[Owasp-leaders] Examples of sites compromised due to old js libs?

Rogan Dawes rogan at dawes.za.net
Thu Dec 11 13:48:29 UTC 2014


It's a bit of an odd one. I'd expect dodgy JS libs to be associated
with dodgy server side code, unless the vuln is a DOM-XSS, leading to
compromise of the site via e.g. admin file upload, etc.

In other words, I don't see how vulnerable JS can lead to server side
compromise, other than through XSS and abusing existing server side
functionality as the compromised user. The whole point of client-side
JS is that it is untrusted, since it runs in an untrusted environment.
All it should be able to do is compromise the environment it is
running in, namely the user's browser.

On Mon, Dec 8, 2014 at 5:09 PM, psiinon <psiinon at gmail.com> wrote:
> Hey folks,
>
> Anyone got any examples of sites compromised via old javascript libraries
> with known vulnerabilities?
>
> A student has ported Retire.js to a ZAP add-on but her professor is not a
> security guy and wants some evidence that this is a real problem...
>
> Thanks,
>
> Simon
>
> --
> OWASP ZAP Project leader
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
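
What a Retire.js-style check like the ZAP add-on mentioned above actually does, as an added example that is not part of this thread and is not Retire.js's or ZAP's own code: extract library name/version pairs from the `<script src>` URLs in a page and match them against a table of known-vulnerable version ranges. The `VULN_TABLE` entries, the `examplelib`/`widgetkit` names and the sample page are constructed placeholders, not real advisories; the two URL patterns are an assumption about common CDN path layouts, not the full set of fingerprints a real scanner uses (Retire.js also hashes file contents). In Rogan's framing, every hit is a client-side finding: the direct impact is on the browser of whoever loads the page, and any server-side consequence comes only through what that user is allowed to do.

```javascript
// Added example, not from the thread, Retire.js or ZAP: a minimal
// "old JS library with a known issue" detector in the style of Retire.js.
// CONSTRUCTED placeholder data; library names and ranges are not real advisories.
const VULN_TABLE = [
  { lib: 'examplelib', atOrAbove: '1.0.0', below: '1.6.3',
    info: 'PLACEHOLDER: DOM-based XSS in selector handling' },
  { lib: 'widgetkit', atOrAbove: '2.0.0', below: '2.4.0',
    info: 'PLACEHOLDER: prototype pollution in extend()' },
];

// Assumed CDN path layouts: ".../name-1.2.3[.min].js" and ".../name/1.2.3/anything.js".
const URL_PATTERNS = [
  /\/([a-z][a-z0-9_]*)-(\d+\.\d+\.\d+)(?:\.min)?\.js(?:[?#].*)?$/i,
  /\/([a-z][a-z0-9_]*)\/(\d+\.\d+\.\d+)\/[^/]*\.js(?:[?#].*)?$/i,
];

// Numeric dotted-version compare: negative, zero or positive like a comparator,
// so "1.10.0" sorts after "1.9.9" (string comparison would get this wrong).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Pull every <script src="..."> out of the HTML and fingerprint the ones
// whose URL carries a recognisable library name and version.
function extractScripts(html) {
  const found = [];
  const tag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = m[1];
    for (const pattern of URL_PATTERNS) {
      const mm = pattern.exec(src);
      if (mm) {
        found.push({ lib: mm[1].toLowerCase(), version: mm[2], src });
        break;
      }
    }
  }
  return found;
}

// A script is flagged when its version falls inside [atOrAbove, below) for
// a table entry with the same library name.
function findVulnerableLibs(html) {
  const hits = [];
  for (const s of extractScripts(html)) {
    for (const v of VULN_TABLE) {
      if (v.lib !== s.lib) continue;
      const inRange = compareVersions(s.version, v.atOrAbove) >= 0 &&
                      compareVersions(s.version, v.below) < 0;
      if (inRange) {
        hits.push({ lib: s.lib, version: s.version, src: s.src,
                    fixedIn: v.below, info: v.info });
      }
    }
  }
  return hits;
}

// Constructed sample page: two outdated placeholder libraries, one patched
// copy, and an application script that carries no version fingerprint.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example.test/js/examplelib-1.4.2.min.js"></script>
<script src="https://cdn.example.test/widgetkit/2.3.1/widgetkit.js"></script>
<script src="/static/examplelib-1.6.3.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>`;

for (const h of findVulnerableLibs(SAMPLE_HTML)) {
  console.log(`${h.lib} ${h.version} (${h.src}): ${h.info}; fixed in ${h.fixedIn}`);
}
```

Running the block reports `examplelib 1.4.2` and `widgetkit 2.3.1` and stays silent on the patched `examplelib-1.6.3.js`; the unversioned `app.js` is not fingerprinted at all, which is the usual blind spot of URL-based matching and the reason content hashing is layered on top in practice.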
