April 28, 2017

Checking NuGet Packages for Security Vulnerabilities

Another quick post on scanning projects for vulnerabilities using a quick and easy tool. End of the day, these are super quick wins for a security audit as you can identify packages that either need to be removed or should be updated to a newer version. Lame? Maybe. However, these are the small problems that can be chained with a worse vulnerability to lead to a potential critical vulnerability. I personally try my best to never lose sight of the low-hanging fruit (aka never forget the low severity issues, they matter too!).

So, let's get into the actual interesting part of this post. I'm going to outline a scenario for when using this workflow might make sense, but this likely isn't the ONLY situation when this workflow will be useful.

The Scenario

You've been asked to do a security review of a new .NET web project. You've been given the source code, and you're expected to get a security review done ASAP. One of the easiest wins is to check whether the packages being used contain known vulnerabilities. If so, that's sure as hell a finding!

Technical Details

In general, most .NET projects (C#, Visual C++, ASP.NET, etc) use Nuget to handle external dependency management. Simply put, Nuget is like PIP for Python, SBT for Scala, NPM for NodeJS, and the list goes on. Like all package management systems, there's absolutely no auto-updating of dependencies because THAT MIGHT BREAK THE BUILD. So, how do we audit the external dependencies of a .NET project? Let me introduce you to DevAudit.

DevAudit offers a TON of options, but I specifically use it to audit Nuget packages for .NET applications. You're highly encouraged to check out the other features of DevAudit, but for the purpose of this post, I will be focusing on the Nuget audit features.

Auditing a Project

NOTE: For once, I will be making a huge assumption you are using Powershell on a newer version of Windows. DevAudit, in my tests, runs best on Windows. You can get it to work on Linux, but you will need to figure out .NET Core shenanigans which has arguably gotten easier as of lately.

Grab the latest version of DevAudit from their releases section of Github. Open up your trusty Powershell console, and run the following command.

That little snippet will add the DevAudit directory to your Powershell path so it's less painful to run the program. Using Powershell, navigate into your project's directory and locate the Packages.config file. This is the file that contains the list of Nuget packages used in the project and the version used. This also happens to be the file DevAudit needs to audit the project. Be sure to be in the same directory as the Packages.config file.

Now simply run, devaudit.exe nuget . -- I've included some sample output from a random project I pulled off Github.

That simple. The report is color-coded, but Github Gists can't capture that. Sorry. Overall, I found this tool to be incredibly easy to use and provided incredibly helpful output for a recent assessment. Hopefully someone else benefits from using this tool.

Suggestions, comments? Post 'em below!


  1. Thanks for sharing valuable information. Your blogs were helpful to Dot NET learners. I
    request to update the blog through step-by-step. Also, find the Dot net news at Dot NET Online Training Bangalore

    1. Great Article Cyber Security Projects projects for cse Networking Security Projects JavaScript Training in Chennai JavaScript Training in Chennai The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

  2. keep up the good work. this is an Assam post. this to helpful, i have reading here all post. i am impressed. thank you. this is our digital marketing training center.

    Dot Net Training in Chennai | Dot Net Training in anna nagar | Dot Net Training in omr | Dot Net Training in porur | Dot Net Training in tambaram | Dot Net Training in velachery


The S3 Bucket Problem - The Latest Vuln to Become Popular

Yes, yes, I'm late to the party, I know. Poorly secured Amazon S3 buckets have been a thing for a while now, but recently there's...