OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Adding Test for Outdated and Unsupported Components #1017

Open cyspad opened 1 year ago

cyspad commented 1 year ago

What would you like added?

Would you like to be assigned to this issue?

rbsec commented 1 year ago

This seems like a very generic title that could probably cover a large chunk of the guide. Are there specific technologies or areas that you're thinking about here?

cyspad commented 1 year ago

> This seems like a very generic title that could probably cover a large chunk of the guide. Are there specific technologies or areas that you're thinking about here?

In this test case, the tester checks whether it checks for vulnerable technologies and libraries (CVE).

cyspad commented 1 year ago

Dear @rbsec and @kingthorin

Developers sometimes do not update the dependencies of the application, and a dependency has known vulnerabilities (CVEs). For example, if it uses the jQuery library with version 3.4.1, it has the CVE-2020-11023 and CVE-2020-11022 vulnerabilities. There is no such test case in WSTG and I decided to add it.

kingthorin commented 1 year ago

This is covered in the information gathering section(s).

cyspad commented 1 year ago

> This is covered in the information gathering section(s).

ok thanks

rbsec commented 1 year ago

I think that this is implied by the information gathering section, but there's perhaps some scope to make it a bit more explicit in some of the sections, and maybe to point to some specific tools (like retire.js) and references (wpscan vuln db, Snyk, etc) that can make this easier.

cyspad commented 1 year ago

OK, but sometimes you don't have any information about your target, and you must start testing CVE (Black Box) with some tools like nuclei or nmap (--script vulners).

cyspad commented 1 year ago

> I think that this is implied by the information gathering section, but there's perhaps some scope to make it a bit more explicit in some of the sections, and maybe to point to some specific tools (like retire.js) and references (wpscan vuln db, Snyk, etc) that can make this easier.

Please tell me whether I should add a new test case or edit some part of the information gathering test cases (send a link to the section).

kingthorin commented 1 year ago

> OK, but sometimes you don't have any information about your target, and you must start testing CVE (Black Box) with some tools like nuclei or nmap (--script vulners).

No, you don’t jump straight to vuln scanning without having done recon.

cyspad commented 1 year ago

Dear @kingthorin, I completely agree with you. But please consider this: in some cases, it only sees the type of web server or technology in the fingerprint. You should not be careless in these cases, and you should start black-box testing or scanning.

cyspad commented 1 year ago

I'm ready to add or edit on this topic.

cyspad commented 1 year ago

I have a question: can a Test for Race Condition be added to WSTG?

kingthorin commented 1 year ago

  1. Yes this should be added, as part of an existing section. I’ll get back to you once I look around.
  2. I believe there’s already an open issue for Race Conditions.

cyspad commented 1 year ago

> 1. Yes this should be added, as part of an existing section. I’ll get back to you once I look around.
> 2. I believe there’s already an open issue for Race Conditions.

OK, I open an issue for race condition, and for the Test for Outdated and Unsupported Components issue I am waiting for your decision.

cyspad commented 1 year ago

Hello, can you assign it to me?

cyspad commented 1 year ago

Thanks, which one of the sections should be updated?

kingthorin commented 1 year ago

Hey @cyspad sorry I haven’t been able to get back to this. I’ll try to get you an answer later today or tomorrow.

cyspad commented 1 year ago

Thank you very much.

cyspad commented 1 year ago

Dear @kingthorin Any update?

kingthorin commented 1 year ago

Sorry, it’s still sitting in my inbox. Some stuff has just gotten in my way.

cyspad commented 1 year ago

> Sorry, it’s still sitting in my inbox. Some stuff has just gotten in my way.

ok thanks.

kingthorin commented 1 year ago

I believe this could be covered briefly as objectives of WSTG-INFO-08. It's already covered as part of the objective for WSTG-INFO-02.
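
The check discussed in this thread (fingerprint a component's version during information gathering, then compare it with the release that fixed a known CVE), as an added example that is not part of the issue or of WSTG. The helper names and the sample page are constructed; the advisory table holds only the two jQuery CVEs named in the thread, and the fixed version 3.5.0 is taken from jQuery's public advisories rather than from this page.

```javascript
// Added example. Advisory data: the two CVEs named in the thread;
// "fixedIn" comes from jQuery's public advisories (assumption, not on the page).
const ADVISORIES = {
  jquery: [
    { id: "CVE-2020-11022", fixedIn: "3.5.0" },
    { id: "CVE-2020-11023", fixedIn: "3.5.0" },
  ],
};

// Two fingerprint sources: the script file name and the banner comment in the file.
const FINGERPRINTS = [
  { component: "jquery", re: /jquery[-.](\d+\.\d+\.\d+)(?:\.slim)?(?:\.min)?\.js/gi },
  { component: "jquery", re: /\/\*!\s*jQuery v(\d+\.\d+\.\d+)/g },
];

// Numeric comparison per segment, so 3.10.0 sorts after 3.9.1.
// Pre-release suffixes (e.g. -rc.1) are not handled in this sketch.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Collect each distinct component@version seen in the response text.
function detectComponents(text) {
  const found = new Map();
  for (const { component, re } of FINGERPRINTS) {
    for (const m of text.matchAll(re)) {
      found.set(`${component}@${m[1]}`, { component, version: m[1] });
    }
  }
  return [...found.values()];
}

// Report every advisory whose fixed version is newer than the detected one.
function findOutdated(text) {
  return detectComponents(text).flatMap(({ component, version }) =>
    (ADVISORIES[component] || [])
      .filter((a) => compareVersions(version, a.fixedIn) < 0)
      .map((a) => ({ component, version, advisory: a.id, fixedIn: a.fixedIn })));
}

// Constructed sample: markup plus the first line of a fetched library file.
const SAMPLE_PAGE = `
<script src="/static/js/jquery-3.4.1.min.js"></script>
<script src="https://cdn.example.test/jquery-3.5.0.min.js"></script>
/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */
`;
console.log(findOutdated(SAMPLE_PAGE));
```

A version match is a lead to verify, not a finding on its own: distributions backport fixes without changing the version string, which is why the fingerprinting step comes first.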