February 24, 2014 - 20:10 UTC
After scanning Norway, I decided to scan the Alexa top 100,000 sites. In summary, over 60% are using JavaScript libraries with known vulnerabilities, which means they will have problems with OWASP Top 10 2013-A9, Using Components with Known Vulnerabilities. I would like to stress, though, that using a library with a known vulnerability does not necessarily mean the site is vulnerable, because the vulnerable code may not be used.
Overall results
Top 1,000 - 551 - 55.1% using libraries with known vulnerabilities
Top 10,000 - 6,185 - 61.85% using libraries with known vulnerabilities
Top 100,000 - 60,866 - 60.866% using libraries with known vulnerabilities
Libraries
jQuery
jQuery is a very widely used library. I was surprised, however, to find so many different and old versions in use.
jQuery UI
Loads of different versions
jQuery-mobile
Betas and release candidates in use here
YUI
The Yahoo User Interface Library is also quite widely used.
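For checking your own pages against the libraries listed above, here is an added example (not the scanner behind these results and not code from the original post) that pulls library versions out of script URLs and compares them with a "fixed in" threshold, ranking betas and release candidates below the final release. The threshold versions, URL patterns, file names and the `auditScripts` helper are constructed assumptions.

```javascript
// Thresholds are CONSTRUCTED placeholders; take real ones from an advisory feed.
const FIXED_IN = { 'jquery': '1.9.0', 'jquery-ui': '1.10.0', 'jquery-mobile': '1.2.0', 'yui': '3.10.0' };
// Most specific pattern first, so "jquery-ui" is never reported as "jquery".
const PATTERNS = [
  ['jquery-ui', /jquery-ui[-.]([0-9][0-9a-z.-]*?)(?:\.custom)?(?:\.min)?\.js/i],
  ['jquery-mobile', /jquery\.mobile[-.]([0-9][0-9a-z.-]*?)(?:\.min)?\.js/i],
  ['jquery', /jquery[-.]([0-9][0-9a-z.-]*?)(?:\.min)?\.js/i],
  ['yui', /\/yui\/([0-9][0-9a-z.-]*?)\/build\//i], // assumed path layout
];
const STAGE = { a: 0, alpha: 0, b: 1, beta: 1, rc: 2 }; // a final release ranks 3

// "1.0rc2" -> { nums: [1, 0], stage: 2, pre: [2] }; null when the format is unknown.
function parseVersion(v) {
  const m = /^(\d+(?:\.\d+)*)[-.]?(?:(alpha|beta|rc|a|b)[-.]?(\d+(?:\.\d+)*)?)?$/i.exec(String(v));
  if (!m) return null;
  const stage = m[2] ? STAGE[m[2].toLowerCase()] : 3;
  return { nums: m[1].split('.').map(Number), stage, pre: (m[3] || '0').split('.').map(Number) };
}
// Compare numeric lists part by part; missing parts count as 0 (1.4 == 1.4.0).
function cmpLists(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}
// Returns -1, 0 or 1; NaN when either side cannot be parsed.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  if (!x || !y) return NaN;
  return cmpLists(x.nums, y.nums) || Math.sign(x.stage - y.stage) || cmpLists(x.pre, y.pre);
}
// Classify each script URL against the "fixed in" threshold for its library.
function auditScripts(urls, fixedIn) {
  return urls.map((url) => {
    for (const [lib, re] of PATTERNS) {
      const m = re.exec(url);
      if (!m) continue;
      const c = compareVersions(m[1], fixedIn[lib]);
      const status = Number.isNaN(c) ? 'unparsed' : c < 0 ? 'known-vulnerable' : 'ok';
      return { url, lib, version: m[1], status };
    }
    return { url, lib: null, version: null, status: 'not-recognised' };
  });
}
const SAMPLE_URLS = [ // constructed file names
  'jquery-1.6.2.min.js', 'jquery-ui-1.8.16.custom.min.js', 'jquery.mobile-1.0rc2.min.js',
  'jquery-1.9.0b1.js', 'jquery-1.11.0.min.js', 'app.js',
].map((f) => 'https://example.test/js/' + f);
console.table(auditScripts(SAMPLE_URLS, FIXED_IN));
```

A "known-vulnerable" result only says the version predates the threshold; whether the affected code path is actually reachable on the page still has to be checked by hand.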