index of all variants (minified, maybe with different packers) of all versions of all relevant libraries. A dedicated attacker might do this if they suspect there will be an exploitable vulnerability, but most of the time, the vulns of client-side libraries are not reachable or have a limited impact. I think few attackers would bother.
– Luc
20 hours ago
@Luc I would argue that it's simply useless, you can access this through
$.fn.jquery, way easier than scrapping the comments which may anyway be unreadable in most sources because of SOP.– Kaiido
5 hours ago
@Luc I would argue that it's simply useless, you can access this through
$.fn.jquery, way easier than scrapping the comments which may anyway be unreadable in most sources because of SOP.– Kaiido
5 hours ago
add a comment |
Knowing the version number is not a security misconfiguration. The risk of exposing version numbers is an "information disclosure". This can create a hazard if knowing this information equips an attacker to craft an exploit for a vulnerability in that specific version.
Even if the library ends up containing a vulnerability, it is still not a security misconfiguration issue. That would be "A9-Using Components with Known Vulnerabilities".
So, it appears that the client has an incorrect and rigid understanding of the risks and the situation.
answered 20 hours ago
schroeder♦schroeder
84.7k34 gold badges188 silver badges228 bronze badges
add a comment |
Knowing the version number is not a security misconfiguration. The risk of exposing version numbers is an "information disclosure". This can create a hazard if knowing this information equips an attacker to craft an exploit for a vulnerability in that specific version.
Even if the library ends up containing a vulnerability, it is still not a security misconfiguration issue. That would be "A9-Using Components with Known Vulnerabilities".
So, it appears that the client has an incorrect and rigid understanding of the risks and the situation.
answered 20 hours ago
schroeder♦schroeder
84.7k34 gold badges188 silver badges228 bronze badges
add a comment |
Knowing the version number is not a security misconfiguration. The risk of exposing version numbers is an "information disclosure". This can create a hazard if knowing this information equips an attacker to craft an exploit for a vulnerability in that specific version.
Even if the library ends up containing a vulnerability, it is still not a security misconfiguration issue. That would be "A9-Using Components with Known Vulnerabilities".
So, it appears that the client has an incorrect and rigid understanding of the risks and the situation.
answered 20 hours ago
schroeder♦schroeder
84.7k34 gold badges188 silver badges228 bronze badges
Knowing the version number is not a security misconfiguration. The risk of exposing version numbers is an "information disclosure". This can create a hazard if knowing this information equips an attacker to craft an exploit for a vulnerability in that specific version.
Even if the library ends up containing a vulnerability, it is still not a security misconfiguration issue. That would be "A9-Using Components with Known Vulnerabilities".
So, it appears that the client has an incorrect and rigid understanding of the risks and the situation.
answered 20 hours ago
schroeder♦schroeder
84.7k34 gold badges188 silver badges228 bronze badges
answered 20 hours ago
schroeder♦schroeder
84.7k34 gold badges188 silver badges228 bronze badges
answered 20 hours ago
schroeder♦schroeder
84.7k34 gold badges188 silver badges228 bronze badges
answered 20 hours ago
schroeder♦schroeder
84.7k34 gold badges188 silver badges228 bronze badges
84.7k34 gold badges188 silver badges228 bronze badges
add a comment |
add a comment |
I'm not 100% sure whether or not this is a duplicate question, if it should be marked as such please do so mods, but I think that the advice in this particular post "Is there a base version of jQuery which has no XSS Vulnerability" would be useful in solving the problem for your clients.
One of the main factors you'll have to evaluate in addressing the general question is whether the proposed security solution is a good ROI for your client, is it worth writing an exception into the security policy, or perhaps implementing code to strip out the version numbers returned (or as the commenter notes potentially ditching jQuery) to mitigate the risk of exposing the version number. In many cases it won't be, but in other it will, and it will all depend on the individual situation. However, you should definitely verify the versions that you are using aren't already compromised by using something like cvedetails or the NIST National Vulnerability Database.
As to why Bootstrap is reported that is likely down to the scanner (which you didn't mention) and tests you're using for evaluation. According to the logic of the OWASP Security Misconfiguration it could be seen as a vulnerability as well and should/should not be addressed for the same reason. Regardless, exposing that information does give any potential attacker another data point from which to conduct research and potentially identify vulnerabilities.
answered 21 hours ago
jfran3jfran3
716 bronze badges
add a comment |
I'm not 100% sure whether or not this is a duplicate question, if it should be marked as such please do so mods, but I think that the advice in this particular post "Is there a base version of jQuery which has no XSS Vulnerability" would be useful in solving the problem for your clients.
