[Security] Scanning Norway for JavaScript libraries

January 9, 2014 - 22:36 UTC - Tags: javascript retire.js retirejs After working on retire.js I decided to take it for a real test run. I setup a node script with phantomjs and scanned the landing page of 150,000 Norwegian domains. These are the results. You will find that a lot of sites are using really old versions of libraries with known vulnerabilities (red means the library has known vulnerabilities). I think this supports the idea that most sites have the jQuery version that was available when the site was first made. Oh, and using a vulnerable library does not necessarily mean the site is vulnerable, but it might be.

Updated 8th of February, 2014:

jQuery

jQuery is a very widely used library. I was surprised however to find so many different and old versions in use

jQuery UI

Loads of different versions

jQuery-mobile

Betas and release candidates in use here

YUI

The Yahoo User Interface Library is also quite widely used

Prototype.js

Quite a number of versions in use

Other

Permalink |

comments powered by Disqus

About Erlend

Security guy with some thoughts on secure development.

Follow me on twitter

Tag cloud

.net, .netspec, adam, ad lds, ajax, asp.net, authentication, authorization, axis, bdd, certificates, conference, cookie, craftsman, crossdomain, cross site scripting, cryptography, csp, csrf, css, escaping, firefox, flash, flex, httponly, input validation, javascript, jquery, jsonp, nosql, nosql-injection, output escaping, owasp, password, phishing, ql-injection, rails, retirejs, rfi, security, silverlight, spam, speaker, sql-injection, sql injection, ssl, talk, tdd, testing, unit testing, web services, wse, wss4j, x509, xml, xsrf, xss