The Open Web Application Security Project (OWASP) announced the fixing of a critical vulnerability in its Enterprise Security API (ESAPI) whose exploitation could have allowed threat actors to run path traversal attacks. The flaw, which involved the ESAPI validator interface, was addressed with the release of version 2.3.0.0.
OWASP ESAPI offers a security controls library that can help software developers to write more secure code. This was designed to be embedded in web applications as a proactive security measures group. Although it could be hard to exploit the exposed component, OWASP encourages users of affected versions to install the most recent version as soon as possible.
Kevin Wall, co-leader of the OWASP ESAPI project, said: “Most applications using ESAPI probably don’t have the vulnerable method enabled.” With all the vulnerabilities in the library, it’s difficult to measure how exposed a generic application is to exploiting a flaw in a library.”
The developer also mentioned that even when Validator.getValidDirectoryPath() is used within an application, that doesn’t mean it’s exploitable within your own application, so a successful attack is different as the case may be.
In most cases where exploitation is possible, the vulnerable ESAPI would be used in conjunction with a web application firewall (WAF) or intrusion detection software, further limiting the scope of the attack. The vulnerability received a score of 7.5/10 as per the Common Vulnerability Scoring System (CVSS).
Although everything indicates that it is unlikely that this flaw will be exploited in the wild, and it is even less likely that it can cause severe damage, Wall believes that developers have a lot to learn from this kind of reports. To get started, application developers using these libraries should use software analysis tools and know their respective advantages and disadvantages.
In addition, when experts decide not to address these failures, it is best to implement in-depth analysis and see exactly how a similar failure could affect the operation of your applications in order to know the best method to follow to mitigate the risk.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