One of the main factors you'll have to evaluate in addressing the general question is whether the proposed security solution is a good ROI for your client, is it worth writing an exception into the security policy, or perhaps implementing code to strip out the version numbers returned (or as the commenter notes potentially ditching jQuery) to mitigate the risk of exposing the version number. In many cases it won't be, but in other it will, and it will all depend on the individual situation. However, you should definitely verify the versions that you are using aren't already compromised by using something like cvedetails or the NIST National Vulnerability Database.
As to why Bootstrap is reported that is likely down to the scanner (which you didn't mention) and tests you're using for evaluation. According to the logic of the OWASP Security Misconfiguration it could be seen as a vulnerability as well and should/should not be addressed for the same reason. Regardless, exposing that information does give any potential attacker another data point from which to conduct research and potentially identify vulnerabilities.
answered 21 hours ago
jfran3jfran3
716 bronze badges
add a comment |
I'm not 100% sure whether or not this is a duplicate question, if it should be marked as such please do so mods, but I think that the advice in this particular post "Is there a base version of jQuery which has no XSS Vulnerability" would be useful in solving the problem for your clients.
One of the main factors you'll have to evaluate in addressing the general question is whether the proposed security solution is a good ROI for your client, is it worth writing an exception into the security policy, or perhaps implementing code to strip out the version numbers returned (or as the commenter notes potentially ditching jQuery) to mitigate the risk of exposing the version number. In many cases it won't be, but in other it will, and it will all depend on the individual situation. However, you should definitely verify the versions that you are using aren't already compromised by using something like cvedetails or the NIST National Vulnerability Database.
As to why Bootstrap is reported that is likely down to the scanner (which you didn't mention) and tests you're using for evaluation. According to the logic of the OWASP Security Misconfiguration it could be seen as a vulnerability as well and should/should not be addressed for the same reason. Regardless, exposing that information does give any potential attacker another data point from which to conduct research and potentially identify vulnerabilities.
answered 21 hours ago
jfran3jfran3
716 bronze badges
I'm not 100% sure whether or not this is a duplicate question, if it should be marked as such please do so mods, but I think that the advice in this particular post "Is there a base version of jQuery which has no XSS Vulnerability" would be useful in solving the problem for your clients.
One of the main factors you'll have to evaluate in addressing the general question is whether the proposed security solution is a good ROI for your client, is it worth writing an exception into the security policy, or perhaps implementing code to strip out the version numbers returned (or as the commenter notes potentially ditching jQuery) to mitigate the risk of exposing the version number. In many cases it won't be, but in other it will, and it will all depend on the individual situation. However, you should definitely verify the versions that you are using aren't already compromised by using something like cvedetails or the NIST National Vulnerability Database.
As to why Bootstrap is reported that is likely down to the scanner (which you didn't mention) and tests you're using for evaluation. According to the logic of the OWASP Security Misconfiguration it could be seen as a vulnerability as well and should/should not be addressed for the same reason. Regardless, exposing that information does give any potential attacker another data point from which to conduct research and potentially identify vulnerabilities.
answered 21 hours ago
jfran3jfran3
716 bronze badges
answered 21 hours ago
jfran3jfran3
716 bronze badges
answered 21 hours ago
jfran3jfran3
716 bronze badges
answered 21 hours ago
jfran3jfran3
716 bronze badges
716 bronze badges
add a comment |
add a comment |
It is a very, very old pattern of thought in cybersecurity that exposing the version number of something is a security hazard.
Allegedly, it makes the work easier for attackers, because if they know the version of whatever it is you are running, they can look up the vulnerabilities that apply to that version.
Actually, that is what security scanners are doing. Nessus et al have a built-in database of vulnerabilities by version number. So unless you never scan yourself, hiding that information is shooting yourself in the foot.
Except that both scanners and attackers (who use scanners, you know?) have other means than a simple strcmp() to determine the version number of something. It's a bit more effort, and can't always pinpoint an exact number, but no attacker worth anything will confuse jQuery 3.3.0 with jQuery 2.2.1
Non-script-kiddie level attackers also have several other methods to figure out what you're running, from fingerprinting to simply testing automatically a few hundred exploits and checking which work.
Hiding the version number gives you a very small amount of additional security. If you have nothing else left to do, you can do it or not. As long as you have any real security issues to fix, spend your time on those.
Lastly, exposing the version number is not a case of a Security Misconfiguration. If your tool reports it as such, report that bug upstream so your tool can get fixed.
answered 1 hour ago
TomTom
6,2979 silver badges37 bronze badges
add a comment |
It is a very, very old pattern of thought in cybersecurity that exposing the version number of something is a security hazard.
Allegedly, it makes the work easier for attackers, because if they know the version of whatever it is you are running, they can look up the vulnerabilities that apply to that version.
