Document Type : Research Article

Authors

1 Department of Information Technology, College of Computer, Qassim University, Buraydah, Saudi Arabia

2 Computers and Control Engineering Department, Faculty of Engineering, Tanta University, Tanta, Egypt

Abstract

The Open Web Application Security Project (OWASP) is a nonprofit organization working to improve software protection and the security of web applications. Its goal is also to make application security “accessible”, so that individuals and organizations can make informed decisions about security threats. OWASP maintains a repository of tools and standards for the study of web security. OWASP released an annual listing of the top 10 most common vulnerabilities on the web in 2013 and 2017. This research paper presents a comprehensive study of the Components with Known Vulnerabilities attack, which is the ninth entry (A9) among the top 10 vulnerabilities. Components with known vulnerabilities are third-party components, such as authentication frameworks, that the focal system uses. Depending on the vulnerability, the impact can range from subtle to severe. This danger arises because the application’s modules, such as libraries and frameworks, almost always run with the same high privileges as the application itself. If a vulnerable component is exploited, the attacker’s task of causing significant loss of information or taking over the server becomes easier.
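The detection step implied by the abstract is a software-composition check: compare the components an application actually ships against an advisory feed and flag any pinned version that falls inside a known-affected range. The following is an added example written for this page, not code from the paper or from OWASP; the package names, versions and advisory identifiers are constructed placeholders rather than real packages or CVEs, and the manifest format assumed is the pinned `name==version` style.

```python
"""Minimal software-composition check for OWASP A9 (components with known
vulnerabilities): match a dependency manifest against an advisory list.

Added example; not the paper's code. All package names, versions and
advisory identifiers are constructed placeholders, not real packages or CVEs.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed advisory feed: a version is affected when
# introduced <= version < fixed. A real check would load this from a
# vulnerability database instead of an inline list.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "examplelib", "introduced": "1.0.0",
     "fixed": "1.4.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "authframework", "introduced": "2.0.0",
     "fixed": "2.3.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "package": "examplelib", "introduced": "0.9.0",
     "fixed": "1.0.1", "severity": "medium"},
]

# Constructed manifest in requirements.txt style (pinned versions only).
MANIFEST = """\
# application dependencies (constructed sample)
examplelib==1.3.7
authframework==2.3.0
requests-like==2.28.1
"""


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory_id: str
    severity: str
    fixed_in: str


def parse_version(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple; missing parts count as 0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines, skipping comments and blank lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            # An unpinned dependency cannot be matched against a version range.
            raise ValueError(f"unpinned dependency not supported: {line}")
        name, version = (s.strip() for s in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed; the fixed version itself is safe."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def check_components(pins: dict, advisories: Iterable) -> list:
    """Return one Finding per advisory whose affected range contains the pinned version."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue  # component not used by this application
        if is_affected(pinned, adv["introduced"], adv["fixed"]):
            findings.append(Finding(adv["package"], pinned, adv["id"],
                                    adv["severity"], adv["fixed"]))
    return findings


def scan(manifest_text: str = MANIFEST) -> list:
    """Parse the manifest and check every pinned component against the feed."""
    return check_components(parse_manifest(manifest_text), ADVISORIES)


if __name__ == "__main__":
    for f in scan():
        print(f"{f.severity.upper():8} {f.package}=={f.version} affected by "
              f"{f.advisory_id}; upgrade to >= {f.fixed_in}")
```

On the constructed manifest only `examplelib==1.3.7` is reported: it sits inside the first advisory's range, while `authframework==2.3.0` equals the fixed version and is therefore clean. The boundary handling matters in practice, because treating the fixed version as affected produces noise and treating the introduced version as safe produces misses; the remediation for a true finding is the upgrade to the fixed version shown in the report.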

Keywords
