Burp Suite User Forum

Detection of outdated components

Harald | Last updated: Jun 20, 2018 06:15PM UTC

Dear all, How can I know if a specific component is outdated and whether it will be detected by BurpSuite? Specifically, I had a complaint from a customer: we did not detect that primefaces 5.x is vulnerable (CVE-2017-1000486). In the burp-log I can see primefaces 5.x was in a server response. Does Retire.js help here? Best regards and thanks in advance.

PortSwigger Agent | Last updated: Jun 21, 2018 10:13AM UTC

Hi Harald, Thanks for your message. This is not something that core Burp does; the Scanner focuses on detecting novel application flaws such as SQL injection. Many security firms use a separate scanning tool for this purpose, such as Nessus. There are also a couple of extensions: Retire.JS that you mention and Software Vulnerability Scanner. Please let us know if you need any further assistance.

Burp User | Last updated: Aug 13, 2018 11:01AM UTC

For vulnerable components assessment, OWASP Dependency Check is an open-source scanner which might be helpful in this case. https://www.owasp.org/index.php/OWASP_Dependency_Check
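The situation in the question (a component version visible in a logged server response) can be checked passively. The following is an added example, not part of the thread and not code from Burp or any extension named above. It assumes PrimeFaces resource links carry `ln=primefaces` and `v=<version>` query parameters; the sample response is constructed, and the flagged major version `5` is taken from the question.

```python
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

# Assumption: JSF resource links look like
#   /javax.faces.resource/<name>.xhtml?ln=primefaces&v=<version>
RESOURCE_URL = re.compile(
    r'''(?:src|href)\s*=\s*["']([^"']*javax\.faces\.resource[^"']*)["']''',
    re.IGNORECASE,
)

def primefaces_versions(body):
    """Return the sorted PrimeFaces versions advertised in a response body."""
    versions = set()
    for raw in RESOURCE_URL.findall(body):
        # Attribute values are HTML-escaped (&amp;), so unescape before parsing.
        query = parse_qs(urlsplit(unescape(raw)).query)
        # Exact match on the library name: themes such as
        # "primefaces-aristo" are separate resources and are skipped.
        if "primefaces" in query.get("ln", []):
            versions.update(query.get("v", []))
    return sorted(versions)

def flag_outdated(body, flagged_majors=("5",)):
    """Return versions whose major number is in flagged_majors.

    The default flags 5.x as in the question; take the exact fixed
    releases from the vendor advisory before reporting a finding.
    """
    return [v for v in primefaces_versions(body)
            if v.split(".")[0] in flagged_majors]

# Constructed sample response body, for illustration only.
SAMPLE = '''<html><head>
<link rel="stylesheet" href="/app/javax.faces.resource/theme.css.xhtml?ln=primefaces-aristo" />
<script src="/app/javax.faces.resource/jquery/jquery.js.xhtml?ln=primefaces&amp;v=5.3"></script>
<script src="/app/javax.faces.resource/primefaces.js.xhtml?ln=primefaces&amp;v=5.3"></script>
</head><body></body></html>'''

if __name__ == "__main__":
    for version in flag_outdated(SAMPLE):
        print(f"PrimeFaces {version} advertised in response: review against advisory")
```

A version string in a response only shows what the server advertises; a dependency scanner run against the build, as suggested above, confirms what is actually deployed.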
