
CWE-477: Use of Obsolete Functions

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner observed behavior suggesting that the application relies on obsolete or deprecated functions with known security weaknesses. Typical evidence is an error message or stack trace that names a deprecated API call, an HTTP response header that reveals an outdated framework or server version, or protocol and timing behavior consistent with legacy functions. Use of obsolete functions is primarily a static-analysis concern; a dynamic scanner can only infer it from version fingerprinting or error disclosure, so treat the finding as an indicator to confirm in code rather than as proof.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-477 typically indicate runtime behavior that suggests reliance on deprecated or obsolete functionality, such as:

  • Use of legacy cryptographic primitives
  • Deprecated protocol behavior
  • Responses consistent with outdated libraries or APIs

DAST does not directly identify obsolete functions; these findings indicate a likely implementation issue that must be confirmed in code.
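The following script is an added example, not part of the original guidance or of any scanner's output. It shows how a practitioner can triage captured responses for the three kinds of evidence listed above (version-disclosing headers, deprecation or stack-trace text in bodies, and mentions of legacy primitives or protocol versions) before opening the source. The captured responses, URLs and paths in it are constructed for illustration, and the regular expressions are deliberately broad heuristics, so every hit is a lead to confirm, not a confirmed finding.

```python
"""Triage DAST-captured HTTP responses for CWE-477 indicators.

Added example for this page. The captured responses below are constructed
for illustration; they are not output from any real scanner or application.
"""
import re

# Response headers that commonly disclose a server or framework version.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                   "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")

# Error text that names a deprecated call, e.g. a PHP "Deprecated:" notice or a
# Python DeprecationWarning echoed into the body.
DEPRECATION_RE = re.compile(r"\b(?:deprecated|obsolete)\b", re.IGNORECASE)
CALL_RE = re.compile(r"\b([A-Za-z_][\w.]*)\(\)")

# Stack-trace shapes from common runtimes (Python traceback, PHP "on line N",
# Java/.NET style "at ...:NN").
STACK_RE = re.compile(r"Traceback \(most recent call last\)|\bon line \d+|\bat\b .+?:\d+")

# Legacy primitives and protocol versions a response should never mention.
# Broad on purpose ("des" also matches ordinary words); this is a triage filter.
LEGACY_RE = re.compile(
    r"\b(?:MD5|SHA-?1|RC4|3?DES|SSLv[23]|TLSv1(?:\.[01])?(?!\.\d))\b", re.IGNORECASE)


def triage(responses):
    """Return (url, indicator, evidence) tuples that warrant confirmation in source."""
    findings = []
    for resp in responses:
        url = resp["url"]
        headers = {k.lower(): v for k, v in resp["headers"].items()}
        for name in VERSION_HEADERS:
            value = headers.get(name)
            if value and VERSION_RE.search(value):
                findings.append((url, "version-disclosure", f"{name}: {value}"))
        for line in resp["body"].splitlines():
            line = line.strip()
            if DEPRECATION_RE.search(line):
                # Attach every "name()" on the line so the call can be grepped for in source.
                for call in CALL_RE.findall(line) or ["<unnamed>"]:
                    findings.append((url, "deprecation-message", f"{call}: {line}"))
            elif STACK_RE.search(line):
                findings.append((url, "stack-trace", line))
            for match in LEGACY_RE.finditer(line):
                findings.append((url, "legacy-primitive", match.group(0)))
    return findings


# Constructed sample of what a DAST tool might record for four endpoints.
CAPTURED = [
    {"url": "https://app.example.test/login",
     "headers": {"Server": "Apache/2.2.15 (CentOS)", "X-Powered-By": "PHP/5.3.3"},
     "body": "<html><body>Sign in</body></html>"},
    {"url": "https://app.example.test/api/export",
     "headers": {"Content-Type": "text/html"},
     "body": "Deprecated: mysql_query(): The mysql extension is deprecated "
             "in /var/www/app/db.php on line 42"},
    {"url": "https://app.example.test/auth",
     "headers": {"Content-Type": "text/plain"},
     "body": "Traceback (most recent call last):\n"
             '  File "/srv/app/auth.py", line 17, in login\n'
             "    digest = hashlib.md5(password).hexdigest()\n"
             "TypeError: Strings must be encoded before hashing"},
    {"url": "https://app.example.test/healthz",
     "headers": {"Server": "nginx"}, "body": "ok"},
]

if __name__ == "__main__":
    for url, kind, evidence in triage(CAPTURED):
        print(f"{kind:20} {url}  {evidence}")
```

Each indicator maps to a different next step: a version disclosure is checked against the vendor's support status, a deprecation message or stack trace gives you the function name to search for in the code base, and a legacy-primitive hit points at the cryptographic or protocol configuration to review.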

Mapping DAST Findings to Source Code

CWE-477 does not map to a specific HTTP endpoint or request parameter. The issue resides in application code that invokes deprecated or obsolete APIs.

When tracing this issue in code, look for:

  • Calls to deprecated language or framework functions
  • Legacy cryptographic or encoding APIs
  • APIs marked as unsafe or removed in current documentation
  • Compatibility layers enabling obsolete behavior
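As an added example (not code from the original guidance), the scanner below does the first two bullets mechanically for a Python code base: it parses the source with the standard `ast` module and reports calls to a hand-picked table of CPython APIs that are deprecated or already removed, resolving `import x as y` and `from x import y` aliases so that a renamed import is still matched. The table is an assumption for illustration and is not a complete catalogue; extend it with the deprecations of your own frameworks. The sample source it scans is constructed.

```python
"""Find calls to known-deprecated Python APIs in source, resolving import aliases.

Added example for this page. DEPRECATED is a short, hand-picked table
(an assumption for illustration), not a complete list of deprecations.
"""
import ast

# qualified name -> supported replacement. All entries are CPython deprecations/removals.
DEPRECATED = {
    "ssl.wrap_socket": "ssl.create_default_context().wrap_socket()",      # removed in 3.12
    "ssl.match_hostname": "SSLContext.check_hostname",                     # removed in 3.12
    "cgi.escape": "html.escape",                                           # removed in 3.8
    "base64.encodestring": "base64.encodebytes",                           # removed in 3.9
    "platform.linux_distribution": "the distro package",                   # removed in 3.8
    "imp.load_source": "importlib.util",                                   # imp removed in 3.12
    "datetime.datetime.utcnow": "datetime.datetime.now(datetime.timezone.utc)",  # deprecated in 3.12
}


class DeprecatedCallFinder(ast.NodeVisitor):
    """Collects (lineno, qualified name, replacement) for every call into DEPRECATED."""

    def __init__(self):
        self.aliases = {}   # local binding -> fully qualified name (file-global, ignores shadowing)
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:
                self.aliases[alias.asname] = alias.name          # import a.b as c  -> c = a.b
            else:
                top = alias.name.split(".")[0]
                self.aliases[top] = top                          # import a.b       -> a = a
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module:                                          # skip relative "from . import x"
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        self.generic_visit(node)

    def qualname(self, node):
        """Turn an attribute chain such as dt.utcnow into 'datetime.datetime.utcnow'."""
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return None                                          # e.g. a call on a call result
        parts.append(self.aliases.get(node.id, node.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node):
        name = self.qualname(node.func)
        if name in DEPRECATED:
            self.findings.append((node.lineno, name, DEPRECATED[name]))
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Return sorted (lineno, qualified name, replacement) findings for one source file."""
    finder = DeprecatedCallFinder()
    finder.visit(ast.parse(source, filename))
    return sorted(finder.findings)


# Constructed sample source: three obsolete calls and one supported call.
SAMPLE = '''
import ssl, hashlib
from datetime import datetime
from cgi import escape as html_escape

def connect(sock, host):
    # legacy: ssl.wrap_socket does not verify the peer certificate by default
    return ssl.wrap_socket(sock)

def render(user):
    return html_escape(user)

def stamp():
    return datetime.utcnow().isoformat()

def digest(data):
    return hashlib.sha256(data).hexdigest()  # supported, must not be flagged
'''

if __name__ == "__main__":
    for lineno, name, replacement in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{lineno}: {name} is obsolete, use {replacement}")
```

Run it over every `.py` file in the tree (`ast.parse` on each file's text) and treat the output as the confirmation list for the DAST finding: each hit is a concrete function to replace, with its line number.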

Remediation

Core Principle: Never rely on deprecated or obsolete APIs for security-relevant behavior. Restrict the implementation to supported, maintained functions whose security properties are documented and current, and remove any compatibility layer or configuration flag that re-enables obsolete behavior.

→ For comprehensive remediation guidance, see Static CWE-477 Guidance
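The following is an added example of the core principle applied to one common case, written for this page rather than taken from it. Python's `ssl.SSLContext()` with no protocol argument is deprecated (since 3.10) and, more importantly, its defaults are `verify_mode=CERT_NONE` and `check_hostname=False`, so a client built on it accepts any certificate. The supported constructor `ssl.create_default_context()` enables both checks. The `check_context` function is the property check a reviewer would run on either context; the scenario and function names are assumptions for illustration.

```python
"""Replace a deprecated, insecure-by-default TLS context with the supported API.

Added example for this page; the 'before'/'after' pairing is constructed for
illustration. Only the ssl module's own, documented behavior is relied on.
"""
import ssl
import warnings


def legacy_client_context():
    """'Before': ssl.SSLContext() without a protocol (deprecated since Python 3.10).

    Defaults are verify_mode=CERT_NONE and check_hostname=False: the peer is
    not authenticated at all. Kept here only to demonstrate the check below.
    """
    with warnings.catch_warnings():
        # Silenced only so the 'before' case can be built; never do this in production.
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext()


def modern_client_context(cafile=None):
    """'After': the supported constructor, with verification and hostname checks on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions explicitly
    return ctx


def check_context(ctx):
    """Return a list of security-relevant problems with a client SSLContext (empty = acceptable)."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append(f"verify_mode is {ctx.verify_mode.name}: peer certificate is not validated")
    if not ctx.check_hostname:
        issues.append("check_hostname is False: certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append(f"minimum_version {ctx.minimum_version.name} allows legacy protocol versions")
    return issues


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()), ("modern", modern_client_context())):
        problems = check_context(ctx)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The point generalizes beyond TLS: a deprecated API is often deprecated precisely because its defaults are unsafe, so the replacement must be checked for the property you need (here, peer authentication and a protocol floor), not just for the absence of a deprecation warning.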

Verification and Follow-Up Testing

After applying the fix:

Verify Implementation Changes

  • Confirm deprecated or obsolete functions have been removed
  • Verify replacement APIs are supported and maintained

Validate Runtime Behavior

  • Exercise the affected code paths and confirm the updated implementation is the one that actually runs, not a cached build or a fallback path
  • Confirm no legacy behavior remains enabled through compatibility flags, configuration, or runtime warnings that were merely silenced

Re-run DAST Scanner

Re-run the dynamic scanner to confirm the original behavioral indicators are no longer present.
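The harness below is an added example (not part of the original guidance) of the runtime half of this verification for Python code: it runs a code path with `DeprecationWarning` promoted to an error, so any obsolete call that survived the fix fails the check instead of being silently logged. The `deprecated` decorator and the `legacy_digest`/`current_digest` pair are constructed stand-ins for a real obsolete function and its replacement; the harness itself works on any callable.

```python
"""Runtime verification: fail any code path that still triggers a DeprecationWarning.

Added example for this page. The `deprecated` decorator and the two digest
functions are constructed for illustration; the harness applies to any callable.
"""
import functools
import hashlib
import warnings


def deprecated(replacement):
    """Marks a function as obsolete: every call emits a DeprecationWarning (constructed helper)."""
    def wrap(fn):
        @functools.wraps(fn)
        def inner(*args, **kwargs):
            warnings.warn(f"{fn.__name__}() is deprecated, use {replacement}",
                          DeprecationWarning, stacklevel=2)
            return fn(*args, **kwargs)
        return inner
    return wrap


@deprecated("current_digest")
def legacy_digest(data: bytes) -> str:
    """'Before' case: a SHA-1 digest, retained only so the harness has something to catch."""
    return hashlib.sha1(data).hexdigest()


def current_digest(data: bytes) -> str:
    """'After' case: the supported replacement."""
    return hashlib.sha256(data).hexdigest()


def deprecations_triggered(fn, *args, **kwargs):
    """Run fn and return the DeprecationWarning messages it emitted (empty list means clean)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always", DeprecationWarning)  # override the default 'ignore' filter
        fn(*args, **kwargs)
    return [str(w.message) for w in caught if issubclass(w.category, DeprecationWarning)]


def assert_no_deprecations(fn, *args, **kwargs):
    """Strict variant for CI: any DeprecationWarning raised inside fn becomes an exception."""
    with warnings.catch_warnings():
        warnings.simplefilter("error", DeprecationWarning)
        return fn(*args, **kwargs)


if __name__ == "__main__":
    print("legacy :", deprecations_triggered(legacy_digest, b"payload"))
    print("current:", deprecations_triggered(current_digest, b"payload"))
```

The same effect across a whole test suite comes from running it with `python -W error::DeprecationWarning` or, for pytest, `-W error::DeprecationWarning` (or `filterwarnings = error::DeprecationWarning` in its configuration), so that a reintroduced obsolete call fails the build rather than the next DAST scan.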

Additional Resources