3rd party libraries can become critical components of in-house developed applications, while the benefits to using them is huge, there is also some risks to consider. In this blog post we'll look at a common 3rd party component of many web applications, Dojo Toolkit. After noticing it was included during a recent web application penetration test, it became clear that the version incorporated within the application was vulnerable, and ultimately exposed the entire application to attack.
Documented VulnerabilitiesDojo has reported some serious security issues in the past such as XSS, DOM-Based XSS, and URL Redirection so its important to stay up to date with the latest version if you leverage it within your application.
Vulnerable version: Dojo 0.4 through Dojo 1.4
Latest Version: Dojo 1.9.3
Reference: http://dojotoolkit.org/ , http://dojotoolkit.org/features/mobile
Files with known vulnerabilities
Prior attack strings
- dojox/av/FLAudio.js (allowScriptAccess:"always”)
- dojox/av/FLVideo.js (allowScriptAccess:"always”) and etc.
If you use Dojo, make sure you have an updated version installed or remove these files (if not needed) from the application's directories.