February 25, 2014 - 15:21 UTC - Tags: retire, retirejs, owasp
After scanning Norway and Alexa Top 100,000, I decided to scan the Fortune 500 companies.
In summary, 385 (77%) out of the 500 are using JavaScript libraries with known vulnerabilities, which means they will have problems with OWASP Top 10 2013-A9, Using Components with Known Vulnerabilities.
Again, I would like to stress that using a library with a known vulnerability does not necessarily mean the site is vulnerable, because the vulnerable code may not be used.
Libraries
In the charts below, red means the version has a known vulnerability.
jQuery
jQuery is a very widely used library. I was surprised, however, to find so many different and old versions in use.
jQuery UI
Loads of different versions.
jQuery-mobile
Betas and release candidates are in use here.
YUI
The Yahoo User Interface Library is also quite widely used.