Actually, that is what security scanners are doing. Nessus et al have a built-in database of vulnerabilities by version number. So unless you never scan yourself, hiding that information is shooting yourself in the foot.
Except that both scanners and attackers (who use scanners, you know?) have other means than a simple strcmp() to determine the version number of something. It's a bit more effort, and can't always pinpoint an exact number, but no attacker worth anything will confuse jQuery 3.3.0 with jQuery 2.2.1
Non-script-kiddie level attackers also have several other methods to figure out what you're running, from fingerprinting to simply testing automatically a few hundred exploits and checking which work.
Hiding the version number gives you a very small amount of additional security. If you have nothing else left to do, you can do it or not. As long as you have any real security issues to fix, spend your time on those.
Lastly, exposing the version number is not a case of a Security Misconfiguration. If your tool reports it as such, report that bug upstream so your tool can get fixed.
answered 1 hour ago
TomTom
6,2979 silver badges37 bronze badges
add a comment |
It is a very, very old pattern of thought in cybersecurity that exposing the version number of something is a security hazard.
Allegedly, it makes the work easier for attackers, because if they know the version of whatever it is you are running, they can look up the vulnerabilities that apply to that version.
Actually, that is what security scanners are doing. Nessus et al have a built-in database of vulnerabilities by version number. So unless you never scan yourself, hiding that information is shooting yourself in the foot.
Except that both scanners and attackers (who use scanners, you know?) have other means than a simple strcmp() to determine the version number of something. It's a bit more effort, and can't always pinpoint an exact number, but no attacker worth anything will confuse jQuery 3.3.0 with jQuery 2.2.1
Non-script-kiddie level attackers also have several other methods to figure out what you're running, from fingerprinting to simply testing automatically a few hundred exploits and checking which work.
Hiding the version number gives you a very small amount of additional security. If you have nothing else left to do, you can do it or not. As long as you have any real security issues to fix, spend your time on those.
Lastly, exposing the version number is not a case of a Security Misconfiguration. If your tool reports it as such, report that bug upstream so your tool can get fixed.
answered 1 hour ago
TomTom
6,2979 silver badges37 bronze badges
It is a very, very old pattern of thought in cybersecurity that exposing the version number of something is a security hazard.
Allegedly, it makes the work easier for attackers, because if they know the version of whatever it is you are running, they can look up the vulnerabilities that apply to that version.
Actually, that is what security scanners are doing. Nessus et al have a built-in database of vulnerabilities by version number. So unless you never scan yourself, hiding that information is shooting yourself in the foot.
Except that both scanners and attackers (who use scanners, you know?) have other means than a simple strcmp() to determine the version number of something. It's a bit more effort, and can't always pinpoint an exact number, but no attacker worth anything will confuse jQuery 3.3.0 with jQuery 2.2.1
Non-script-kiddie level attackers also have several other methods to figure out what you're running, from fingerprinting to simply testing automatically a few hundred exploits and checking which work.
Hiding the version number gives you a very small amount of additional security. If you have nothing else left to do, you can do it or not. As long as you have any real security issues to fix, spend your time on those.
Lastly, exposing the version number is not a case of a Security Misconfiguration. If your tool reports it as such, report that bug upstream so your tool can get fixed.
answered 1 hour ago
TomTom
6,2979 silver badges37 bronze badges
answered 1 hour ago
TomTom
6,2979 silver badges37 bronze badges
answered 1 hour ago
TomTom
6,2979 silver badges37 bronze badges
answered 1 hour ago
TomTom
6,2979 silver badges37 bronze badges
6,2979 silver badges37 bronze badges
add a comment |
add a comment |
stormtrooper is a new contributor. Be nice, and check out our Code of Conduct.
stormtrooper is a new contributor. Be nice, and check out our Code of Conduct.
stormtrooper is a new contributor. Be nice, and check out our Code of Conduct.
stormtrooper is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f215205%2fin-which-case-does-the-security-misconfiguration-vulnerability-apply-to%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
I think you have a logic error in that information disclosure is being equated as a security misconfiguration. They are in no way the same or related.
– schroeder♦
21 hours ago
3
"Strangely, bootstrap version in the same file is not reported as a security risk." They might have randomly spotted the jQuery version number and reported that. Or they might think that it's redundant to nitpick over every version number they found. Or their automated tool just spotted the jQuery one. Just like software is never bug-free because the programmer doesn't think of every edge case or know every quirk (or perhaps doesn't get enough time to do so), pentesting is also an inexact business.
– Luc
20 hours ago
Removing the version number from the license file would not help you anyways, because an attacker can just check manually what version you are using.
– MechMK1
16 hours ago