Vulnerable components

The following are some of the commonly known vulnerable components in a web application:

  • Adobe Flash Player: The Adobe Flash Player was commonly used as a multimedia player within a web browser. It supports application content such as online videos, audio, and games. However, over the years, many security vulnerabilities have been discovered and recorded, and users have been moving away from using this component in their web browsers. One recent vulnerability is CVE-2018-15982, whose successful exploitation leads to arbitrary code execution on a target system.
  • JBoss Application Server: The JBoss Application Server is a Java web container that is both open source and able to operate cross-platform. At the time of writing this book, a severe vulnerability was found that enabled an attacker to remotely execute malicious code on a JBoss Application Server and therefore gain full control of the target. The vulnerability affected all JBoss Application Server versions 4.0 and prior.
  • Adobe ColdFusion: Adobe ColdFusion is a commercial web application development platform. Its design was intended to allow developers to easily connect HTML pages to a database. However, in 2018, a critical vulnerability was discovered that allows an attacker to upload data onto a compromised system without any restrictions, further allowing the attacker to gain control of the server using web shells. This vulnerability was recorded as CVE-2018-15961.

Please note that these are only some of the many vulnerable components that can be found on a web server. Over time, security researchers will continue to discover and record new vulnerabilities.

In the following section, we will briefly discuss Insecure Direct Object Reference (IDOR).
