{% extends 'introduction/base.html' %}
{% block content %}
{% block title %}
<title>Using Components with Known Vulnerabilities</title>
{% endblock %}
<div class="content">
    <h3>Using Components with Known Vulnerabilities</h3>
    <div class="box">

        <h4>What does Using Components with Know Vulnerability means?</h4>
        <p class="bp"> When a developer uses a piece of code or library which already has a known vulnerability, then
            this may result in compromise of the entire application. This occurs when the components such as libraries
            and frameworks used within the app mostly execute with full privileges. If a vulnerable component is
            exploited, it makes the hacker’s job easier to cause a serious data loss or server takeover.

        </p>
        </p>
        <button class="coll btn btn-info">Lab 1 Details</button>
        <div class="lab">
            <p class="bp">
                This lab helps us to understand why components with known vulnerabilities can be a serious issue.
                <br>
                The user on accessing the lab is provided with a feature to convert yaml files into json objects.
                A yaml file needs to be chosen and uploaded to get the json data.
                There is also a get version feature which tells the user the version of the library the app uses.

                <b>Exploiting the vulnerability.</b>
            <ul>
                <li>The app uses <code>pyyaml 5.1</code> Which is vulnerable to code execution.</li>
                <li>You can google the library with the version to get the poc and vulnerability details</li>
                <li>Libraries known for the infamous code injection vulnerabilities are PyYAML 5.4 and Log4J </li>
                <li> Create An yaml file with this payload:</li>
                <code>!!python/object/apply:subprocess.Popen<br>
                - ls
            </code>
                <li> On Uploading this file the user should be able to see the output of the command executed in the
                    Terminal running Django.</li>

            </ul>

            </p>
            </p>

            <br>
            <div align="right"> <button class="btn btn-info" type="button"
                    onclick="window.location.href='/a9_lab'">Access Lab</button></div>

            </p>
        </div>
        <button class="coll btn btn-info">Lab 2 Details</button>
        <div class="lab">
            <p class="bp">
                This lab helps us to understand why components with known vulnerabilities can be a serious issue.
                <br>
                This is website for some image manupulation.    

                <b>Exploiting the vulnerability.</b>
                <ul>
                    <li>The app uses <code>Pillow 8.0.0</code> Which is vulnerable to code execution.</li>
                    <li>You can google the library with the version to get the poc and vulnerability details</li>
                </ul>

            </p>
            <br>
            <div align="right"> <button class="btn btn-info" type="button"
                    onclick="window.location.href='/a9_lab2'">Access Lab</button></div>

            </p>
        </div>
        <br>
        <h4>Mitigation</h4>
        <p class="bp">
        <ul>
            <li>Remove unused dependencies, unnecessary features, components, files, and documentation.</li>
            <li>Only obtain components from official sources over secure links. Prefer signed packages to reduce the
                chance of including a modified, malicious component.</li>
            <li>Monitor for libraries and components that are unmaintained or do not create security patches for older
                versions. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect
                against the discovered issue.</li>
            <li>Use Library scanners to test for Vulnerabilities in packages.</li>



        </ul>
        </p>



    </div>
</div>



{% endblock %}