top 10 OWASP vulnerabilities such XSS, XXE and injections will usually eventually evolve into a component with known vulnerabilities if the component that is being built is re-used. This might not be as obvious as the examples give above, it can be as obfuscated using a JQuery library with a known XSS issue in it but then not using the affected functionality. Later on though, we might decide to add functionality that does rely on the vulnerable code but we might forget to update our JQuery component. This can also be classified as both XSS and using a component with known vulnerabilities.
In short, finding these vulnerabilities should ideally be automated but one should never overlook the importance of a manual audit every now and again. As for hackers themselves, I always recommend we judge our impact extremely carefully and that we do not report any vulnerability like this in bug bounties until impact is clear. For pentesters it is always advised to at least report these issues as informative but ideally they should be exploited further if possible and at least investigated carefully.
Watch the video:
Subscribe for the latest news