├── .gitignore
├── .travis.yml
├── BappDescription.html
├── BappManifest.bmf
├── DEPLOYMENT.md
├── LICENSE
├── README.md
├── libs
│   └── zap-2.4.3.jar
├── pom.xml
├── retirejs-burp-plugin
│   ├── pom.xml
│   └── src
│       ├── main
│       │   ├── java
│       │   │   └── burp
│       │   │       ├── BurpExtender.java
│       │   │       ├── BurpUpstreamDownloader.java
│       │   │       ├── HttpUtil.java
│       │   │       └── vuln
│       │   │           ├── MockHttpRequestResponse.java
│       │   │           ├── VulnerableLibraryIssue.java
│       │   │           └── VulnerableLibraryIssueBuilder.java
│       │   └── resources
│       │       └── burp
│       │           └── vuln
│       │               └── description.html
│       └── test
│           └── java
│               └── burp
│                   └── vuln
│                       └── TemplateTester.java
├── retirejs-core
│   ├── pom.xml
│   └── src
│       ├── main
│       │   ├── java
│       │   │   └── com
│       │   │       └── h3xstream
│       │   │           └── retirejs
│       │   │               ├── repo
│       │   │               │   ├── JsLibrary.java
│       │   │               │   ├── JsLibraryResult.java
│       │   │               │   ├── JsVulnerability.java
│       │   │               │   ├── ScannerFacade.java
│       │   │               │   ├── VulnerabilitiesRepository.java
│       │   │               │   ├── VulnerabilitiesRepositoryLoader.java
│       │   │               │   └── dl
│       │   │               │       ├── DefaultDownloader.java
│       │   │               │       └── Downloader.java
│       │   │               ├── util
│       │   │               │   ├── CompareVersionUtil.java
│       │   │               │   ├── HashUtil.java
│       │   │               │   └── RegexUtil.java
│       │   │               └── vuln
│       │   │                   ├── DescriptionModel.java
│       │   │                   └── TemplateBuilder.java
│       │   └── resources
│       │       └── retirejs_repository.json
│       └── test
│           ├── java
│           │   └── com
│           │       └── h3xstream
│           │           └── retirejs
│           │               ├── repo
│           │               │   ├── PrettyDisplay.java
│           │               │   ├── ScannerFacadeTest.java
│           │               │   ├── VulnerabilitiesRepositoryLoaderManualTest.java
│           │               │   ├── VulnerabilitiesRepositoryLoaderTest.java
│           │               │   ├── VulnerabilitiesRepositorySearchByContentTest.java
│           │               │   ├── VulnerabilitiesRepositorySearchByFilenameTest.java
│           │               │   ├── VulnerabilitiesRepositorySearchByHashTest.java
│           │               │   └── VulnerabilitiesRepositorySearchByUriTest.java
│           │               ├── util
│           │               │   ├── CompareVersionUtilTest.java
│           │               │   ├── RegexUtilReplaceVersionTest.java
│           │               │   └── RegexUtilTest.java
│           │               └── vuln
│           │                   └── TemplateBuilderTest.java
│           └── resources
│               ├── basic_template.txt
│               ├── js
│               │   ├── angular.safe.js
│               │   ├── dojo-1.4.1.js
│               │   ├── ember.js
│               │   ├── jquery-1.6.2.js
│               │   └── jquery-ui-1.6rc6-customized.js
│               └── retirejs_repository_test.json
├── retirejs-maven-plugin
│   ├── pom.xml
│   └── src
│       └── main
│           └── java
│               └── com
│                   └── h3xstream
│                       └── retirejs
│                           ├── MavenDownloader.java
│                           └── RetireJsScan.java
├── retirejs-zap-plugin
│   ├── pom.xml
│   └── src
│       └── main
│           ├── java
│           │   └── org
│           │       └── zaproxy
│           │           └── zap
│           │               └── extension
│           │                   └── retirejs
│           │                       ├── RetireJsScannerPlugin.java
│           │                       └── ZapIssueCreator.java
│           ├── resources-filtered
│           │   └── ZapAddOn.xml
│           └── resources
│               └── org
│                   └── zaproxy
│                       └── zap
│                           └── extension
│                               └── retirejs
│                                   ├── Messages.properties
│                                   ├── description.txt
│                                   └── other_info.txt
└── test-samples
    ├── angular.safe.js
    ├── external.html
    ├── http_server.py
    ├── jquery-1.6.2.js
    ├── jquery-ui-1.6rc6-customized.js
    └── v1.3.0
        └── ember.js
-------------------------------------------------------------------------------- /.gitignore: --------------------------------------------------------------------------------
#Eclipse
.classpath
.project
test-output
.settings

#IntelliJ
*.iml
*.ipr
*.iws
.idea/

#Gradle
.gradle

#Build directories
bin/
build/
target/
-------------------------------------------------------------------------------- /.travis.yml: --------------------------------------------------------------------------------
language: java
#install: mvn install:install-file -Dfile=libs/zap-2.4.3.jar -DgroupId=org.zaproxy -DartifactId=zaproxy -Dversion=2.4.3 -Dpackaging=jar
jdk:
  - openjdk8
  - openjdk9
  - openjdk10
  - openjdk11
-------------------------------------------------------------------------------- /BappDescription.html: --------------------------------------------------------------------------------

This extension integrates Burp with the Retire.js repository to find vulnerable JavaScript libraries.


It passively looks at JavaScript files loaded and identifies those which are vulnerable based on various signature types (URL, filename, file content or specific hash).
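In the Retire.js repository format those four signature types are per-library extractors (uri, filename and filecontent regexes carrying a §§version§§ placeholder, plus a table of file hashes) paired with version-bounded advisories. The Python sketch below is an added example, not code from this repository or from Retire.js: it runs every extractor kind over a constructed repository excerpt and reports which advisories cover the detected version. The version capture group, the repository entries, the hashes and the advisory URLs are this example's own assumptions.

```python
import hashlib
import re

# Retire.js signatures carry a version placeholder; it is swapped for a capture group
# before compiling. This group is this example's own choice (tighter than Retire.js's)
# so that "jquery-1.8.1.min.js" yields "1.8.1" instead of swallowing ".min".
VERSION_TOKEN = "§§version§§"
VERSION_GROUP = r"([0-9]+(?:\.[0-9]+)*(?:[a-z][0-9a-z]*)?)"

# Constructed repository excerpt in the shape of jsrepository.json: four extractor
# kinds plus version-bounded advisories. Versions, hashes and advisories are made up.
REPO = {
    "jquery": {
        "extractors": {
            "uri": [r"/jquery/§§version§§/jquery(\.min)?\.js"],
            "filename": [r"jquery-§§version§§(\.min)?\.js"],
            "filecontent": [r"/\*!? ?jQuery v§§version§§"],
            "hashes": {},  # sha1 -> version, filled below for a constructed custom build
        },
        "vulnerabilities": [
            {"atOrAbove": "1.6.0", "below": "1.9.0",
             "identifiers": {"summary": "constructed advisory A"},
             "info": ["https://example.test/advisory-a"]},
            {"below": "1.6.3",
             "identifiers": {"summary": "constructed advisory B"},
             "info": ["https://example.test/advisory-b"]},
        ],
    }
}

# A custom build with its banner stripped exposes no version string at all, so only
# the hash extractor can identify it; that is the case the hash table exists for.
CUSTOM_BUILD = b"(function(){/* constructed custom jquery build, banner stripped */})();"
REPO["jquery"]["extractors"]["hashes"][hashlib.sha1(CUSTOM_BUILD).hexdigest()] = "1.6.2"


def compile_signature(signature):
    """Turn a repository signature into a regex whose group 1 is the version."""
    return re.compile(signature.replace(VERSION_TOKEN, VERSION_GROUP))


def _version_key(version):
    # Numeric parts compare as integers so that 1.10.0 sorts after 1.9.0, which a
    # plain string comparison gets wrong. Alphabetic parts sort after numbers.
    key = []
    for part in re.findall(r"\d+|[a-z]+", version.lower()):
        key.append((0, int(part), "") if part.isdigit() else (1, 0, part))
    return tuple(key)


def version_lt(a, b):
    return _version_key(a) < _version_key(b)


def is_affected(version, vuln):
    """Retire.js range semantics: affected when atOrAbove <= version < below."""
    if "atOrAbove" in vuln and version_lt(version, vuln["atOrAbove"]):
        return False
    return version_lt(version, vuln["below"])


def identify(uri, filename, content):
    """Return (library, version, signature_type) for the first extractor that fires."""
    text = content.decode("utf-8", "replace")
    digest = hashlib.sha1(content).hexdigest()
    for library, entry in REPO.items():
        extractors = entry["extractors"]
        for kind, subject in (("uri", uri), ("filename", filename), ("filecontent", text)):
            for signature in extractors.get(kind, []):
                match = compile_signature(signature).search(subject)
                if match:
                    return library, match.group(1), kind
        if digest in extractors.get("hashes", {}):
            return library, extractors["hashes"][digest], "hash"
    return None


def scan(uri, filename, content):
    """Findings for one fetched script: one entry per advisory covering its version."""
    found = identify(uri, filename, content)
    if found is None:
        return []
    library, version, kind = found
    return [
        {"library": library, "version": version, "matched_by": kind,
         "summary": vuln["identifiers"]["summary"], "info": vuln["info"]}
        for vuln in REPO[library]["vulnerabilities"] if is_affected(version, vuln)
    ]


if __name__ == "__main__":
    # Constructed responses: one hit per signature kind, then a patched version.
    for uri, name, body in [
        ("https://cdn.example.test/jquery/1.8.1/jquery.min.js", "jquery.min.js", b"(function(){})();"),
        ("https://app.example.test/js/jquery-1.6.2.min.js", "jquery-1.6.2.min.js", b"(function(){})();"),
        ("https://app.example.test/js/app-bundle.js", "app-bundle.js",
         b"/*! jQuery v1.8.1 jquery.com | jquery.org/license */"),
        ("https://app.example.test/js/vendor.js", "vendor.js", CUSTOM_BUILD),
        ("https://app.example.test/js/jquery-3.5.1.min.js", "jquery-3.5.1.min.js", b""),
    ]:
        print(uri, "->", scan(uri, name, body) or "no known vulnerability")
```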

-------------------------------------------------------------------------------- /BappManifest.bmf: --------------------------------------------------------------------------------
Uuid: 36238b534a78494db9bf2d03f112265c
ExtensionType: 1
Name: Retire.js
RepoName: retire-js
ScreenVersion: 2.1.1
SerialVersion: 6
MinPlatformVersion: 0
ProOnly: True
Author: Philippe Arteau
ShortDescription: Integrates with the Retire.js repository to find vulnerable JavaScript libraries.
EntryPoint: retirejs-burp-plugin/target/burp-retire-js-2.jar
BuildCommand: mvn package -DskipTests=true -Dmaven.javadoc.skip=true -B -Pburp-only
-------------------------------------------------------------------------------- /DEPLOYMENT.md: --------------------------------------------------------------------------------
# Burp

Contact : [support@portswigger.net](mailto:support@portswigger.net)

```
Subject: RetireJs plugin updated

Hi,
The plugin RetireJs was updated.

[...]

The plugin can be recompiled from the source :
https://github.com/h3xstream/burp-retire-js

$ git clone ...
$ mvn clean install -Pburp-only

That's it let me know if you have question.
```

# Maven

Normal build
```
mvn clean install
```

Release
```
mvn versions:set -DnewVersion=3.0.1
mvn clean source:jar javadoc:jar package deploy -P!bigjar,signjars,all-modules
```

- https://oss.sonatype.org/
- http://central.sonatype.org/pages/ossrh-guide.html
-------------------------------------------------------------------------------- /LICENSE: --------------------------------------------------------------------------------
1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions.
8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. 
For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License.
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# Retire.js (Burp plugin) [![Build Status](https://travis-ci.org/h3xstream/burp-retire-js.svg)](https://travis-ci.org/h3xstream/burp-retire-js)

[Burp](http://portswigger.net/burp/) / [ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) extension that integrates the [Retire.js](https://github.com/bekk/retire.js) repository to find vulnerable JavaScript libraries. It passively looks at the JavaScript files loaded and identifies those that are vulnerable based on various signature types (URL, filename, file content or specific hash).

## License

This software is released under [Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0).

## Downloads

Last updated : December 10th, 2019

Burp Suite plugin : [Download](https://raw.githubusercontent.com/h3xstream/burp-retire-js/gh-pages/releases/burp/burp-retire-js-3.0.2.jar) (also available on the [BApp Store](https://pro.portswigger.net/bappstore/ShowBappDetails.aspx?uuid=36238b534a78494db9bf2d03f112265c))

ZAP plugin : [Download](https://raw.githubusercontent.com/h3xstream/burp-retire-js/gh-pages/releases/zap/retirejs-alpha-3.0.2.zap)


--------------------------

## Burp plugin

![Retire.js Burp plugin](https://raw.githubusercontent.com/h3xstream/burp-retire-js/gh-pages/screenshots/screenshot_burp_plugin.png)

![Retire.js Burp plugin](https://raw.githubusercontent.com/h3xstream/burp-retire-js/gh-pages/screenshots/screenshot_burp_plugin_animate.gif)


## ZAP plugin

![Retire.js ZAP plugin](https://raw.githubusercontent.com/h3xstream/burp-retire-js/gh-pages/screenshots/screenshot_zap_plugin.png)

## Maven plugin [![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.h3xstream.retirejs/retirejs-maven-plugin/badge.svg)](http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22com.h3xstream.retirejs%22%20a%3A%22retirejs-maven-plugin%22)

Run the Maven plugin with the goal `scan`:

    $ cd myproject
    $ mvn com.h3xstream.retirejs:retirejs-maven-plugin:scan
    [...]
    [INFO] --- retirejs-maven-plugin:1.0.0-SNAPSHOT:scan (default-cli) @ myproject ---
    [WARNING] jquery.js contains a vulnerable JavaScript library.
    [INFO] Path: C:\Code\myproject\src\main\webapp\js\jquery.js
    [INFO] jquery version 1.8.1 is vulnerable.
    [INFO] + http://bugs.jquery.com/ticket/11290
    [INFO] + http://research.insecurelabs.org/jquery/test/
    [...]

The additional parameter `-DretireJsBreakOnFailure` can be used to break the build when at least one vulnerability is found.

    [INFO] ------------------------------------------------------------------------
    [INFO] BUILD FAILURE
    [INFO] ------------------------------------------------------------------------
    [INFO] Total time: 1.450 s
    [INFO] Finished at: 2015-02-19T13:37:00-05:00
    [INFO] Final Memory: 11M/245M
    [INFO] ------------------------------------------------------------------------
    [ERROR] Failed to execute goal com.h3xstream.retirejs:retirejs-maven-plugin:1.0.0:scan (default-cli) on project
    my-web-app: 6 known vulnerabilities were identified in the JavaScript librairies. -> [Help 1]
    [ERROR]

### Run the Maven plugin as part of your build

Use the following configuration to run the Maven plugin as part of your build. Only one `` may be specified at a time.
To scan / iterate earlier in your build cycle, you can bind the plugin to the `validate` phase.

```xml
com.h3xstream.retirejs
retirejs-maven-plugin
3.0.1
https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json
scanProjectJavascript
scan
install
```
-------------------------------------------------------------------------------- /libs/zap-2.4.3.jar: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/h3xstream/burp-retire-js/bd06f7d9f6802b02c693947f67814eb711ac3378/libs/zap-2.4.3.jar
-------------------------------------------------------------------------------- /pom.xml: --------------------------------------------------------------------------------
1 | 4 | 5 | 4.0.0 6 | 7 | com.h3xstream.retirejs 8 | retirejs-root-pom 9 | 3.0.3 10 | 11 | pom 12 | 13 | Retire.JS proxy scanner (root pom.xml) 14 | The root pom file aggregate the dependencies use by the Retire.js extensions.
15 | 16 | 17 | 18 | all-modules 19 | 20 | true 21 | 22 | 23 | retirejs-core 24 | retirejs-burp-plugin 25 | retirejs-zap-plugin 26 | retirejs-maven-plugin 27 | 28 | 29 | 30 | 31 | burp-only 32 | 33 | false 34 | 35 | 36 | retirejs-core 37 | retirejs-burp-plugin 38 | 39 | 40 | 41 | 42 | signjars 43 | 44 | false 45 | 46 | 47 | 48 | 49 | org.apache.maven.plugins 50 | maven-gpg-plugin 51 | 1.6 52 | 53 | 54 | sign-artifacts 55 | verify 56 | 57 | sign 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | UTF-8 70 | UTF-8 71 | false 72 | none 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | maven-assembly-plugin 81 | 3.1.0 82 | 83 | 84 | 85 | maven-dependency-plugin 86 | 3.1.1 87 | 88 | 89 | 90 | maven-release-plugin 91 | 2.5.3 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | maven-clean-plugin 101 | 3.1.0 102 | 103 | 104 | 105 | 106 | maven-compiler-plugin 107 | 3.7.0 108 | 109 | 1.7 110 | 1.7 111 | 112 | 113 | 114 | 115 | maven-deploy-plugin 116 | 2.8.2 117 | 118 | 119 | 120 | maven-install-plugin 121 | 2.5.2 122 | 123 | 124 | 125 | maven-site-plugin 126 | 3.7.1 127 | 128 | 129 | 130 | org.apache.maven.plugins 131 | maven-javadoc-plugin 132 | 3.0.1 133 | 134 | -Xdoclint:none 135 | 136 | 137 | foo 138 | bar 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | net.portswigger.burp.extender 153 | burp-extender-api 154 | 2.1 155 | provided 156 | 157 | 158 | 159 | 160 | 161 | com.h3xstream.retirejs 162 | retirejs-core 163 | ${project.version} 164 | 165 | 166 | 167 | 168 | 169 | com.esotericsoftware 170 | minlog 171 | 1.3.1 172 | 173 | 174 | 175 | 176 | com.github.spullara.mustache.java 177 | compiler 178 | 0.9.6 179 | 180 | 181 | 182 | 183 | 184 | com.vaadin.external.google 185 | android-json 186 | 0.0.20131108.vaadin1 187 | 188 | 189 | 190 | 191 | 192 | org.zaproxy 193 | zap 194 | 196 | 2.8.0 197 | provided 198 | 199 | 200 | 201 | net.htmlparser.jericho 202 | jericho-html 203 | 3.4 204 | provided 205 | 206 | 207 | 208 | commons-httpclient 209 | 
commons-httpclient 210 | 3.1 211 | provided 212 | 213 | 214 | 215 | commons-configuration 216 | commons-configuration 217 | 1.10 218 | provided 219 | 220 | 221 | 222 | 223 | 224 | org.apache.logging.log4j 225 | log4j-core 226 | 2.17.1 227 | provided 228 | 229 | 230 | 231 | 232 | 233 | org.testng 234 | testng 235 | 7.5.1 236 | test 237 | 238 | 239 | 240 | commons-io 241 | commons-io 242 | 2.7 243 | 244 | 245 | 246 | org.mockito 247 | mockito-all 248 | 1.10.19 249 | test 250 | 251 | 252 | 253 | 255 | 256 | org.apache.maven 257 | maven-plugin-api 258 | 2.2.1 259 | 260 | 261 | 262 | org.apache.maven 263 | maven-core 264 | 2.2.1 265 | 266 | 267 | 268 | 269 | 270 | 271 | ${basedir}/target/site 272 | 273 | 274 | org.codehaus.mojo 275 | versions-maven-plugin 276 | 2.5 277 | 278 | 279 | 280 | dependency-updates-report 281 | plugin-updates-report 282 | property-updates-report 283 | 284 | 285 | 286 | 287 | 288 | 289 | org.apache.maven.plugins 290 | maven-project-info-reports-plugin 291 | 2.9 292 | 293 | 294 | 295 | org.owasp 296 | dependency-check-maven 297 | 3.3.4 298 | 299 | 300 | 301 | aggregate 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | 313 | 314 | https://github.com/h3xstream/burp-retire-js 315 | 316 | 317 | 318 | The Apache Software License, Version 2.0 319 | http://www.apache.org/licenses/LICENSE-2.0.txt 320 | repo 321 | 322 | 323 | 324 | 325 | 326 | scm:git:https://github.com/h3xstream/burp-retire-js.git 327 | scm:git:git@github.com:h3xstream/burp-retire-js.git 328 | git@github.com:h3xstream/burp-retire-js.git 329 | 330 | 331 | 332 | 333 | h3xstream 334 | Philippe Arteau 335 | https://github.com/h3xstream 336 | 337 | 338 | 339 | 340 | 341 | sonatype-nexus-staging 342 | Sonatype staging repository 343 | https://oss.sonatype.org/service/local/staging/deploy/maven2/ 344 | 345 | 346 | 347 | sonatype-nexus-snapshots 348 | Sonatype snapshot repository 349 | https://oss.sonatype.org/content/repositories/snapshots/ 350 | 351 | 352 | 353 | 
-------------------------------------------------------------------------------- /retirejs-burp-plugin/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | com.h3xstream.retirejs 8 | retirejs-root-pom 9 | 3.0.3 10 | 11 | 12 | 4.0.0 13 | 14 | com.h3xstream.retirejs 15 | retirejs-burp-plugin 16 | 17 | RetireJS (Burp plugin) 18 | 19 | 20 | 21 | bigjar 22 | 23 | true 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | maven-assembly-plugin 32 | 33 | 34 | jar-with-dependencies 35 | package 36 | 37 | single 38 | 39 | 40 | 41 | jar-with-dependencies 42 | 43 | burp-retire-js-3 44 | false 45 | 46 | false 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | net.portswigger.burp.extender 61 | burp-extender-api 62 | provided 63 | 64 | 65 | 66 | com.h3xstream.retirejs 67 | retirejs-core 68 | 69 | 70 | 71 | 72 | org.testng 73 | testng 74 | test 75 | 76 | 77 | 78 | 79 | -------------------------------------------------------------------------------- /retirejs-burp-plugin/src/main/java/burp/BurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | import burp.vuln.VulnerableLibraryIssue; 4 | import burp.vuln.VulnerableLibraryIssueBuilder; 5 | import com.esotericsoftware.minlog.Log; 6 | import com.h3xstream.retirejs.repo.JsLibraryResult; 7 | import com.h3xstream.retirejs.repo.ScannerFacade; 8 | import com.h3xstream.retirejs.repo.VulnerabilitiesRepositoryLoader; 9 | 10 | import java.io.IOException; 11 | import java.io.PrintWriter; 12 | import java.util.ArrayList; 13 | import java.util.List; 14 | import org.json.JSONException; 15 | 16 | public class BurpExtender implements IBurpExtender, IScannerCheck { 17 | 18 | 19 | private IBurpExtenderCallbacks callbacks; 20 | private IExtensionHelpers helpers; 21 | private static BurpExtender extender; 22 | 23 | 24 | public static BurpExtender getInstance() { 25 | return extender; 26 | } 27 | 28 | public 
IExtensionHelpers getHelpers() { 29 | return this.callbacks.getHelpers(); 30 | } 31 | 32 | @Override 33 | public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) { 34 | 35 | this.callbacks = callbacks; 36 | BurpExtender.extender = this; 37 | this.helpers = callbacks.getHelpers(); 38 | this.callbacks.setExtensionName("Retire.js"); 39 | 40 | PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true); 41 | stdout.println("== Retire.js plugin =="); 42 | stdout.println("Passive scan rules to detect vulnerable Javascript libraries"); 43 | stdout.println(" - Github : https://github.com/h3xstream/burp-retire-js"); 44 | stdout.println(""); 45 | stdout.println("== License =="); 46 | stdout.println("Retire.js repository is release under Apache License v2."); 47 | stdout.println("Retire.js Burp plugin is release under LGPL."); 48 | stdout.println(""); 49 | 50 | Log.setLogger(new Log.Logger(){ 51 | @Override 52 | protected void print (String message) { 53 | try { 54 | if(message.contains("ERROR:")) { //Not the most elegant way, but should be effective. 
55 | callbacks.issueAlert(message); 56 | } 57 | callbacks.getStdout().write(message.getBytes()); 58 | callbacks.getStdout().write('\n'); 59 | } catch (IOException e) { 60 | System.err.println("Error while printing the log : "+e.getMessage()); //Very unlikely 61 | } 62 | } 63 | }); 64 | Log.INFO(); 65 | 66 | try { 67 | ScannerFacade.loadInstance(new VulnerabilitiesRepositoryLoader().load(VulnerabilitiesRepositoryLoader.REPO_URL,new BurpUpstreamDownloader(this.callbacks))); 68 | } catch (IOException | JSONException e) { 69 | Log.error("ERROR: Problem occurs while preloading the RetireJS vulnerabilities",e); 70 | } 71 | 72 | callbacks.registerScannerCheck(this); 73 | 74 | //Not fully implemented (the passive scan rule is sufficient) 75 | //callbacks.registerMessageEditorTabFactory(this); 76 | 77 | stdout.println("Retire.js plugin loaded"); 78 | } 79 | 80 | 81 | @Override 82 | public List doPassiveScan(IHttpRequestResponse requestResponse) { 83 | List issues = new ArrayList(); 84 | 85 | byte[] respBytes = requestResponse.getResponse(); 86 | 87 | IResponseInfo responseInfo = helpers.analyzeResponse(respBytes); 88 | IRequestInfo requestInfo = helpers.analyzeRequest(requestResponse.getHttpService(), requestResponse.getRequest()); 89 | 90 | String path = HttpUtil.getPathRequested(requestInfo); 91 | String contentType = HttpUtil.getContentType(responseInfo); 92 | 93 | try { 94 | //Avoid NPE 95 | boolean jsContentType = contentType != null ? contentType.indexOf("javascript") != -1 : false; 96 | 97 | int bodyOffset = responseInfo.getBodyOffset(); 98 | if (jsContentType || path.endsWith(".js")) { 99 | 100 | //The big analysis is spawn here.. 
101 | Log.debug("Analyzing "+path+" (body="+(respBytes.length-bodyOffset)+" bytes)"); 102 | issues = scanJavaScript(respBytes, bodyOffset, path, requestResponse, requestInfo); 103 | } 104 | else if (contentType.indexOf("html") != -1 105 | || path.endsWith(".htm") //Some additional condition just in case the content-type is bogus 106 | || path.endsWith(".html") 107 | || path.endsWith(".aspx") 108 | || path.endsWith(".asp") 109 | || path.endsWith(".php") 110 | || path.endsWith(".jsp")) { 111 | 112 | issues = scanHtmlPage(respBytes, bodyOffset, path, requestResponse, requestInfo); 113 | } 114 | } catch (Exception e) { 115 | Log.error("Exception while scanning the script '"+path+"' (" + e.getClass().getName() + ": "+ e.getMessage()+")"); 116 | } 117 | return issues; 118 | } 119 | 120 | @Override 121 | public List doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 122 | return new ArrayList(); 123 | } 124 | 125 | @Override 126 | public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) { 127 | boolean bothRetireJsIssue = existingIssue instanceof VulnerableLibraryIssue && newIssue instanceof VulnerableLibraryIssue; 128 | 129 | if(bothRetireJsIssue) { 130 | VulnerableLibraryIssue issue1 = (VulnerableLibraryIssue) existingIssue; 131 | VulnerableLibraryIssue issue2 = (VulnerableLibraryIssue) newIssue; 132 | return issue1.equals(issue2) ? -1: 0; 133 | } 134 | 135 | return -1; //Unknown 136 | } 137 | 138 | private List scanJavaScript(byte[] respBytes, int offset, String scriptName, IHttpRequestResponse resp, IRequestInfo requestInfo) throws IOException, JSONException { 139 | 140 | List res = ScannerFacade.getInstance().scanScript(scriptName, respBytes, offset); 141 | 142 | Log.debug(String.format("%d vulnerability(ies) for the script '%s'.",res.size(),scriptName)); 143 | 144 | if(res.size() > 0) { //Transform the list of vulnerability Issue that can be display in Burp Scanner result. 
            return VulnerableLibraryIssueBuilder.convert(res, resp.getHttpService(), resp, requestInfo);
        }

        return new ArrayList<IScanIssue>(); //Nothing was found
    }

    private List<IScanIssue> scanHtmlPage(byte[] respBytes, int offset, String scriptName, IHttpRequestResponse resp, IRequestInfo requestInfo) throws IOException, JSONException {

        List<JsLibraryResult> res = ScannerFacade.getInstance().scanHtml(respBytes, offset);

        Log.debug(String.format("%d vulnerability(ies) for the HTML page '%s'.", res.size(), scriptName));

        if (res.size() > 0) { //Transform the list of vulnerabilities into issues that can be displayed in the Burp Scanner results.
            return VulnerableLibraryIssueBuilder.convert(res, resp.getHttpService(), resp, requestInfo);
        }

        return new ArrayList<IScanIssue>(); //Nothing was found
    }

}
-------------------------------------------------------------------------------- /retirejs-burp-plugin/src/main/java/burp/BurpUpstreamDownloader.java: --------------------------------------------------------------------------------
package burp;

import com.h3xstream.retirejs.repo.dl.Downloader;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URL;

public class BurpUpstreamDownloader implements Downloader {

    private final IBurpExtenderCallbacks callbacks;

    public BurpUpstreamDownloader(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
    }

    /**
     * This implementation uses the upstream proxy configured in Burp, through callbacks.makeHttpRequest()
     * (Ref: http://blog.portswigger.net/2018/01/your-recipe-for-bapp-store-success.html)
     *
     * @param url  URL of the repository file to fetch
     * @param file Destination file (the local cache)
     * @throws Exception The request failed or returned something other than 200
     */
    @Override
    public void downloadUrlToFile(String url, File file) throws Exception {
        URL urlQuery = new URL(url);

        IExtensionHelpers helpers = callbacks.getHelpers();

        byte[] request = helpers.buildHttpRequest(urlQuery);
        int port = urlQuery.getPort() != -1 ? urlQuery.getPort() : (urlQuery.getProtocol().equals("https") ? 443 : 80);
        IHttpService service = helpers.buildHttpService(urlQuery.getHost(), port, urlQuery.getProtocol());
        IHttpRequestResponse resp = callbacks.makeHttpRequest(service, request);

        if (resp.getResponse() == null) { //Burp returns a null response when the connection failed
            throw new IOException("No response received from " + url);
        }

        IResponseInfo respInfo = helpers.analyzeResponse(resp.getResponse());
        if (respInfo.getStatusCode() != 200) { //Do not cache an error page as if it were the repository
            throw new IOException("Unexpected HTTP status " + respInfo.getStatusCode() + " while downloading " + url);
        }
        String content = new String(resp.getResponse(), respInfo.getBodyOffset(), resp.getResponse().length - respInfo.getBodyOffset());

        try (PrintWriter writer = new PrintWriter(new FileOutputStream(file))) {
            writer.print(content);
            writer.flush();
        }

    }
}
-------------------------------------------------------------------------------- /retirejs-burp-plugin/src/main/java/burp/HttpUtil.java: --------------------------------------------------------------------------------
package burp;


public class HttpUtil {

    /**
     * Extract the value of the Content-Type header.
     *
     * @param responseInfo Parsed response
     * @return The header value, or an empty string when the header is absent
     */
    public static String getContentType(IResponseInfo responseInfo) {
        for (String header : responseInfo.getHeaders()) {
            if (header.toLowerCase().startsWith("content-type: ")) {
                return header.substring(14);
            }
        }
        return "";
    }


    /**
     * Extract the path from the first header.
     *
     * Input expected :
     * - GET /index.html HTTP/1.1
     * - POST /index.html HTTP/1.1
     *
     * @param request Parsed request
     * @return The path as it appears in the request line (query string included)
     */
    public static String getPathRequested(IRequestInfo request) {
        String h = request.getHeaders().get(0);
        return h.substring(h.indexOf(" ") + 1, h.lastIndexOf(" "));
    }

    public static String getFileRequested(IRequestInfo request) {
        String path = getPathRequested(request);
        int lastSlash = path.lastIndexOf('/');
        return lastSlash < 0 ? path : path.substring(lastSlash + 1);
    }
}
-------------------------------------------------------------------------------- /retirejs-burp-plugin/src/main/java/burp/vuln/MockHttpRequestResponse.java: --------------------------------------------------------------------------------
package burp.vuln;

import burp.BurpExtender;
import burp.IHttpRequestResponse;
import burp.IHttpRequestResponseWithMarkers;
import burp.IHttpService;

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MockHttpRequestResponse implements IHttpRequestResponseWithMarkers {

    IHttpRequestResponse actual;
    List<int[]> requestMarkers = new ArrayList<int[]>();
    List<int[]> responseMarkers = new ArrayList<int[]>();

    MockHttpRequestResponse(IHttpRequestResponse actual, String regexRequest, String regexResponse) {

        if (regexRequest != null) {
            byte[] requestBytes = actual.getRequest();
            addMarkers(requestBytes, requestMarkers, regexRequest);
        }

        if (regexResponse != null) {
            byte[] responseBytes = actual.getResponse();
            addMarkers(responseBytes, responseMarkers, regexResponse);
        }

        this.actual = actual;
    }

    private void addMarkers(byte[] content, List<int[]> markers, String... regexValues) {
        if (regexValues != null) {
            for (String value : regexValues) {
                if (value == null) continue;
                int[] position = indexFromRegex(value, content);
                if (position != null) {
                    markers.add(position);
                }
            }
        }
    }

    @Override
    public byte[] getRequest() {
        return actual.getRequest();
    }

    @Override
    public void setRequest(byte[] message) {
        actual.setRequest(message);
    }

    @Override
    public byte[] getResponse() {
        return actual.getResponse();
    }

    @Override
    public void setResponse(byte[] message) {
        actual.setResponse(message);
    }

    @Override
    public String getComment() {
        return actual.getComment();
    }

    @Override
    public void setComment(String comment) {
        actual.setComment(comment);
    }

    @Override
    public String getHighlight() {
        return "http";
    }

    @Override
    public void setHighlight(String color) {
        actual.setHighlight(color);
    }

    @Override
    public IHttpService getHttpService() {
        return actual.getHttpService();
    }

    @Override
    public void setHttpService(IHttpService httpService) {
        actual.setHttpService(httpService);
    }

    @Override
    public List<int[]> getRequestMarkers() {
        return requestMarkers;
    }

    @Override
    public List<int[]> getResponseMarkers() {
        return responseMarkers;
    }


    /**
     * Locate the first match of the regex in the message, as a [start, end] pair usable as a Burp marker.
     */
    public int[] indexFromRegex(String regex, byte[] content) {
        //NOTE : Regexes are not intended to work on byte arrays, so the content is converted to a String first.
        //This works on most JavaScript files except those with Unicode content.
        Pattern pattern = Pattern.compile(regex);
        Matcher m = pattern.matcher(BurpExtender.getInstance().getHelpers().bytesToString(content));

        if (m.find()) {
            return new int[] {m.start(), m.end()};
        }
        return null;
    }
}
-------------------------------------------------------------------------------- /retirejs-burp-plugin/src/main/java/burp/vuln/VulnerableLibraryIssue.java: --------------------------------------------------------------------------------
package burp.vuln;

import burp.IHttpRequestResponse;
import burp.IHttpService;
import burp.IScanIssue;
import com.esotericsoftware.minlog.Log;

import java.net.URL;

public class VulnerableLibraryIssue implements IScanIssue {

    private IHttpService httpService;
    private URL url;
    private IHttpRequestResponse httpMessage;
    private String name;
    private String detail;
    private String severity;
    private String confidence;

    private String libName;
    private String path;

    public VulnerableLibraryIssue(IHttpService httpService, URL url, IHttpRequestResponse httpMessage, String name, //
                                  String detail, String severity, String confidence, String libName, String path) {
        this.url = url;
        this.name = name;
        this.detail = detail;
        this.severity = severity;
        this.httpService = httpService;
        this.httpMessage = httpMessage;
        this.confidence = confidence;

        this.libName = libName;
        this.path = path;
    }

    @Override
    public URL getUrl() {
        return url;
    }

    @Override
    public String getIssueName() {
        return name;
    }

    @Override
    public int getIssueType() {
        return 0;
    }

    @Override
    public String getSeverity() {
        return severity;
    }

    @Override
    public String getConfidence() {
        return confidence;
    }

    @Override
    public String getIssueBackground() {
        return null;
    }

    @Override
    public String getRemediationBackground() {
        return null;
    }

    @Override
    public String getIssueDetail() {
        return detail;
    }

    @Override
    public String getRemediationDetail() {
        return null;
    }

    @Override
    public IHttpRequestResponse[] getHttpMessages() {
        return new IHttpRequestResponse[] {httpMessage};
    }

    @Override
    public IHttpService getHttpService() {
        return httpService;
    }

    @Override
    public boolean equals(Object obj) {
        if (obj instanceof VulnerableLibraryIssue) {
            VulnerableLibraryIssue issue = (VulnerableLibraryIssue) obj;
            //Log.debug("libName: "+issue.libName + " == " + this.libName+" ? " + issue.libName.equals(this.libName));
            //Log.debug("path : "+issue.path + " == " + this.path+" ? " + issue.path.equals(this.path));
            //Two issues are duplicates when they concern the same library on the same path
            return issue.libName.equals(this.libName) && issue.path.equals(this.path);
        }
        return false;
    }
}
-------------------------------------------------------------------------------- /retirejs-burp-plugin/src/main/java/burp/vuln/VulnerableLibraryIssueBuilder.java: --------------------------------------------------------------------------------
package burp.vuln;

import burp.*;
import com.esotericsoftware.minlog.Log;
import com.h3xstream.retirejs.repo.JsLibraryResult;
import com.h3xstream.retirejs.vuln.TemplateBuilder;

import java.util.ArrayList;
import java.util.List;

public class VulnerableLibraryIssueBuilder {

    private static final String TITLE = "Vulnerable version of the library '%s' found";
    private static final String TEMPLATE_DESC = "/burp/vuln/description.html";

    public static List<IScanIssue> convert(List<JsLibraryResult> librariesFound, IHttpService httpService, IHttpRequestResponse reqResp, IRequestInfo requestInfo) {
        List<IScanIssue> issues = new ArrayList<IScanIssue>();
        for (JsLibraryResult lib : librariesFound) {


            //Title summary
            String path = HttpUtil.getPathRequested(requestInfo);

            String libraryName = lib.getLibrary().getName();
            String title = String.format(TITLE, libraryName);

            //HTML description rendered from the Mustache template
            String description = TemplateBuilder.buildDescription(TEMPLATE_DESC, libraryName, lib.getDetectedVersion(), //Library detected
                    lib.getVuln().getInfo(), //List of the URLs
                    lib.getVuln().getAtOrAbove(), lib.getVuln().getBelow()); //Indicator of the affected versions

            issues.add(new VulnerableLibraryIssue(httpService,
                    requestInfo.getUrl(), //URL to map the issue to a request (source of the issue)
                    new MockHttpRequestResponse(reqResp, lib.getRegexRequest(),
                            lib.getRegexResponse() == null ? lib.getRegexRequest() : lib.getRegexResponse()),
                    title, //Title of the issue
                    description, //HTML description
                    mapToBurpSeverity(lib.getVuln().getSeverity()), //Severity .. Could be high, but the risk can never be confirmed automatically..
                    "Tentative", //The library is old for sure .. whether the app is vulnerable, not so sure..

                    libraryName, //The two last fields are used to differentiate the vulnerabilities.
                    path
            ));
        }

        Log.debug(issues.size() + " issues raised for the script " + HttpUtil.getPathRequested(requestInfo));
        return issues;
    }

    private static String mapToBurpSeverity(String severity) {
        if (severity == null) {
            return "Medium"; //Severity missing from the repository entry: default to Medium
        }
        if (severity.equals("info")) {
            return "Information";
        }
        else if (severity.equals("high") || severity.equals("medium") || severity.equals("low")) {
            //First character to upper case for "High", "Medium", "Low"
            //See : burp.IScanIssue.getSeverity()
            return Character.toUpperCase(severity.charAt(0)) + severity.substring(1);
        }
        return "Medium"; //In case the value is invalid, the default will be Medium
    }


}
-------------------------------------------------------------------------------- /retirejs-burp-plugin/src/main/resources/burp/vuln/description.html: --------------------------------------------------------------------------------

<p>
The library {{detectedLibrary}} version {{detectedVersion}} has known security issues.
For more information, visit those websites:
</p>
<ul>
{{#links}}
<li>{{.}}</li>
{{/links}}
</ul>

<b>Affected versions</b>
<p>
The vulnerability affects all versions prior to {{belowVersion}} (between {{aboveVersion}} and {{belowVersion}}).
</p>

<b>Other considerations</b>
<p>
The vulnerability might affect a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered a false positive.
</p>
<p>
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.
</p>
-------------------------------------------------------------------------------- /retirejs-burp-plugin/src/test/java/burp/vuln/TemplateTester.java: --------------------------------------------------------------------------------
package burp.vuln;

import com.github.mustachejava.DefaultMustacheFactory;
import com.github.mustachejava.Mustache;
import com.github.mustachejava.MustacheFactory;
import com.h3xstream.retirejs.vuln.DescriptionModel;
import com.h3xstream.retirejs.vuln.TemplateBuilder;
import org.testng.annotations.Test;

import java.io.*;
import java.util.Arrays;
import java.util.List;

import static org.testng.Assert.assertTrue;

public class TemplateTester {

    @Test
    public void testTemplateFile() throws IOException {
        List<String> urls = Arrays.asList("http://blog.h3xstream.com", "https://csrf.me/");
        String result = TemplateBuilder.buildDescription("/burp/vuln/description.html", "yolo.js", "1.3.3.7", urls, "1.0.0.0", "1.3.3.8");
        System.out.println(result);

        assertTrue(result.contains("yolo.js"), "Missing library name");
        assertTrue(result.contains("1.3.3.7"), "Missing library version");

    }
}
-------------------------------------------------------------------------------- /retirejs-core/pom.xml: --------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <parent>
        <groupId>com.h3xstream.retirejs</groupId>
        <artifactId>retirejs-root-pom</artifactId>
        <version>3.0.3</version>
    </parent>

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.h3xstream.retirejs</groupId>
    <artifactId>retirejs-core</artifactId>

    <dependencies>

        <dependency>
            <groupId>com.vaadin.external.google</groupId>
            <artifactId>android-json</artifactId>
        </dependency>

        <dependency>
            <groupId>com.esotericsoftware</groupId>
            <artifactId>minlog</artifactId>
        </dependency>

        <dependency>
            <groupId>com.github.spullara.mustache.java</groupId>
            <artifactId>compiler</artifactId>
        </dependency>

        <dependency>
            <groupId>org.testng</groupId>
            <artifactId>testng</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-all</artifactId>
            <scope>test</scope>
        </dependency>

    </dependencies>

</project>
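An added example, not part of the project, that drives the detection cascade of ScannerFacade.scanScript (retirejs-core, below) end to end: a URI match, a renamed bundle that falls through to the content banner, an exact patched version that matches the signature but not the vulnerable range, and a raw HTTP response where the body offset matters. It builds a single-library repository by hand through the public JsLibrary and JsVulnerability API and the test-only constructor ScannerFacade(VulnerabilitiesRepository); the library definition, advisory URL and script bodies are constructed, and it assumes RegexUtil.simpleMatch returns the first capturing group of a find() match and that CompareVersionUtil treats the 'below' bound as exclusive.

```java
package com.h3xstream.retirejs.repo;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not project code): drives ScannerFacade.scanScript through its
 * cascade (URI -> filename -> hash -> content) with a constructed repository.
 * Assumes RegexUtil.simpleMatch returns group 1 of a find() match and that
 * CompareVersionUtil.isUnder treats the 'below' bound as exclusive.
 */
public class CascadeExample {

    /** Constructed single-library repository: group 1 of every regex captures the version. */
    static VulnerabilitiesRepository buildRepository() {
        JsLibrary jquery = new JsLibrary();
        jquery.setName("jquery");
        jquery.setUris(Arrays.asList("/jquery-([0-9][0-9.a-z_\\-]+)\\.js"));
        jquery.setFilename(Arrays.asList("jquery-([0-9][0-9.a-z_\\-]+)\\.js"));
        jquery.setFileContents(Arrays.asList("/\\*!? jQuery v([0-9][0-9.a-z_\\-]+)"));
        jquery.setHashes(Collections.<String, String>emptyMap()); //no known hashes: step 3 never matches
        //Constructed advisory: 1.0.0 <= version < 1.6.3 (placeholder URL, no identifiers)
        jquery.getVulnerabilities().add(new JsVulnerability("1.0.0", "1.6.3",
                Arrays.asList("https://example.invalid/jquery-advisory"),
                Collections.<String, List<String>>emptyMap(), "medium"));

        VulnerabilitiesRepository repo = new VulnerabilitiesRepository();
        repo.addLibrary(jquery);
        return repo;
    }

    /** Summarises a result and which cascade step produced it, from the regex fields JsLibraryResult keeps. */
    static String describe(List<JsLibraryResult> results) {
        if (results.isEmpty()) {
            return "no vulnerable library";
        }
        JsLibraryResult r = results.get(0);
        //findVersionVulnerable stores the URI/filename regex as regexRequest, the content regex as
        //regexResponse, and neither for a hash match
        String step = r.getRegexRequest() != null ? "URI or filename"
                : r.getRegexResponse() != null ? "file content" : "hash";
        return r.getLibrary().getName() + " " + r.getDetectedVersion()
                + " (vulnerable below " + r.getVuln().getBelow() + ", matched on " + step + ")";
    }

    public static void main(String[] args) throws Exception {
        ScannerFacade scanner = new ScannerFacade(buildRepository());

        //1. The path alone carries the version; this is what scanHtml does for every <script src>.
        System.out.println(describe(scanner.scanPath("/static/jquery-1.6.2.js")));

        //2. A renamed bundle: URI and filename tell nothing and the hash map is empty,
        //   so the cascade reaches step 4 and reads the version from the banner comment.
        byte[] bundle = "/*! jQuery v1.6.2 */\n(function(){})();".getBytes("UTF-8");
        System.out.println(describe(scanner.scanScript("/static/app-bundle.js", bundle, 0)));

        //3. Patched release: the URI regex still identifies jquery, but 1.6.3 is not below 1.6.3,
        //   so findVersionVulnerable adds nothing and every later step comes up empty as well.
        System.out.println(describe(scanner.scanPath("/static/jquery-1.6.3.js")));

        //4. A raw HTTP response (constructed): the offset must point past the headers, as the
        //   Burp and ZAP plugins do with the parsed body offset; an offset of 0 would hash
        //   and search the headers together with the body.
        byte[] response = ("HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
                + "/*! jQuery v1.4.0 */\n").getBytes("UTF-8");
        int bodyOffset = new String(response, "UTF-8").indexOf("\r\n\r\n") + 4;
        System.out.println(describe(scanner.scanScript("/static/vendor.js", response, bodyOffset)));
    }
}
```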
-------------------------------------------------------------------------------- /retirejs-core/src/main/java/com/h3xstream/retirejs/repo/JsLibrary.java: --------------------------------------------------------------------------------
package com.h3xstream.retirejs.repo;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class JsLibrary {

    private String name;
    private final List<JsVulnerability> vulnerabilities;
    private List<String> uris;
    private List<String> filename;
    private Map<String, String> hashes;
    private List<String> fileContents;
    private List<String> functions;

    public JsLibrary() {
        vulnerabilities = new ArrayList<JsVulnerability>();
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public List<JsVulnerability> getVulnerabilities() {
        return vulnerabilities;
    }


    public List<String> getUris() {
        return uris;
    }

    public void setUris(List<String> uris) {
        this.uris = uris;
    }

    public List<String> getFilename() {
        return filename;
    }

    public void setFilename(List<String> filename) {
        this.filename = filename;
    }

    public Map<String, String> getHashes() {
        return hashes;
    }

    public void setHashes(Map<String, String> hashes) {
        this.hashes = hashes;
    }

    public List<String> getFileContents() {
        return fileContents;
    }

    public void setFileContents(List<String> fileContents) {
        this.fileContents = fileContents;
    }

    public List<String> getFunctions() {
        return functions;
    }

    public void setFunctions(List<String> functions) {
        this.functions = functions;
    }
}
-------------------------------------------------------------------------------- /retirejs-core/src/main/java/com/h3xstream/retirejs/repo/JsLibraryResult.java: --------------------------------------------------------------------------------
package com.h3xstream.retirejs.repo;

public class JsLibraryResult {
    private JsLibrary library;
    private JsVulnerability vuln;

    private String detectedVersion;
    private String regexRequest;
    private String regexResponse;

    public JsLibraryResult(JsLibrary library, JsVulnerability vuln, String detectedVersion, String regexRequest, String regexResponse) {
        this.library = library;
        this.vuln = vuln;
        this.detectedVersion = detectedVersion;
        this.regexRequest = regexRequest;
        this.regexResponse = regexResponse;
    }

    public JsLibrary getLibrary() {
        return library;
    }

    public void setLibrary(JsLibrary library) {
        this.library = library;
    }

    public JsVulnerability getVuln() {
        return vuln;
    }

    public void setVuln(JsVulnerability vuln) {
        this.vuln = vuln;
    }

    public String getDetectedVersion() {
        return detectedVersion;
    }

    public void setDetectedVersion(String detectedVersion) {
        this.detectedVersion = detectedVersion;
    }

    public String getRegexRequest() {
        return regexRequest;
    }

    public void setRegexRequest(String regexRequest) {
        this.regexRequest = regexRequest;
    }

    public String getRegexResponse() {
        return regexResponse;
    }

    public void setRegexResponse(String regexResponse) {
        this.regexResponse = regexResponse;
    }
}
-------------------------------------------------------------------------------- /retirejs-core/src/main/java/com/h3xstream/retirejs/repo/JsVulnerability.java: --------------------------------------------------------------------------------
package com.h3xstream.retirejs.repo;

import java.util.List;
import java.util.Map;

public class JsVulnerability {
    private final String atOrAbove;
    private final String below;
    private final List<String> info;
    private final Map<String, List<String>> identifiers;
    private final String severity;

    public JsVulnerability(String atOrAbove, String below, List<String> info, Map<String, List<String>> identifiers,
                           String severity) {
        this.atOrAbove = atOrAbove;
        this.below = below;
        this.info = info;
        this.identifiers = identifiers;
        this.severity = severity;
    }

    public String getAtOrAbove() {
        return atOrAbove;
    }

    public String getBelow() {
        return below;
    }

    public List<String> getInfo() {
        return info;
    }

    public Map<String, List<String>> getIdentifiers() {
        return identifiers;
    }

    public String getSeverity() {
        return severity;
    }
}
-------------------------------------------------------------------------------- /retirejs-core/src/main/java/com/h3xstream/retirejs/repo/ScannerFacade.java: --------------------------------------------------------------------------------
package com.h3xstream.retirejs.repo;

import com.esotericsoftware.minlog.Log;
import com.h3xstream.retirejs.util.HashUtil;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.json.JSONException;

public class ScannerFacade {
    private VulnerabilitiesRepository repo;
    private static ScannerFacade instance; //Singleton instance

    private ScannerFacade() throws IOException, JSONException {
        this.repo = new VulnerabilitiesRepositoryLoader().load();
    }

    /**
     * For testing purpose only
     * @param repo Mock repository (For testing purpose)
     * @throws IOException Unable to load the repository
     */
    public ScannerFacade(VulnerabilitiesRepository repo) throws IOException {
        this.repo = repo;
    }

    /**
     * Obtain the singleton instance. It makes sure the repository is loaded the first time.
     * @return Will always return the same instance
     * @throws IOException Unable to load the repository
     */
    public static ScannerFacade getInstance() throws IOException, JSONException {
        if (instance == null) {
            instance = new ScannerFacade();
        }
        return instance;
    }

    public static ScannerFacade loadInstance(VulnerabilitiesRepository repo) throws IOException {
        if (instance == null) {
            instance = new ScannerFacade(repo);
        }
        return instance;
    }

    /**
     * Look for potential scripts in the HTML code <script src="//cdn.server.com/jquery/1.3.3.7.js"></script>
     * @param respBytes Content of the HTML page (exclude HTTP headers)
     * @param offset The body of the response starts at this offset
     * @return The list of vulnerable libraries
     */
    public List<JsLibraryResult> scanHtml(byte[] respBytes, int offset) {
        String contentString = new String(respBytes, offset, respBytes.length - offset);
        List<JsLibraryResult> res = new ArrayList<JsLibraryResult>();
        for (String url : findScriptUrl(contentString)) {
            res.addAll(scanPath(url));
        }
        return res;
    }

    private List<String> findScriptUrl(String source) {
        //Every token starts right after a '<', so a script tag yields a token starting with "script"
        String[] tokens = source.split("<");

        List<String> urls = new ArrayList<String>();

        Pattern p = Pattern.compile("^[sS][cC][rR][iI][pP][tT][^>]*" + //script tag
                "[sS][rR][cC]=" + //src attribute
                "[\"']([^>\"']*)[\"']"); //URL between quotes
        for (String line : tokens) {
            if (line.toLowerCase().startsWith("script")) {
                Matcher m = p.matcher(line);
                if (m.find()) {
                    String urlScript = m.group(1);
                    urls.add(urlScript);
                }
            }
        }

        return urls;
    }


    /**
     * Analyze a script when only its path is available,
     * for example a path found in an HTML page.
     * @param path File path (ie: /js/jquery/jquery-1.3.3.7.js)
     * @return The list of vulnerable libraries
     */
    public List<JsLibraryResult> scanPath(String path) {
        return scanScript(path, "".getBytes(), 0);
    }

    /**
     * Analyze a script whose JavaScript content has been loaded.
     * The path has been extracted from the request URI
     * and the response is the content of the file.
     *
     * @param path File path (ie: /js/jquery/jquery-1.3.3.7.js)
     * @param respBytes Content of the JavaScript file (exclude HTTP headers)
     * @param offset The body of the response starts at this offset
     * @return The list of vulnerable libraries
     */
    public List<JsLibraryResult> scanScript(String path, byte[] respBytes, int offset) {

        //1. Search by URI (path + file name)
        List<JsLibraryResult> res = repo.findByUri(path);

        if (res.size() == 0) { //2. Search by file name
            Log.debug(String.format("No path matching the script (%s)", path));
            String filename = getFilename(path);
            res = repo.findByFilename(filename);

            if (res.size() == 0) { //3. Compare the hash with the known hashes
                Log.debug(String.format("No filename matching the script (%s)", filename));
                String hash = HashUtil.hashSha1(respBytes, offset);
                res = repo.findByHash(hash);

                if (res.size() == 0) { //4. Look for specific strings in the content
                    Log.debug(String.format("No hash matching %s (%s)", hash, path));

                    String contentString = new String(respBytes, offset, respBytes.length - offset);
                    res = repo.findByFileContent(contentString);

                    if (res.size() == 0) { //5. Evaluate the script in a sandbox (not implemented)
                        Log.debug(String.format("No content matching the script \"%s\"", path));

                        /*
                        res = repo.findByFunction(contentString);
                        */
                    }
                }
            }
        }

        return res;
    }

    private static String getFilename(String path) {
        int lastSlash = path.lastIndexOf('/');
        return lastSlash < 0 ? path : path.substring(lastSlash + 1);
    }
}
-------------------------------------------------------------------------------- /retirejs-core/src/main/java/com/h3xstream/retirejs/repo/VulnerabilitiesRepository.java: --------------------------------------------------------------------------------
package com.h3xstream.retirejs.repo;

import com.esotericsoftware.minlog.Log;
import com.h3xstream.retirejs.util.CompareVersionUtil;
import com.h3xstream.retirejs.util.RegexUtil;

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Class that holds the definitions of all the libraries.
 */
public class VulnerabilitiesRepository {

    protected List<JsLibrary> jsLibrares = new ArrayList<JsLibrary>();

    public void addLibrary(JsLibrary lib) {
        jsLibrares.add(lib);
    }

    /**
     * This search mode will identify the vulnerable library based on the full URI.
     * @param uri URI taken from a HTTP request
     * @return The list of vulnerable libraries found
     */
    public List<JsLibraryResult> findByUri(String uri) {
        Log.debug("Analysing URI: \"" + uri + "\"");
        List<JsLibraryResult> res = new ArrayList<JsLibraryResult>();

        long before = System.currentTimeMillis();

        libLoop: for (JsLibrary lib : jsLibrares) {
            //Log.debug(lib.getName() +" has "+lib.getUris()+" URIs");
            if (lib.getUris() == null) {
                //Log.warn("The library "+lib.getName()+" doesn't have uri regex ?!!");
                continue;
            }
            for (String uriRegex : lib.getUris()) {

                //Extract version
                Pattern p = Pattern.compile(uriRegex);
                String version = RegexUtil.simpleMatch(p, uri);

                if (version != null) { //Pattern match
                    Log.debug("Pattern match \"" + uriRegex + "\" !");
                    Log.debug("Identify the library " + lib.getName() + " (version:" + version + ")");

                    findVersionVulnerable(lib, version, res, uriRegex, null);
                    continue libLoop;
                }
            }
        }

        long delta = System.currentTimeMillis() - before;
        Log.debug("It took ~" + (int) (delta / 1000.0) + " sec. (" + delta + " ms) to scan");
        return res;
    }

    /**
     * This search mode will identify the library by its filename (official distribution filename).
     * @param filename Filename taken from an URI
     * @return The list of vulnerable libraries found
     */
    public List<JsLibraryResult> findByFilename(String filename) {
        Log.debug("Analysing filename: \"" + filename + "\"");

        long before = System.currentTimeMillis();

        List<JsLibraryResult> res = new ArrayList<JsLibraryResult>();
        libLoop: for (JsLibrary lib : jsLibrares) {
            if (lib.getFilename() == null) {
                continue;
            }
            for (String filenameRegex : lib.getFilename()) {

                //Extract version
                Pattern p = Pattern.compile(filenameRegex);
                String version = RegexUtil.simpleMatch(p, filename);

                if (version != null) { //Pattern match
                    Log.debug("Pattern match \"" + filenameRegex + "\" !");
                    Log.debug("Identify the library " + lib.getName() + " (version:" + version + ")");


                    findVersionVulnerable(lib, version, res, filenameRegex, null);
                    continue libLoop;
                }
            }
        }


        long delta = System.currentTimeMillis() - before;
        Log.debug("It took ~" + (int) (delta / 1000.0) + " sec. (" + delta + " ms) to scan");
        return res;
    }

    /**
     * This search mode will look for literal strings specific to the vulnerable libraries.
     * @param scriptContent Complete content of the script
     * @return The list of vulnerable libraries found
     */
    public List<JsLibraryResult> findByFileContent(String scriptContent) {
        String scriptStart = scriptContent.substring(0, Math.min(20, scriptContent.length())).replace("\n", "");
        Log.debug("Analysing the content: \"" + scriptStart + "[..]\"");

        long before = System.currentTimeMillis();

        List<JsLibraryResult> res = new ArrayList<JsLibraryResult>();
        libLoop: for (JsLibrary lib : jsLibrares) {
            if (lib.getFileContents() == null) {
                continue;
            }
            for (String contentRegex : lib.getFileContents()) {

                String version = extractVersion(scriptContent, contentRegex);

                if (version != null) { //Pattern match
                    Log.debug("Pattern match \"" + contentRegex + "\" !");
                    Log.debug("Identify the library " + lib.getName() + " (version:" + version + ")");

                    findVersionVulnerable(lib, version, res, null, contentRegex);
                    continue libLoop;
                }
            }
        }

        long delta = System.currentTimeMillis() - before;
        Log.debug("It took ~" + (int) (delta / 1000.0) + " sec. (" + delta + " ms) to scan");
        return res;
    }

    private String extractVersion(String scriptContent, String contentRegex) {
        try {
            Pattern p = Pattern.compile(contentRegex);
            return RegexUtil.simpleMatch(p, scriptContent);
        }
        catch (Exception any) { //Invalid regex in the repository, or no capturing group
            Log.warn(String.format("Unable to extract version using regex '%s'", contentRegex));
            return null;
        }
    }


    /**
     * This search mode will identify the library by comparing the hash of the file with the known hashes of the official distributions.
     * @param hash Hash of the file to search
     * @return The list of vulnerable libraries found
     */
    public List<JsLibraryResult> findByHash(String hash) {
        List<JsLibraryResult> res = new ArrayList<JsLibraryResult>();
        for (JsLibrary lib : jsLibrares) {
            if (lib.getHashes() == null) {
                continue;
            }
            String version = lib.getHashes().get(hash);

            if (version != null) { //Hash match
                Log.debug("Hash found \"" + hash + "\" !");
                Log.debug("Identify the library " + lib.getName() + " (version:" + version + ")");

                findVersionVulnerable(lib, version, res, null, null);
                return res; //Only one hash can match the file
            }
        }
        return res;
    }

    /**
     * This search mode will load the script in a sandbox and look for the presence of specific functions.
     *
     * NOT IMPLEMENTED
     *
     * @param scriptContent Complete content of the script
     * @return The list of vulnerable libraries found
     */
    public List<JsLibraryResult> findByFunction(String scriptContent) {
        return new ArrayList<JsLibraryResult>();
    }


    private void findVersionVulnerable(JsLibrary lib, String version, List<JsLibraryResult> resultsFound, String regexRequest, String regexResponse) {
        //Look for vulnerabilities affecting this specific version..
        for (JsVulnerability vuln : lib.getVulnerabilities()) {
            if (CompareVersionUtil.isUnder(version, vuln.getBelow())) {

                //The lower bound is optional in the repository: absent means "every version below"
                if (vuln.getAtOrAbove() == null ||
                        CompareVersionUtil.atOrAbove(version, vuln.getAtOrAbove())) {

                    Log.info(String.format("Vulnerability found: %s below %s", lib.getName(), vuln.getBelow()));
                    resultsFound.add(new JsLibraryResult(lib, vuln, version, regexRequest, regexResponse));
                }
            }
        }
    }
}
-------------------------------------------------------------------------------- /retirejs-core/src/main/java/com/h3xstream/retirejs/repo/VulnerabilitiesRepositoryLoader.java: --------------------------------------------------------------------------------
package com.h3xstream.retirejs.repo;

import com.esotericsoftware.minlog.Log;
import com.h3xstream.retirejs.repo.dl.DefaultDownloader;
import com.h3xstream.retirejs.repo.dl.Downloader;
import com.h3xstream.retirejs.util.RegexUtil;
import org.json.JSONArray;
import org.json.JSONObject;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.net.UnknownHostException;
import java.util.*;
import org.json.JSONException;

public class VulnerabilitiesRepositoryLoader {

    /**
     * These switches are needed by the test cases.
     */
    public static boolean syncWithOnlineRepository = true;
    public static boolean cachedDownloadRepository = true;

    /**
     * The default repository URL
     */
    public static final String REPO_URL = "https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json";

    public VulnerabilitiesRepository load(String url) throws IOException, JSONException {
        return load(url, new DefaultDownloader());
    }

    public VulnerabilitiesRepository load(String url, Downloader dl) throws IOException, JSONException {
        if (url == null || url.length() == 0) {
            throw new IllegalArgumentException("url is null or empty");
        }

        String homeDir = System.getProperty("user.home");
        File cacheDir = new File(homeDir, ".retirejs");
        File retireJsRepoFile = new File(cacheDir, "jsrepository.json");

        if (syncWithOnlineRepository) { //Remote repository

            if (cachedDownloadRepository) {

                if (!cacheDir.exists()) {
                    Log.info("Creating Retire.js cache directory " + cacheDir.getCanonicalPath());
                    cacheDir.mkdir();
                }
            }

            //Resolution order: fresh download (written to ~/.retirejs when possible), then the stale cache, then the copy bundled in the jar.
            //The downloaded file is used as-is: nothing beyond the transport (HTTPS for REPO_URL) vouches for its content.
            try {

                if (cacheDir.exists()) {
                    Log.info("Caching Retire.js latest repository");
                    dl.downloadUrlToFile(url, retireJsRepoFile);
                    Log.info("Loading the latest Retire.js repository");
                    return loadFromInputStream(new FileInputStream(retireJsRepoFile));
                }
                else { //The cache directory could not be created (permission issue?): read the repository straight from the network
                    URL remoteRepo = new URL(url);
                    URLConnection conn = remoteRepo.openConnection();
                    conn.connect();
                    InputStream inputStream = conn.getInputStream();

                    Log.info("Loading the latest Retire.js repository (not cache)");
                    return loadFromInputStream(inputStream);
                }
            } catch (UnknownHostException exception) {
                Log.error("Exception while loading the repository (Most likely unable to access the internet) " +
                        exception.getClass().getName() + ": " + exception.getMessage());
            } catch (IOException exception) { //If a problem occurs with the online file, the local repository is used.
                Log.error("Exception while loading the repository (Connection problem while loading latest repository from "
                        + url + ") " +
                        exception.getClass().getName() + ": " + exception.getMessage());
            } catch (Exception e) {
                Log.error("Exception while loading the repository (Unable to access GitHub ?) " +
                        e.getClass().getName() + ": " + e.getMessage());
                //e.printStackTrace();
            }
        }

        if (syncWithOnlineRepository && cachedDownloadRepository && retireJsRepoFile.exists()) {
            Log.info("Loading the local cached Retire.js repository (old version)");
            return loadFromInputStream(new FileInputStream(retireJsRepoFile));
        }

        //Local version of the repository
        Log.info("Loading the bundled Retire.js repository (old version)");
        InputStream inputStream = getClass().getResourceAsStream("/retirejs_repository.json");
        return loadFromInputStream(inputStream);
    }

    public VulnerabilitiesRepository load() throws IOException, JSONException {
        return load(REPO_URL);
    }

    public VulnerabilitiesRepository loadFromInputStream(InputStream in) throws IOException, JSONException {
        JSONObject rootJson = new JSONObject(convertStreamToString(in));


        VulnerabilitiesRepository repo = new VulnerabilitiesRepository();

        int nbLoaded = 0;

        Iterator it = rootJson.keys(); //Iterate on each library jquery, YUI, prototypejs, ...
        while (it.hasNext()) {
            String key = (String) it.next();
            JSONObject libJson = rootJson.getJSONObject(key);

            JsLibrary lib = new JsLibrary();

            if (libJson.has("vulnerabilities")) {
                JSONArray vulnerabilities = libJson.getJSONArray("vulnerabilities");

                lib.setName(key);
                //Log.debug("Building the library " + key);

                for (int i = 0; i < vulnerabilities.length(); i++) { //Build Vulnerabilities list
                    JSONObject vuln = vulnerabilities.getJSONObject(i);
                    String atOrAbove = vuln.has("atOrAbove") ? vuln.getString("atOrAbove") : null; //Optional field
                    String below = vuln.getString("below");
                    List<String> info = objToStringList(vuln.get("info"), false);
                    Map<String, List<String>> identifiers = vuln.has("identifiers") ?
                            objToStringMapMultiValues(vuln.get("identifiers")) :
                            new HashMap<String, List<String>>();
                    String severity = vuln.has("severity") ? vuln.getString("severity") : "medium";
                    lib.getVulnerabilities().add(new JsVulnerability(atOrAbove, below, info, identifiers, severity));
                }
            }
            if (libJson.has("extractors")) {
                JSONObject extractor = libJson.getJSONObject("extractors");
                //Imports various lists; filename, filecontent and uri patterns get their §§version§§ placeholder expanded
                if (extractor.has("func"))
                    lib.setFunctions(objToStringList(extractor.get("func"), false));
                if (extractor.has("filename"))
                    lib.setFilename(objToStringList(extractor.get("filename"), true));
                if (extractor.has("filecontent"))
                    lib.setFileContents(objToStringList(extractor.get("filecontent"), true));
                if (extractor.has("hashes"))
                    lib.setHashes(objToStringMap(extractor.get("hashes")));
                if (extractor.has("uri"))
                    lib.setUris(objToStringList(extractor.get("uri"), true));
            }
            //Once all the information has been collected, the library is ready to be cached.

            repo.addLibrary(lib);
            nbLoaded++;
            //System.out.println(libJson.toString());
        }
        Log.debug(nbLoaded + " loaded library.");
        return repo;
    }

    /// Conversion utility methods

    public List<String> objToStringList(Object obj, boolean replaceVersionWildcard) throws JSONException {
        JSONArray array = (JSONArray) obj;
        List<String> strArray = new ArrayList<String>(array.length());
        for (int i = 0; i < array.length(); i++) { //Copy each entry, expanding the version placeholder into its regex when requested

            if (replaceVersionWildcard) {
                strArray.add(RegexUtil.replaceVersion(array.getString(i)));
            } else {
                strArray.add(array.getString(i));
            }
        }
        return strArray;
    }

    public Map<String, String> objToStringMap(Object obj) throws JSONException {
        Map<String, String> finalMap = new HashMap<String, String>();

        JSONObject jsonObj = (JSONObject) obj;
        Iterator it = jsonObj.keys();
        while (it.hasNext()) {
            String key = (String) it.next();

            finalMap.put(key, jsonObj.getString(key));
        }
        return finalMap;
    }

    public Map<String, List<String>> objToStringMapMultiValues(Object obj) throws JSONException {
        Map<String, List<String>> finalMap = new HashMap<String, List<String>>();

        JSONObject jsonObj = (JSONObject) obj;
        Iterator it = jsonObj.keys();
        while (it.hasNext()) {
            String key = (String) it.next();

            JSONArray valuesArray = jsonObj.optJSONArray(key);
            if (valuesArray == null) {
                finalMap.put(key, Arrays.asList(jsonObj.getString(key)));
            }
            else {
                finalMap.put(key, objToStringList(valuesArray, false));
            }
        }
        return finalMap;
    }

    static String convertStreamToString(InputStream is) {
        try {
            Scanner s = new Scanner(is, "UTF-8").useDelimiter("\\A");
            return s.hasNext() ? s.next() : "";
        } finally {
            try {
                is.close();
            } catch (IOException e) {
            }
        }
    }




}
--------------------------------------------------------------------------------
/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/dl/DefaultDownloader.java:
--------------------------------------------------------------------------------
package com.h3xstream.retirejs.repo.dl;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;

public class DefaultDownloader implements Downloader {


    @Override
    public void downloadUrlToFile(String url, File file) throws IOException {
        URL remoteRepo = new URL(url);
        URLConnection conn = remoteRepo.openConnection();
        conn.connect();

        //Both streams are closed by try-with-resources, the response stream included when the write fails
        try (InputStream in = conn.getInputStream();
             FileOutputStream out = new FileOutputStream(file)) {
            byte buffer[] = new byte[1024];
            int count;
            while ((count = in.read(buffer, 0, 1024)) != -1) {
                out.write(buffer, 0, count);
                out.flush();
            }
        }
    }
}
--------------------------------------------------------------------------------
/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/dl/Downloader.java:
--------------------------------------------------------------------------------
package com.h3xstream.retirejs.repo.dl;

import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;

public interface Downloader {

    /**
     * Download the content at the URL given and save it locally.
     * This interface is used to switch between HTTP connectors.
     *
     * In the context of Maven, the connection needs to go through the Maven API in order
     * to benefit from its proxy configuration.
     * The Maven plugin would otherwise not work on an enterprise network.
     *
     * @param url URL to request
     * @param file File where the content will be saved.
     * @throws Exception Connection error most likely
     */
    void downloadUrlToFile(String url, File file) throws Exception;
}
--------------------------------------------------------------------------------
/retirejs-core/src/main/java/com/h3xstream/retirejs/util/CompareVersionUtil.java:
--------------------------------------------------------------------------------
package com.h3xstream.retirejs.util;

/**
 * Utility to compare version strings segment by segment.
 *
 */
public class CompareVersionUtil {

    /**
     * Method that calculates whether [Version 1] is under [Version 2]
     * <pre>
     * 1.0.1 - 1.0.2  : YES
     * 1.0.1 - 2.0.1  : YES
     * 1.3.2 - 1.2.5  : NO
     * 1.2.3 - 1.2.3  : NO
     * </pre>
     * ===
     * Reimplementation of isAtOrAbove (but reversed)
     * https://github.com/bekk/retire.js/blob/master/node/lib/retire.js#L85
     *
     * @param version Version to compare
     * @param under Version serving as reference
     * @return True if [version] < [under]
     */
    public static boolean isUnder(String version, String under) {
        String[] v1Parts = version.split("[\\.\\-]");
        String[] v2Parts = under.split("[\\.\\-]");

        int numberParts = Math.max(v1Parts.length, v2Parts.length);
        for (int i = 0; i < numberParts; i++) {
            if (v2Parts.length > i && "*".equals(v2Parts[i])) { //A wildcard segment in the reference matches anything
                continue;
            }

            int version1Segment = versionPartToInteger(v1Parts, i);
            int version2Segment = versionPartToInteger(v2Parts, i);

            if (version1Segment > version2Segment) {
                return false;
            } else if (version1Segment < version2Segment) {
                return true;
            }
            //else continue;
        }
        return false; //same version
    }

    public static boolean atOrAbove(String version, String atOrAbove) {
        String[] v1Parts = version.split("[\\.\\-]");
        String[] v2Parts = atOrAbove.split("[\\.\\-]");

        int numberParts = Math.max(v1Parts.length, v2Parts.length);
        for (int i = 0; i < numberParts; i++) {
            if (v2Parts.length > i && "*".equals(v2Parts[i])) {
                continue;
            }

            int version1Segment = versionPartToInteger(v1Parts, i);
            int version2Segment = versionPartToInteger(v2Parts, i);

            if (version1Segment < version2Segment) {
                return false;
            } else if (version1Segment > version2Segment) {
                return true;
            }
            //else continue;
        }
        return true; //same version
    }

    /**
     * Should be equivalent to:
     * https://github.com/bekk/retire.js/blob/master/node/lib/retire.js#L99
     * @param value version split into segments (on '.' and '-')
     * @param index segment to convert
     * @return the integer value of the segment, or 0 when the segment is missing or not a plain integer (e.g. "6rc6", "min")
     */
    private static int versionPartToInteger(String[] value, int index) {
        if (value.length <= index) {
            return 0;
        }
        try {
            return Integer.parseInt(value[index]);
        }
        catch (NumberFormatException e) {
            return 0;
        }
    }
}
--------------------------------------------------------------------------------
/retirejs-core/src/main/java/com/h3xstream/retirejs/util/HashUtil.java:
--------------------------------------------------------------------------------
package com.h3xstream.retirejs.util;

import java.security.DigestException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HashUtil {

    //Hashes the content from `offset` to its end; the lowercase hex digest is the key of the repository's "hashes" extractor
    public static String hashSha1(byte[] content, int offset) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-1");
            digest.update(content, offset, content.length - offset);
            return toHex(digest.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e); //Will never happen, unless executed on a martian JVM.
        }
    }

    private static String toHex(byte[] value) {
        StringBuilder sb = new StringBuilder();
        for (byte b : value) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
--------------------------------------------------------------------------------
/retirejs-core/src/main/java/com/h3xstream/retirejs/util/RegexUtil.java:
--------------------------------------------------------------------------------
package com.h3xstream.retirejs.util;

import com.esotericsoftware.minlog.Log;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RegexUtil {

    private static Pattern PATTERN_REPLACE = Pattern.compile("^\\/(.*[^\\\\])\\/([^\\/]+)\\/$");

    /**
     *
     * @param pattern Pattern to find containing a single group to match. The group is marked in parentheses.
     * @param data The source of data to process (URI, filename, js content, ..)
     * @return Match of the first group extracted
     */
    public static String simpleMatch(Pattern pattern, String data) {
        try {
            Matcher m = pattern.matcher(data);
            validateRegexResult(m);
            return m.find() ? m.group(1) : null;
        }
        catch (IllegalArgumentException iae) {
            throw iae;
        }
        catch (Throwable t) { //Some repository regexes can overflow the stack on large inputs (see issue #54)
            return null;
        }
    }

    /**
     *
     * @param replacePattern The format expected is /(FIND_SOMETHING)/(REPLACE_BY_SOMETHING)/
     * @param data The source of data to process (URI, filename, js content, ..)
     * @return Match of the first group extracted
     */
    public static String replaceMatch(String replacePattern, String data) {
        Matcher mRP = PATTERN_REPLACE.matcher(replacePattern);
        //Extract the replace pattern /(FIND_SOMETHING)/(REPLACE_BY_SOMETHING)/.
        //The previous condition "find() || groupCount() != 3" was always true (the pattern has exactly two groups),
        //so an invalid replace pattern failed in group(1) with an IllegalStateException instead of the intended error.
        if (mRP.find()) {
            String patternToFind = mRP.group(1);
            String replaceBy = mRP.group(2);
            Log.debug("Pattern to find: " + patternToFind);
            Log.debug("Replace by: " + replaceBy);

            Matcher m = Pattern.compile(patternToFind).matcher(data);
            validateRegexResult(m);
            if (m.find()) { //Do the replacement
                return m.group(0).replaceAll(patternToFind, replaceBy);
            }
            else {
                return null; //Pattern was not found..
            }
        }
        else {
            throw new RuntimeException("Invalid replace pattern.");
        }
    }

    private static void validateRegexResult(Matcher m) {
        if (m.find() && m.groupCount() == 0) throw new IllegalArgumentException("The regex is expected to contain at least one group.");
        m.reset(); //Needed to use find() again
    }

    public static String replaceVersion(String regex) {
        //Note : It is important to load the repository file in UTF-8 (as it is encoded in this file)
        regex = regex.replace("§§version§§", "[0-9][0-9.a-z_\\\\\\\\-]+");
        if (regex.contains("{")) {
            regex = regex.replaceAll("\\{\\}", "\\\\{\\\\}"); //A literal {} must be escaped: an unescaped brace pair is read as a quantifier, as in [a-z]{1337}
        }
        if (regex.contains("\n")) {
            regex = regex.replaceAll("\n", "\\\\n");
        }
        if (regex.contains("[")) {
            regex = regex.replaceAll("\\[\\]", "\\\\[\\\\]"); // see https://github.com/RetireJS/retire.js/issues/382 for jquery.datatables
        }
        return regex;
    }
}
--------------------------------------------------------------------------------
/retirejs-core/src/main/java/com/h3xstream/retirejs/vuln/DescriptionModel.java:
--------------------------------------------------------------------------------
package com.h3xstream.retirejs.vuln;

import java.util.ArrayList;
import java.util.List;

public class DescriptionModel {

    private String detectedLibrary;
    private String detectedVersion;

    private final List<String> links = new ArrayList<String>();
    private String aboveVersion;
    private String belowVersion;

    public String getDetectedLibrary() {
        return detectedLibrary;
    }

    public void setDetectedLibrary(String detectedLibrary) {
        this.detectedLibrary = detectedLibrary;
    }

    public String getDetectedVersion() {
        return detectedVersion;
    }

    public void setDetectedVersion(String detectedVersion) {
        this.detectedVersion
"*" : aboveVersion); 25 | model.setBelowVersion(belowVersion); 26 | 27 | //Compile the template 28 | MustacheFactory mf = new DefaultMustacheFactory(); 29 | Mustache mustache = mf.compile(new InputStreamReader(tpl), ""); 30 | 31 | //OutputStream to String 32 | ByteArrayOutputStream outBuffer = new ByteArrayOutputStream(); 33 | mustache.execute(new PrintWriter(outBuffer), model).flush(); 34 | return outBuffer.toString(); 35 | } catch (IOException e) { 36 | return errorResult(e); 37 | } 38 | } 39 | 40 | private static String errorResult(Exception e) { 41 | Log.error("Unable to generate the description." + (e != null? e.getMessage():"")); 42 | return "An error occurs while loading description template."; 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/repo/PrettyDisplay.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.repo; 2 | 3 | import java.util.Arrays; 4 | import java.util.List; 5 | import java.util.Map; 6 | 7 | public class PrettyDisplay { 8 | 9 | /** 10 | * Display the result of a scan to the command line. 11 | * Used by tests including "VulnerabilitiesRepositorySearch***" 12 | * @param results 13 | */ 14 | public static void displayResults(List results) { 15 | System.out.println("=================================="); 16 | System.out.println("Results:"); 17 | int i=0; 18 | for(JsLibraryResult res : results) { 19 | System.out.printf("%d. '%s' is under the version '%s' and above '%s'. 
" + 20 | "Therefore, it is vulnerable to :%n%s%n" + 21 | "Identifiers: %s%n" + 22 | "Severity: %s%n", 23 | i++, 24 | res.getLibrary().getName(), 25 | res.getVuln().getBelow(), 26 | res.getVuln().getAtOrAbove(), 27 | Arrays.toString(res.getVuln().getInfo().toArray()), 28 | mapToString(res.getVuln().getIdentifiers()), 29 | res.getVuln().getSeverity() 30 | ); 31 | } 32 | if(results.size() == 0) { 33 | System.out.println("Nothing found."); 34 | } 35 | 36 | System.out.println("=================================="); 37 | } 38 | 39 | private static String mapToString(Map> identifiers) { 40 | StringBuilder buffer = new StringBuilder(); 41 | for(Map.Entry> e : identifiers.entrySet()) { 42 | buffer.append(e.getKey()).append(": \'") // 43 | .append(Arrays.toString(e.getValue().toArray())) // 44 | .append("\'"); 45 | } 46 | return buffer.toString(); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/repo/ScannerFacadeTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.repo; 2 | 3 | import com.esotericsoftware.minlog.Log; 4 | import org.testng.annotations.BeforeClass; 5 | import org.testng.annotations.Test; 6 | 7 | import java.io.IOException; 8 | import java.util.ArrayList; 9 | import java.util.List; 10 | 11 | import static org.mockito.Matchers.any; 12 | import static org.mockito.Matchers.anyString; 13 | import static org.mockito.Mockito.*; 14 | import static org.testng.Assert.assertEquals; 15 | 16 | public class ScannerFacadeTest { 17 | 18 | private static List EMPTY_RESULT = new ArrayList(); 19 | 20 | 21 | private static List ONE_RESULT = new ArrayList(); 22 | { 23 | ONE_RESULT.add(mock(JsLibraryResult.class)); 24 | } 25 | 26 | private static List MANY_RESULTS = new ArrayList(); 27 | { 28 | MANY_RESULTS.add(mock(JsLibraryResult.class)); 29 | MANY_RESULTS.add(mock(JsLibraryResult.class)); 30 | } 31 | 32 | 
private static String DUMMY_SCRIPT = "/* yolo.js 1.3.3.7 */ eval(decodeURIComponent(window.location.hash))"; 33 | private static String DUMMY_SCRIPT_SHA1 = "0158eb7c7a9cb37a3a2180edc5f159ad1c55bb05"; 34 | 35 | 36 | 37 | @BeforeClass 38 | public void setUp() { 39 | Log.DEBUG(); 40 | } 41 | 42 | @Test 43 | public void uriMatch() throws IOException { 44 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = false; 45 | 46 | //Init. mock 47 | VulnerabilitiesRepository repo = mock(VulnerabilitiesRepository.class); 48 | when(repo.findByUri("/js/yolo.js")).thenReturn(ONE_RESULT); 49 | 50 | //Call the scanner logic 51 | ScannerFacade scanner = new ScannerFacade(repo); 52 | List results = scanner.scanScript("/js/yolo.js",DUMMY_SCRIPT.getBytes(),0); 53 | 54 | //Assertions 55 | assertEquals(results.size(),1,"Expect one result."); 56 | verify(repo).findByUri("/js/yolo.js"); 57 | verify(repo,never()).findByFilename(anyString()); 58 | verify(repo,never()).findByHash(anyString()); 59 | verify(repo,never()).findByFileContent(anyString()); 60 | } 61 | 62 | @Test 63 | public void filenameMatch() throws IOException { 64 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = false; 65 | 66 | //Init. 
mock 67 | VulnerabilitiesRepository repo = mock(VulnerabilitiesRepository.class); 68 | when(repo.findByUri("/js/yolo.js")).thenReturn(EMPTY_RESULT); 69 | when(repo.findByFilename("yolo.js")).thenReturn(ONE_RESULT); 70 | 71 | //Call the scanner logic 72 | ScannerFacade scanner = new ScannerFacade(repo); 73 | List results = scanner.scanScript("/js/yolo.js",DUMMY_SCRIPT.getBytes(),0); 74 | 75 | //Assertions 76 | assertEquals(results.size(),1,"Expect one result."); 77 | verify(repo).findByUri("/js/yolo.js"); 78 | verify(repo).findByFilename("yolo.js"); 79 | verify(repo,never()).findByHash(anyString()); 80 | verify(repo,never()).findByFileContent(anyString()); 81 | } 82 | 83 | @Test 84 | public void hashMatch() throws IOException { 85 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = false; 86 | 87 | //Init. mock 88 | VulnerabilitiesRepository repo = mock(VulnerabilitiesRepository.class); 89 | when(repo.findByUri("/js/yolo.js")).thenReturn(EMPTY_RESULT); 90 | when(repo.findByFilename("yolo.js")).thenReturn(EMPTY_RESULT); 91 | when(repo.findByHash(DUMMY_SCRIPT_SHA1)).thenReturn(ONE_RESULT); 92 | 93 | //Call the scanner logic 94 | ScannerFacade scanner = new ScannerFacade(repo); 95 | List results = scanner.scanScript("/js/yolo.js",DUMMY_SCRIPT.getBytes(),0); 96 | 97 | //Assertions 98 | assertEquals(results.size(),1,"Expect one result."); 99 | verify(repo).findByUri("/js/yolo.js"); 100 | verify(repo).findByFilename("yolo.js"); 101 | verify(repo).findByHash(DUMMY_SCRIPT_SHA1); 102 | verify(repo,never()).findByFileContent(anyString()); 103 | } 104 | 105 | @Test 106 | public void contentMatch() throws IOException { 107 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = false; 108 | 109 | //Init. 
mock 110 | VulnerabilitiesRepository repo = mock(VulnerabilitiesRepository.class); 111 | when(repo.findByUri("/js/yolo.js")).thenReturn(EMPTY_RESULT); 112 | when(repo.findByFilename("yolo.js")).thenReturn(EMPTY_RESULT); 113 | when(repo.findByHash(DUMMY_SCRIPT_SHA1)).thenReturn(EMPTY_RESULT); 114 | when(repo.findByFileContent(DUMMY_SCRIPT)).thenReturn(ONE_RESULT); 115 | 116 | //Call the scanner logic 117 | ScannerFacade scanner = new ScannerFacade(repo); 118 | List results = scanner.scanScript("/js/yolo.js",DUMMY_SCRIPT.getBytes(),0); 119 | 120 | //Assertions 121 | assertEquals(results.size(),1,"Expect one result."); 122 | verify(repo).findByUri("/js/yolo.js"); 123 | verify(repo).findByFilename("yolo.js"); 124 | verify(repo).findByHash(DUMMY_SCRIPT_SHA1); 125 | verify(repo).findByFileContent(DUMMY_SCRIPT); 126 | } 127 | 128 | @Test 129 | public void noMatch() throws IOException { 130 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = false; 131 | 132 | //Init. mock 133 | VulnerabilitiesRepository repo = mock(VulnerabilitiesRepository.class); 134 | when(repo.findByUri("/js/yolo.js")).thenReturn(EMPTY_RESULT); 135 | when(repo.findByFilename("yolo.js")).thenReturn(EMPTY_RESULT); 136 | when(repo.findByHash(DUMMY_SCRIPT_SHA1)).thenReturn(EMPTY_RESULT); 137 | when(repo.findByFileContent(DUMMY_SCRIPT)).thenReturn(EMPTY_RESULT); 138 | 139 | //Call the scanner logic 140 | ScannerFacade scanner = new ScannerFacade(repo); 141 | List results = scanner.scanScript("/js/yolo.js",DUMMY_SCRIPT.getBytes(),0); 142 | 143 | //Assertions 144 | assertEquals(results.size(),0,"Expect one result."); 145 | verify(repo).findByUri("/js/yolo.js"); 146 | verify(repo).findByFilename("yolo.js"); 147 | verify(repo).findByHash(DUMMY_SCRIPT_SHA1); 148 | verify(repo).findByFileContent(DUMMY_SCRIPT); 149 | } 150 | } -------------------------------------------------------------------------------- 
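The following is an added example, not code from the retire.js plugin project: it calls `CompareVersionUtil.isUnder` and `CompareVersionUtil.atOrAbove` as shown above to make the range semantics used by `findVersionVulnerable` explicit, including the `*` wildcard, hyphen splitting, and the silent collapse of non-numeric segments to 0 inside `versionPartToInteger`. The class name `VersionRangeDemo`, the helper `inVulnerableRange` and the version strings are mine; the only assumption is that the `retirejs-core` classes are on the classpath.

```java
package com.h3xstream.retirejs.util;

// Added example (not part of the retire.js plugin code base): exercises the
// CompareVersionUtil methods shown above to make their range semantics explicit.
public class VersionRangeDemo {

    // Hypothetical helper, written for this demo: true when `version` falls inside the
    // retire.js range [atOrAbove, below). A null atOrAbove means "no lower bound",
    // which is the exact test VulnerabilitiesRepository.findVersionVulnerable applies.
    static boolean inVulnerableRange(String version, String atOrAbove, String below) {
        return CompareVersionUtil.isUnder(version, below)
                && (atOrAbove == null || CompareVersionUtil.atOrAbove(version, atOrAbove));
    }

    public static void main(String[] args) {
        // Plain numeric comparison, segment by segment; "below" is exclusive.
        check("1.6.2 in [1.6.0, 1.6.3)", inVulnerableRange("1.6.2", "1.6.0", "1.6.3"), true);
        check("1.6.3 in [1.6.0, 1.6.3)", inVulnerableRange("1.6.3", "1.6.0", "1.6.3"), false);
        // A missing segment reads as 0, so "1.6" is 1.6.0 and sits inside the range.
        check("1.6 in [1.6.0, 1.6.3)", inVulnerableRange("1.6", "1.6.0", "1.6.3"), true);
        // No lower bound: a null atOrAbove only checks "below".
        check("0.1 in [*, 1.6.3)", inVulnerableRange("0.1", null, "1.6.3"), true);

        // Wildcard: a '*' segment in the reference is skipped, so "1.9.*" is a ceiling
        // for every 1.8.x but does not put 1.9.1 under it.
        check("1.9.1 under 1.9.*", CompareVersionUtil.isUnder("1.9.1", "1.9.*"), false);
        check("1.8.9 under 1.9.*", CompareVersionUtil.isUnder("1.8.9", "1.9.*"), true);

        // Hyphens split like dots: "1.3.0-1" becomes [1,3,0,1], a fourth segment above 1.3.0.
        check("1.3.0-1 atOrAbove 1.3.0", CompareVersionUtil.atOrAbove("1.3.0-1", "1.3.0"), true);

        // Caveat: any segment that is not a plain integer is read as 0 by
        // versionPartToInteger. "1.6rc6" splits into ["1", "6rc6"] and therefore
        // compares as 1.0, not as a pre-release of 1.6: it is reported "under 1.5.0".
        check("1.6rc6 under 1.5.0", CompareVersionUtil.isUnder("1.6rc6", "1.5.0"), true);
        // A trailing non-numeric segment (e.g. ".min" swallowed by a filename regex)
        // is harmless for the same reason: "1.8.9.min" compares as 1.8.9.0.
        check("1.8.9.min under 1.9.0", CompareVersionUtil.isUnder("1.8.9.min", "1.9.0"), true);
        check("1.8.9.min atOrAbove 1.8.9", CompareVersionUtil.atOrAbove("1.8.9.min", "1.8.9"), true);
    }

    private static void check(String label, boolean actual, boolean expected) {
        if (actual != expected) {
            throw new AssertionError(label + ": expected " + expected + " but got " + actual);
        }
        System.out.println(label + " -> " + actual);
    }
}
```

The two "caveat" checks are the ones to keep in mind when reading scanner output: a tag glued to a number (`1.6rc6`) is not a pre-release of 1.6 to this comparator but 1.0, so such a file can be matched against a range it is not really in; a detached tag (`-1`, `.min`) is ignored and does no harm.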
/retirejs-core/src/test/java/com/h3xstream/retirejs/repo/VulnerabilitiesRepositoryLoaderManualTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.repo; 2 | 3 | import com.esotericsoftware.minlog.Log; 4 | 5 | import java.io.IOException; 6 | import org.json.JSONException; 7 | 8 | import static org.testng.Assert.assertTrue; 9 | 10 | /** 11 | * Used to test the lookup of the remote repository. 12 | */ 13 | public class VulnerabilitiesRepositoryLoaderManualTest { 14 | public static void main(String[] args) throws IOException, JSONException { 15 | Log.DEBUG(); 16 | 17 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = true; 18 | VulnerabilitiesRepositoryLoader loader = new VulnerabilitiesRepositoryLoader(); 19 | VulnerabilitiesRepository localRepoLoad = loader.load(); 20 | 21 | assertTrue(localRepoLoad.jsLibrares.size() > 0, "No library was loaded."); 22 | } 23 | 24 | } 25 | -------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/repo/VulnerabilitiesRepositoryLoaderTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.repo; 2 | 3 | 4 | import com.esotericsoftware.minlog.Log; 5 | import org.testng.annotations.BeforeClass; 6 | import org.testng.annotations.Test; 7 | 8 | import java.io.IOException; 9 | import org.json.JSONException; 10 | 11 | import static org.testng.Assert.assertTrue; 12 | 13 | public class VulnerabilitiesRepositoryLoaderTest { 14 | 15 | @BeforeClass 16 | public void setUp() { 17 | Log.DEBUG(); 18 | } 19 | 20 | @Test 21 | public void testRepositoryLoad() throws IOException, JSONException { 22 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = false; 23 | 24 | 25 | VulnerabilitiesRepositoryLoader loader = new VulnerabilitiesRepositoryLoader(); 26 | VulnerabilitiesRepository localRepoLoad = loader.load(); 27 | 28 | 
assertTrue(localRepoLoad.jsLibrares.size() > 0, "No library was loaded."); 29 | } 30 | 31 | 32 | @Test(enabled=true) //Not sure if this test should be kept enabled by default since it create file in user dir 33 | public void testRepositoryLoadRemote() throws IOException, JSONException { 34 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = true; 35 | 36 | 37 | VulnerabilitiesRepositoryLoader loader = new VulnerabilitiesRepositoryLoader(); 38 | VulnerabilitiesRepository localRepoLoad = loader.load(); 39 | 40 | assertTrue(localRepoLoad.jsLibrares.size() > 0, "No library was loaded."); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/repo/VulnerabilitiesRepositorySearchByContentTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.repo; 2 | 3 | import com.esotericsoftware.minlog.Log; 4 | import org.apache.commons.io.IOUtils; 5 | import org.testng.annotations.BeforeClass; 6 | import org.testng.annotations.Test; 7 | 8 | import java.io.IOException; 9 | import java.util.List; 10 | 11 | import static com.h3xstream.retirejs.repo.PrettyDisplay.displayResults; 12 | import org.json.JSONException; 13 | import static org.testng.Assert.assertEquals; 14 | 15 | public class VulnerabilitiesRepositorySearchByContentTest { 16 | VulnerabilitiesRepository repo; 17 | 18 | @BeforeClass 19 | public void setUp() throws IOException, JSONException { 20 | Log.DEBUG(); 21 | 22 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = true; 23 | String filePathTestRepo = getClass().getResource("/retirejs_repository_test.json").toExternalForm(); 24 | repo = new VulnerabilitiesRepositoryLoader().load(filePathTestRepo); 25 | } 26 | 27 | @Test 28 | public void findJqueryByContent() throws IOException { 29 | 30 | 31 | String scriptJquery = IOUtils.toString(getClass().getResource("/js/jquery-1.6.2.js")); 32 | 33 | 
List res = repo.findByFileContent(scriptJquery); 34 | displayResults(res); 35 | assertEquals(res.size(), 2, "Jquery not found (file:/js/jquery-1.6.2.js)"); 36 | 37 | 38 | } 39 | 40 | @Test 41 | public void findByContentNoFalsePositive() throws IOException { 42 | 43 | String scriptAngularJs = IOUtils.toString(getClass().getResource("/js/angular.safe.js")); 44 | List res = repo.findByFileContent(scriptAngularJs); 45 | displayResults(res); 46 | assertEquals(res.size(), 0, "No signature are expect to trigger.."); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/repo/VulnerabilitiesRepositorySearchByFilenameTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.repo; 2 | 3 | import com.esotericsoftware.minlog.Log; 4 | import org.testng.annotations.BeforeClass; 5 | import org.testng.annotations.Test; 6 | 7 | import java.io.IOException; 8 | import java.util.List; 9 | 10 | import static com.h3xstream.retirejs.repo.PrettyDisplay.displayResults; 11 | import org.json.JSONException; 12 | import static org.testng.Assert.assertEquals; 13 | 14 | public class VulnerabilitiesRepositorySearchByFilenameTest { 15 | VulnerabilitiesRepository repo; 16 | 17 | @BeforeClass 18 | public void setUp() throws IOException, JSONException { 19 | Log.DEBUG(); 20 | 21 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = true; 22 | 23 | String filePathTestRepo = getClass().getResource("/retirejs_repository_test.json").toExternalForm(); 24 | repo = new VulnerabilitiesRepositoryLoader().load(filePathTestRepo); 25 | } 26 | 27 | @Test 28 | public void findJqueryByFilename() throws IOException { 29 | 30 | List res = repo.findByFilename("/jquery-1.6.2.js"); 31 | displayResults(res); 32 | assertEquals(res.size(), 2, "Jquery not found (/jquery-1.6.2.js)"); 33 | 34 | res = repo.findByFilename("/jquery-1.6.3.js"); 35 | 
displayResults(res); 36 | assertEquals(res.size(), 1, "Jquery not found (/jquery-1.6.3.js)"); 37 | 38 | res = repo.findByFilename("/trolololol/jquery-1.8.9.min.js"); 39 | displayResults(res); 40 | assertEquals(res.size(), 1, "Jquery not found (/jquery-1.8.9.min.js)"); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/repo/VulnerabilitiesRepositorySearchByHashTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.repo; 2 | 3 | import com.esotericsoftware.minlog.Log; 4 | import org.testng.annotations.BeforeClass; 5 | import org.testng.annotations.Test; 6 | 7 | import java.io.IOException; 8 | import java.util.List; 9 | 10 | import static com.h3xstream.retirejs.repo.PrettyDisplay.displayResults; 11 | import org.json.JSONException; 12 | import static org.testng.Assert.assertEquals; 13 | 14 | public class VulnerabilitiesRepositorySearchByHashTest { 15 | 16 | VulnerabilitiesRepository repo; 17 | 18 | @BeforeClass 19 | public void setUp() throws IOException, JSONException { 20 | Log.DEBUG(); 21 | 22 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = true; 23 | 24 | String filePathTestRepo = getClass().getResource("/retirejs_repository_test.json").toExternalForm(); 25 | repo = new VulnerabilitiesRepositoryLoader().load(filePathTestRepo); 26 | } 27 | 28 | @Test 29 | public void findDojoByHash() throws IOException { 30 | 31 | //SHA-1 of the pristine dojo-1.4.1.js; recompute it with the lines below if the sample file changes 32 | // byte[] scriptBytes = IOUtils.toByteArray(getClass().getResource("/js/dojo-1.4.1.js")); 33 | // String hash = HashUtil.hashSha1(scriptBytes, 0); 34 | // System.out.println("Hash computed: "+hash); 35 | 36 | List<JsLibraryResult> res = repo.findByHash("73cdd262799aab850abbe694cd3bfb709ea23627"); 37 | displayResults(res); 38 | assertEquals(res.size(), 2, "Dojo 1.4.1 was expected to be found"); 39 | 40 | } 41 | } 42 | 
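The three search tests above exercise the extractor kinds of the retire.js repository format (uri, filename, filecontent, hashes, and filecontentreplace, all visible in retirejs_repository_test.json further down). What follows is an added Python example, not the project's VulnerabilitiesRepository, that walks the same path: expand a "§§version§§" pattern into a regex, try each extractor kind in turn, and fall back to a SHA-1 lookup. The patterns and the dojo 1.4.1 hash are copied from the test repository; the jQuery banner and dojo snippet are constructed inputs. One design choice is mine and is labelled as such in the code: for filename and uri subjects the version class is made lazy and the pattern anchored to the end of the subject. The class retire.js substitutes, `[0-9][0-9.a-z_\\-]+`, also matches ".min", so a greedy expansion of `jquery-(§§version§§)(\.min)?\.js` returns "1.8.9.min" for `jquery-1.8.9.min.js`. The version comparator still orders "1.8.9.min" correctly against "1.9.0b1" and "1.6.3", which is why the filename test's count of 1 cannot tell the two apart, but a reported version should not carry a build suffix.

```python
import hashlib
import re

PLACEHOLDER = "§§version§§"
# Character class retire.js substitutes for the placeholder (quantifier added by expand()).
# It admits letters and dots, so ".min" is a valid "version" tail; see expand() for the fix.
VERSION_CLASS = r"[0-9][0-9.a-z_\\-]"

# Extractors copied from retirejs_repository_test.json, trimmed to three libraries.
REPO = {
    "jquery": {"extractors": {
        "uri": [r"/(§§version§§)/jquery(\.min)?\.js"],
        "filename": [r"jquery-(§§version§§)(\.min)?\.js"],
        "filecontent": [r"/\*!? jQuery v(§§version§§)",
                        r"\* jQuery JavaScript Library v(§§version§§)"],
        "hashes": {},
    }},
    "ember": {"extractors": {
        "uri": [r"/(?:v)?(§§version§§)/ember(\.min)?\.js"],
        "filename": [r"ember-(§§version§§)(\.min)?\.js"],
        "filecontent": [r"Ember.VERSION[ ]?=[ ]?(?:'|\")(§§version§§)(?:'|\")"],
        "hashes": {},
    }},
    "dojo": {"extractors": {
        "uri": [r"/(?:dojo-)?(§§version§§)/dojo(\.min)?\.js"],
        "filename": [r"dojo-(§§version§§)(\.min)?\.js"],
        "filecontentreplace": [
            r"/dojo.version=\{major:([0-9]+),minor:([0-9]+),patch:([0-9]+)/$1.$2.$3/"],
        "hashes": {"73cdd262799aab850abbe694cd3bfb709ea23627": "1.4.1"},  # pristine dojo 1.4.1
    }},
}


def expand(pattern, anchored=False):
    """Turn a repository pattern into a Python regex.

    Follows the page's RegexUtil.replaceVersion test: the placeholder becomes the version
    class, raw newlines become the two characters backslash-n, and "{}" / "[]" pairs are
    escaped. anchored=True (this example's choice for filename and uri subjects) makes the
    class lazy and pins the pattern to the end, so "jquery-1.8.9.min.js" yields "1.8.9".
    """
    out = pattern.replace(PLACEHOLDER, VERSION_CLASS + ("+?" if anchored else "+"))
    out = out.replace("\n", "\\n").replace("{}", r"\{\}").replace("[]", r"\[\]")
    return out + "$" if anchored else out


def replace_match(spec, content):
    """Apply a "/regex/replacement/" extractor; "$n" in the replacement is regex group n."""
    regex, _, replacement = spec[1:-1].rpartition("/")
    m = re.search(regex, content)
    if m is None:
        return None
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)


def find_by_hash(repo, sha1_hex):
    """Hash lookup still identifies renamed or banner-stripped copies no regex would match."""
    return [(name, lib["extractors"]["hashes"][sha1_hex])
            for name, lib in repo.items()
            if sha1_hex in lib["extractors"].get("hashes", {})]


def detect(repo, uri=None, filename=None, content=None):
    """Return [(library, version)] for each library whose extractors fire.

    Per library the first extractor that yields a version wins, in the order uri,
    filename, filecontent, filecontentreplace, then the SHA-1 of the whole body.
    """
    body_sha1 = hashlib.sha1(content.encode("utf-8")).hexdigest() if content is not None else None
    found = []
    for name, lib in repo.items():
        ex = lib["extractors"]
        version = None
        for kind, subject, anchored in (("uri", uri, True),
                                        ("filename", filename, True),
                                        ("filecontent", content, False)):
            if subject is None:
                continue
            for pattern in ex.get(kind, []):
                m = re.search(expand(pattern, anchored), subject)
                if m:
                    version = m.group(1)
                    break
            if version:
                break
        if version is None and content is not None:
            for spec in ex.get("filecontentreplace", []):
                version = replace_match(spec, content)
                if version:
                    break
        if version is None and body_sha1 is not None:
            version = ex.get("hashes", {}).get(body_sha1)
        if version:
            found.append((name, version))
    return found


# Constructed inputs for this example (the header mimics the real jQuery 1.6.2 banner).
JQUERY_HEADER = "/*!\n * jQuery JavaScript Library v1.6.2\n * http://jquery.com/\n */\n"
DOJO_SNIPPET = ';dojo.version={major:1,minor:10,patch:1,flag:"",'

if __name__ == "__main__":
    print(detect(REPO, uri="/1.6.2/jquery.js"))                      # [('jquery', '1.6.2')]
    print(detect(REPO, filename="/trolololol/jquery-1.8.9.min.js"))  # [('jquery', '1.8.9')]
    print(detect(REPO, content=JQUERY_HEADER))                       # [('jquery', '1.6.2')]
    print(detect(REPO, content=DOJO_SNIPPET))                        # [('dojo', '1.10.1')]
```

The hash path matters for a scanner: a minified bundle with its banner removed, or a file renamed to hide its origin, yields nothing from the regex extractors, while an unmodified copy is still caught by its SHA-1. Conversely the customized jquery-ui sample in the test resources shows the limit of hashing: a single changed byte defeats it, which is why the regex extractors remain the primary signal.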
-------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/repo/VulnerabilitiesRepositorySearchByUriTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.repo; 2 | 3 | import com.esotericsoftware.minlog.Log; 4 | import org.testng.annotations.BeforeClass; 5 | import org.testng.annotations.Test; 6 | 7 | import java.io.IOException; 8 | import java.util.List; 9 | 10 | import static com.h3xstream.retirejs.repo.PrettyDisplay.displayResults; 11 | import org.json.JSONException; 12 | import static org.testng.Assert.assertEquals; 13 | 14 | /** 15 | * Tests the URI extractors of VulnerabilitiesRepository 16 | */ 17 | public class VulnerabilitiesRepositorySearchByUriTest { 18 | 19 | VulnerabilitiesRepository repo; 20 | 21 | @BeforeClass 22 | public void setUp() throws IOException, JSONException { 23 | Log.DEBUG(); 24 | 25 | VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = true; 26 | String filePathTestRepo = getClass().getResource("/retirejs_repository_test.json").toExternalForm(); 27 | repo = new VulnerabilitiesRepositoryLoader().load(filePathTestRepo); 28 | } 29 | 30 | @Test 31 | public void findJqueryByUri() throws IOException { 32 | 33 | List<JsLibraryResult> res = repo.findByUri("/1.6.2/jquery.js"); 34 | displayResults(res); 35 | assertEquals(res.size(), 2, "Jquery not found (/1.6.2/jquery.js)"); 36 | 37 | res = repo.findByUri("/1.6.3/jquery.js"); 38 | displayResults(res); 39 | assertEquals(res.size(), 1, "Jquery not found (/1.6.3/jquery.js)"); 40 | 41 | res = repo.findByUri("/1.8.9/jquery.min.js"); 42 | displayResults(res); 43 | assertEquals(res.size(), 1, "Jquery not found (/1.8.9/jquery.min.js)"); 44 | } 45 | 46 | @Test 47 | public void findEmberByUri() throws IOException { 48 | 49 | List<JsLibraryResult> res = repo.findByUri("/v1.3.0-1/ember.js"); 50 | displayResults(res); 51 | assertEquals(res.size(), 2, "Ember not found (/v1.3.0-1/ember.js)"); 52 | 53 | 
res = repo.findByUri("/1.0.0-rc.5/ember.min.js"); 54 | displayResults(res); 55 | assertEquals(res.size() , 2, "Ember not found (/1.0.0-rc.5/ember.min.js)"); 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/util/CompareVersionUtilTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.util; 2 | 3 | import org.testng.annotations.Test; 4 | 5 | import static org.testng.Assert.assertFalse; 6 | import static org.testng.Assert.assertTrue; 7 | 8 | public class CompareVersionUtilTest { 9 | 10 | //Tests for isUnder method 11 | 12 | @Test 13 | public void basicPatternsUnder() { 14 | 15 | assertIsUnder("1.0.1","1.0.2"); 16 | assertIsUnder("1.0.1","2.0.1"); 17 | assertIsNotUnder("1.3.2", "1.2.5"); 18 | assertIsNotUnder("5.0.1","5.0.1"); //Same 19 | } 20 | 21 | @Test 22 | public void wildPatternsUnder() { 23 | assertIsUnder("1.2.0","1.2.1-*"); 24 | assertIsUnder("1.2.0-2","1.2.1-*"); 25 | assertIsNotUnder("1.2.0-1","1.2.0-*"); 26 | assertIsNotUnder("1.2.0-0", "1.1.9-*"); 27 | assertIsNotUnder("1.2.0-0", "1.1.0-*"); 28 | assertIsNotUnder("1.2.0", "1.1.0-*"); 29 | assertIsNotUnder("1.2.0", "1.2.0-*"); //Under is exclusive (== is not under) 30 | } 31 | 32 | @Test 33 | public void variousPatternsUnder() { 34 | 35 | assertIsUnder("1.3.0-beta.2","1.3.0-beta.3"); 36 | assertIsNotUnder("1.3.0-alpha.1", "1.2.9-alpha.2"); 37 | assertIsNotUnder("1.3.0-alpha.1", "1.3.0-alpha.1"); 38 | assertIsUnder("1.3.0-alpha.1", "1.3.0-alpha.2"); 39 | assertIsNotUnder("1.3.0-alpha.1", "1.3.0-alpha.1"); //Same 40 | } 41 | 42 | //Tests for atOrAbove method 43 | 44 | @Test 45 | public void basicPatternsAtOrAbove() { 46 | 47 | assertAtOrAbove("1.0.2","1.0.1"); 48 | assertAtOrAbove("2.0.1","1.0.1"); 49 | assertNotAtOrAbove("1.2.5","1.3.2"); 50 | assertNotAtOrAbove("1.2.5","2.3.2"); 51 | assertAtOrAbove("7.3.5", "7.3.5"); 52 | } 53 | 54 | 
@Test 55 | public void wildPatternsAtOrAbove() { 56 | assertAtOrAbove("1.2.1","1.2.0-*"); 57 | assertAtOrAbove("1.2.1-2","1.2.0-*"); 58 | assertAtOrAbove("1.2.0-1","1.2.0-*"); 59 | assertNotAtOrAbove("1.1.9-9","1.2.0-*"); 60 | assertNotAtOrAbove("1.1.0-0","1.2.0-*"); 61 | assertNotAtOrAbove("1.1.0","1.2.0-*"); 62 | assertAtOrAbove("1.2.0","1.2.0-*"); //atOrAbove is inclusive (== is at or above) 63 | } 64 | 65 | @Test 66 | public void variousPatternsAtOrAbove() { 67 | 68 | assertNotAtOrAbove("1.3.0-beta.2","1.3.0-beta.3"); 69 | assertAtOrAbove("1.3.0-alpha.1", "1.2.9-alpha.2"); 70 | assertAtOrAbove("1.3.0-alpha.1", "1.3.0-alpha.1"); 71 | assertNotAtOrAbove("1.3.0-alpha.1", "1.3.0-alpha.2"); 72 | assertAtOrAbove("1.3.0-alpha.1", "1.3.0-alpha.1"); //Same 73 | } 74 | 75 | //Utility methods to produce readable messages when a test fails 76 | 77 | private void assertIsUnder(String version1,String version2){ 78 | CompareVersionUtil v = new CompareVersionUtil(); 79 | assertTrue(v.isUnder(version1,version2),String.format("Version '%s' should be under '%s'",version1,version2)); 80 | } 81 | 82 | private void assertIsNotUnder(String version1,String version2){ 83 | CompareVersionUtil v = new CompareVersionUtil(); 84 | assertFalse(v.isUnder(version1,version2),String.format("Version '%s' should not be under '%s'",version1,version2)); 85 | } 86 | 87 | private void assertAtOrAbove(String version1,String version2){ 88 | CompareVersionUtil v = new CompareVersionUtil(); 89 | assertTrue(v.atOrAbove(version1,version2),String.format("Version '%s' should be at or above '%s'",version1,version2)); 90 | } 91 | 92 | private void assertNotAtOrAbove(String version1,String version2){ 93 | CompareVersionUtil v = new CompareVersionUtil(); 94 | assertFalse(v.atOrAbove(version1,version2),String.format("Version '%s' should not be at or above '%s'",version1,version2)); 95 | } 96 | } 97 | -------------------------------------------------------------------------------- 
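The CompareVersionUtilTest cases above pin down an ordering but the CompareVersionUtil implementation itself is not on the page. The following is an added Python example, not the project's code, that reimplements the ordering those cases require and then applies it to the atOrAbove/below ranges of the repository's vulnerability entries, reproducing the counts the search tests expect (2 hits for jQuery 1.6.2, 1 for 1.6.3 and 1.8.9, 2 for Ember 1.3.0-1 and 1.0.0-rc.5). The rules are an assumption taken from the retire.js convention: split on "." and "-", compare digit runs as integers and anything else as strings, treat a missing segment as 0, and when one side is a number and the other a string let the number rank higher. That last rule is what turns "1.2.0-*" into the floor of the 1.2.0 line: "*" is a string, so "1.2.0", "1.2.0-1" and "1.2.0-beta" are all at or above it, while "1.3.0-beta.2" stays below "1.3.0" and "1.9.0b1" below "1.9.0". It also keeps "1.10.0" above "1.9.2", which a plain string comparison would get wrong. The vulnerability entries are copied from retirejs_repository_test.json and trimmed to their range fields and identifiers.

```python
import re

_SEGMENT = re.compile(r"[.\-]")


def _comparable(segment):
    """Digit runs become integers, anything else stays a string; a missing segment is 0."""
    if segment is None:
        return 0
    return int(segment) if re.fullmatch(r"[0-9]+", segment) else segment


def at_or_above(version, floor):
    """Inclusive: True when version >= floor.

    Walks both versions segment by segment. When one side is a number and the other a
    string the number wins, which is what makes the "-*" wildcard a floor for its line:
    "1.2.0" and "1.2.0-1" are both at or above "1.2.0-*", and "1.3.0-beta.2" is not at
    or above "1.3.0" (its 4th segment is the string "beta", the floor's is the number 0).
    """
    v, f = _SEGMENT.split(version), _SEGMENT.split(floor)
    for i in range(max(len(v), len(f))):
        a = _comparable(v[i] if i < len(v) else None)
        b = _comparable(f[i] if i < len(f) else None)
        if isinstance(a, int) != isinstance(b, int):
            return isinstance(a, int)
        if a != b:
            return a > b
    return True


def is_under(version, ceiling):
    """Exclusive: a version is never under itself, so a "below" bound is the fixed release."""
    return not at_or_above(version, ceiling)


def matching_vulnerabilities(version, entries):
    """Keep the retire.js vulnerability objects whose [atOrAbove, below) range holds version."""
    hits = []
    for vuln in entries:
        floor = vuln.get("atOrAbove")
        if floor is not None and not at_or_above(version, floor):
            continue
        if not is_under(version, vuln["below"]):
            continue
        hits.append(vuln)
    return hits


def identifiers_for(version, entries):
    """The identifier blocks a scanner would report for this version, in repository order."""
    return [v.get("identifiers", {}) for v in matching_vulnerabilities(version, entries)]


# Entries copied from retirejs_repository_test.json, trimmed to range and identifiers.
JQUERY = [
    {"below": "1.6.3", "identifiers": {"CVE": "CVE-2011-4969"}},
    {"below": "1.9.0b1", "identifiers": {"bug": "11290"}},
]
JQUERY_UI_DIALOG = [
    {"atOrAbove": "1.8.9", "below": "1.10.0", "identifiers": {"bug": "6016"}},
]
EMBER = [
    {"atOrAbove": "1.3.0-*", "below": "1.3.2", "identifiers": {"CVE": "CVE-2014-0046"}},
    {"atOrAbove": "1.2.0-*", "below": "1.2.2", "identifiers": {"CVE": "CVE-2014-0046"}},
    {"atOrAbove": "1.4.0-*", "below": "1.4.0-beta.2", "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}},
    {"atOrAbove": "1.3.0-*", "below": "1.3.1", "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}},
    {"atOrAbove": "1.0.0-*", "below": "1.0.1", "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}},
    {"atOrAbove": "1.0.0-rc.5", "below": "1.0.0-rc.5.1", "identifiers": {"CVE": "CVE-2013-4170"}},
    {"atOrAbove": "1.0.0-rc.6", "below": "1.0.0-rc.6.1", "identifiers": {"CVE": "CVE-2013-4170"}},
    {"below": "0.9.7.1"},
]

if __name__ == "__main__":
    print(identifiers_for("1.6.2", JQUERY))            # both jQuery entries
    print(identifiers_for("1.9.2", JQUERY_UI_DIALOG))  # numeric compare: 1.9.2 < 1.10.0
    print(identifiers_for("1.0.0-rc.5", EMBER))        # the 1.0.0-* entry and the rc.5 entry
```

Two consequences worth knowing when reading a report: a "below" bound names the first fixed release, so being exactly on it is clean, and a pre-release such as "1.3.0-beta.2" is reported against the 1.3.0-* entries rather than the 1.3.0 ones, which is why the Ember data expresses its floors with the wildcard.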
/retirejs-core/src/test/java/com/h3xstream/retirejs/util/RegexUtilReplaceVersionTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.util; 2 | 3 | import static org.testng.Assert.assertEquals; 4 | 5 | import org.testng.annotations.Test; 6 | 7 | public class RegexUtilReplaceVersionTest { 8 | 9 | @Test 10 | public void shouldReplaceVersionString() { 11 | String source = "§§version§§"; 12 | 13 | String escaped = RegexUtil.replaceVersion(source); 14 | 15 | assertEquals(escaped, "[0-9][0-9.a-z_\\\\\\\\-]+"); 16 | } 17 | 18 | @Test 19 | public void shouldReplaceNewlines() { 20 | String source = "/\\*!?[\n *]"; 21 | 22 | String escaped = RegexUtil.replaceVersion(source); 23 | 24 | assertEquals(escaped, "/\\*!?[\\n *]"); 25 | } 26 | 27 | @Test 28 | public void shouldReplaceCurlyBracesPairs() { 29 | String source = "a=t.Backbone={}}"; 30 | 31 | String escaped = RegexUtil.replaceVersion(source); 32 | 33 | assertEquals(escaped, "a=t.Backbone=\\{\\}}"); 34 | } 35 | 36 | @Test 37 | public void shouldReplaceSquareBracesPairs() { 38 | String source = ";u.settings=[]"; 39 | 40 | String escaped = RegexUtil.replaceVersion(source); 41 | 42 | assertEquals(escaped, ";u.settings=\\[\\]"); 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/util/RegexUtilTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.util; 2 | 3 | import org.apache.commons.io.IOUtils; 4 | import org.testng.annotations.Test; 5 | 6 | import java.io.ByteArrayOutputStream; 7 | import java.io.IOException; 8 | import java.nio.ByteBuffer; 9 | import java.util.regex.Pattern; 10 | 11 | import static org.testng.Assert.assertEquals; 12 | import static org.testng.Assert.assertNull; 13 | import static org.testng.Assert.fail; 14 | 15 | public class RegexUtilTest { 16 | @Test 17 | 
public void testSimpleRegex() { 18 | Pattern pattern1 = Pattern.compile("simplelib_([\\d]\\.[\\d]\\.[\\d]).js"); 19 | 20 | String valueExtract = RegexUtil.simpleMatch(pattern1, "simplelib_1.2.3.js"); 21 | 22 | assertEquals(valueExtract,"1.2.3"); 23 | } 24 | 25 | @Test 26 | public void testUnexpectedRegex() { 27 | //Regex with missing group 28 | Pattern pattern1 = Pattern.compile("simplelib_[\\d]\\.[\\d]\\.[\\d].js"); 29 | 30 | try { 31 | RegexUtil.simpleMatch(pattern1, "simplelib_1.2.3.js"); 32 | fail("The regex passed is invalid: a capturing group must be specified."); 33 | } 34 | catch(IllegalArgumentException e) { 35 | System.out.println("As expected"); 36 | } 37 | } 38 | 39 | @Test 40 | public void testReplaceMatchFound() { 41 | //Ref: http://ajax.googleapis.com/ajax/libs/dojo/1.10.1/dojo/dojo.js 42 | String dojoContent = ";dojo.version={major:1,minor:10,patch:1,flag:\"\","; 43 | String dojoRegex = "/dojo.version=\\{major:([0-9]+),minor:([0-9]+),patch:([0-9]+)/$1.$2.$3/"; 44 | 45 | String extractedVersion = RegexUtil.replaceMatch(dojoRegex,dojoContent); 46 | System.out.println(extractedVersion); 47 | 48 | assertEquals(extractedVersion, "1.10.1"); 49 | } 50 | 51 | @Test 52 | public void testReplaceMatchNotFound() { 53 | String dojoContent = ";dojo.version={major:1,m1N0r:10,patch:1,flag:\"\""; 54 | String dojoRegex = "/dojo.version=\\{major:([0-9]+),minor:([0-9]+),patch:([0-9]+)/$1.$2.$3/"; 55 | 56 | String extractedVersion = RegexUtil.replaceMatch(dojoRegex,dojoContent); 57 | 58 | assertNull(extractedVersion); 59 | } 60 | 61 | /** 62 | * This test makes sure bug #54 is fixed. 
63 | */ 64 | @Test 65 | public void testRegexStackOverflow() throws IOException { 66 | Pattern p = Pattern.compile("/\\*!?[\\n *]+jQuery UI ([0-9][0-9.a-z_\\\\\\\\-]+)(.*\\n)*.*\\.ui\\.dialog"); 67 | ByteArrayOutputStream out = new ByteArrayOutputStream(); 68 | IOUtils.copy(this.getClass().getResourceAsStream("/js/jquery-ui-1.6rc6-customized.js"),out); 69 | assertNull(RegexUtil.simpleMatch(p,new String(out.toByteArray(),"UTF-8"))); 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /retirejs-core/src/test/java/com/h3xstream/retirejs/vuln/TemplateBuilderTest.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs.vuln; 2 | 3 | import org.testng.annotations.Test; 4 | 5 | import java.io.IOException; 6 | import java.io.InputStream; 7 | import java.util.Arrays; 8 | import java.util.List; 9 | 10 | import static org.testng.Assert.assertFalse; 11 | import static org.testng.Assert.assertTrue; 12 | 13 | public class TemplateBuilderTest { 14 | 15 | 16 | @Test 17 | public void testTemplateFile() throws IOException { 18 | List<String> urls = Arrays.asList("http://blog.h3xstream.com","https://csrf.me/"); 19 | String result=TemplateBuilder.buildDescription("/basic_template.txt","yolo.js","1.3.3.7",urls,"1.0.0.0","1.3.3.8"); 20 | System.out.println(result); 21 | 22 | assertTrue(result.contains("yolo.js"), "Missing library name"); 23 | assertTrue(result.contains("1.3.3.7"), "Missing library version"); 24 | assertTrue(result.contains("1.0.0.0"), "Missing library version 'atOrAbove'"); 25 | assertTrue(result.contains("1.3.3.8"), "Missing library version 'below'"); 26 | assertTrue(result.contains("h3xstream.com"), "Missing link #1"); 27 | assertTrue(result.contains("csrf.me"), "Missing link #2"); 28 | } 29 | 30 | @Test 31 | public void testTemplateNotFound() throws IOException { 32 | List<String> urls = Arrays.asList("http://blog.h3xstream.com","https://csrf.me/"); 33 | String 
result=TemplateBuilder.buildDescription("/ouuuuuuups/basic_template.txt","yolo.js","1.3.3.7",urls,"1.0.0.0","1.3.3.8"); 34 | System.out.println(result); 35 | 36 | assertTrue(result.contains("error"),"An error message was expected."); 37 | assertFalse(result.contains("yolo.js"),"The template should not have been generated."); 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /retirejs-core/src/test/resources/basic_template.txt: -------------------------------------------------------------------------------- 1 | THIS IS A DUMMY TEMPLATE USED FOR TESTS ONLY 2 | 3 | The library {{detectedLibrary}} version {{detectedVersion}} has known security issues. 4 | 5 | {{#links}} 6 | - {{.}} 7 | {{/links}} 8 | 9 | The vulnerability is affecting all versions prior {{belowVersion}} (between {{aboveVersion}} and {{belowVersion}}) -------------------------------------------------------------------------------- /retirejs-core/src/test/resources/retirejs_repository_test.json: -------------------------------------------------------------------------------- 1 | { 2 | "retire-example": { 3 | "vulnerabilities" : [ 4 | { "below" : "0.0.2", "info" : [ "http://github.com/eoftedal/retire.js/" ] } 5 | ], 6 | "extractors" : { 7 | "func" : [ "retire.VERSION" ], 8 | "filename" : [ "retire-example-(§§version§§)(.min)?\\.js" ], 9 | "filecontent" : [ "/\\*!? 
Retire-example v(§§version§§)" ], 10 | "hashes" : { "07f8b94c8d601a24a1914a1a92bec0e4fafda964" : "0.0.1" } 11 | } 12 | }, 13 | 14 | "jquery": { 15 | "vulnerabilities" : [ 16 | { 17 | "below" : "1.6.3", 18 | "severity": "medium", 19 | "identifiers": { "CVE": "CVE-2011-4969" }, 20 | "info" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969" , "http://research.insecurelabs.org/jquery/test/" ] 21 | }, 22 | { 23 | "below" : "1.9.0b1", 24 | "identifiers": { 25 | "bug": "11290", 26 | "summary": "Selector interpreted as HTML" 27 | }, 28 | "severity": "medium", 29 | "info" : [ "http://bugs.jquery.com/ticket/11290" , "http://research.insecurelabs.org/jquery/test/" ]} 30 | ], 31 | "extractors" : { 32 | "func" : [ "jQuery.fn.jquery" ], 33 | "uri" : [ "/(§§version§§)/jquery(\\.min)?\\.js" ], 34 | "filename" : [ "jquery-(§§version§§)(\\.min)?\\.js" ], 35 | "filecontent" : [ 36 | "/\\*!? jQuery v(§§version§§)", "\\* jQuery JavaScript Library v(§§version§§)", 37 | "\\* jQuery (§§version§§) - New Wave Javascript", "// \\$Id: jquery.js,v (§§version§§)", 38 | "/\\*! jQuery v(§§version§§)", "[^a-z]f=\"(§§version§§)\",.*[^a-z]jquery:f,", 39 | "[^a-z]jquery:[ ]?\"(§§version§§)\"" 40 | ], 41 | "hashes" : {} 42 | } 43 | }, 44 | "jquery-migrate" : { 45 | "vulnerabilities" : [ 46 | { 47 | "below" : "1.2.0", 48 | "severity": "medium", 49 | "identifiers": { 50 | "release": "jQuery Migrate 1.2.0 Released", 51 | "summary": "cross-site-scripting" 52 | }, 53 | "info" : [ "http://blog.jquery.com/2013/05/01/jquery-migrate-1-2-0-released/" ] 54 | }, 55 | { 56 | "below" : "1.2.2", 57 | "severity": "medium", 58 | "identifiers": { 59 | "bug": "11290", 60 | "summary": "Selector interpreted as HTML" 61 | }, 62 | "info" : [ "http://bugs.jquery.com/ticket/11290" , "http://research.insecurelabs.org/jquery/test/" ] 63 | } 64 | ], 65 | "extractors" : { 66 | "filename" : [ "jquery-migrate-(§§version§§)(.min)?\\.js" ], 67 | "filecontent" : [ "/\\*!?(?:\n \\*)? jQuery Migrate(?: -)? 
v(§§version§§)" ], 68 | "hashes" : {} 69 | } 70 | }, 71 | "jquery-mobile" : { 72 | "vulnerabilities" : [ 73 | { 74 | "below" : "1.0RC2", 75 | "severity": "high", 76 | "identifiers": {"osvdb": ["94563", "93562", "94316", "94561", "94560"]}, 77 | "info" : [ "http://osvdb.org/show/osvdb/94563", "http://osvdb.org/show/osvdb/94562", "http://osvdb.org/show/osvdb/94316", "http://osvdb.org/show/osvdb/94561", "http://osvdb.org/show/osvdb/94560" ] 78 | }, 79 | { 80 | "below" : "1.0.1", 81 | "severity": "high", 82 | "identifiers": {"osvdb": "94317"}, 83 | "info": [ "http://osvdb.org/show/osvdb/94317" ] 84 | }, 85 | { 86 | "below" : "1.1.2", 87 | "severity": "medium", 88 | "identifiers": { 89 | "issue": "4787", 90 | "release": "http://jquerymobile.com/changelog/1.1.2/", 91 | "summary": "location.href cross-site scripting" 92 | }, 93 | "info": [ "http://jquerymobile.com/changelog/1.1.2/", "https://github.com/jquery/jquery-mobile/issues/4787" ] 94 | }, 95 | { 96 | "below" : "1.2.0", 97 | "severity": "medium", 98 | "identifiers": { 99 | "issue": "4787", 100 | "release": "http://jquerymobile.com/changelog/1.2.0/", 101 | "summary": "location.href cross-site scripting" 102 | }, 103 | "info": [ "http://jquerymobile.com/changelog/1.2.0/", "https://github.com/jquery/jquery-mobile/issues/4787" ] 104 | } 105 | ], 106 | "extractors" : { 107 | "func" : [ "jQuery.mobile.version" ], 108 | "filename" : [ "jquery.mobile-(§§version§§)(.min)?\\.js" ], 109 | "uri" : [ "/(§§version§§)/jquery.mobile(\\.min)?\\.js" ], 110 | "filecontent" : [ "/\\*!?(?:\n \\*)? jQuery Mobile(?: -)? 
v(§§version§§)" ], 111 | "hashes" : {} 112 | } 113 | }, 114 | "jquery-ui-dialog" : { 115 | "vulnerabilities" : [ 116 | { 117 | "atOrAbove": "1.8.9", 118 | "below" : "1.10.0", 119 | "severity": "medium", 120 | "identifiers": { 121 | "bug": "6016", 122 | "summary": "Title cross-site scripting vulnerability" 123 | }, 124 | "info" : [ "http://bugs.jqueryui.com/ticket/6016" ] 125 | } 126 | ], 127 | "extractors" : { 128 | "func" : [ "jQuery.ui.dialog.version" ], 129 | "filecontent" : [ 130 | "/\\*!? jQuery UI - v(§§version§§)(.*\n){1,3}.*jquery\\.ui\\.dialog\\.js", 131 | "/\\*!?[\n *]+jQuery UI (§§version§§)(.*\n)*.*\\.ui\\.dialog", 132 | "/\\*!?[\n *]+jQuery UI Dialog (§§version§§)" 133 | ], 134 | "hashes" : {} 135 | } 136 | }, 137 | "jquery-ui-autocomplete" : { 138 | "vulnerabilities" : [ ], 139 | "extractors" : { 140 | "func" : [ "jQuery.ui.autocomplete.version" ], 141 | "filecontent" : [ 142 | "/\\*!? jQuery UI - v(§§version§§)(.*\n){1,3}.*jquery\\.ui\\.autocomplete\\.js", 143 | "/\\*!?[\n *]+jQuery UI (§§version§§)(.*\n)*.*\\.ui\\.autocomplete", 144 | "/\\*!?[\n *]+jQuery UI Autocomplete (§§version§§)" 145 | ], 146 | "hashes" : {} 147 | } 148 | }, 149 | "jquery-ui-tooltip" : { 150 | "vulnerabilities" : [ 151 | { 152 | "atOrAbove": "1.9.2", 153 | "below" : "1.10.0", 154 | "severity": "high", 155 | "identifiers": { 156 | "bug": "8859", 157 | "summary": "Autocomplete cross-site scripting vulnerability" 158 | }, 159 | "info" : [ "http://bugs.jqueryui.com/ticket/8859" ] 160 | } 161 | ], 162 | "extractors" : { 163 | "func" : [ "jQuery.ui.tooltip.version" ], 164 | "filecontent" : [ 165 | "/\\*!? 
jQuery UI - v(§§version§§)(.*\n){1,3}.*jquery\\.ui\\.tooltip\\.js", 166 | "/\\*!?[\n *]+jQuery UI (§§version§§)(.*\n)*.*\\.ui\\.tooltip", 167 | "/\\*!?[\n *]+jQuery UI Tooltip (§§version§§)" 168 | ], 169 | "hashes" : {} 170 | } 171 | }, 172 | "jquery.prettyPhoto" : { 173 | "vulnerabilities" : [ 174 | { 175 | "below" : "3.1.5", 176 | "severity": "high", 177 | "identifiers": {"CVE": "CVE-2013-6837"}, 178 | "info" : [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6837&cid=3" ] 179 | } 180 | ], 181 | "extractors" : { 182 | "func" : [ "jQuery.prettyPhoto.version" ], 183 | "filecontent" : [ 184 | "/\\*(?:.*[\n\r]+){1,3}.*Class: prettyPhoto(?:.*[\n\r]+){1,3}.*Version: (§§version§§)", 185 | "\\.prettyPhoto[ ]?=[ ]?\\{version:[ ]?(?:'|\")(§§version§§)(?:'|\")\\}" 186 | ], 187 | "hashes" : {} 188 | } 189 | }, 190 | "jPlayer" : { 191 | "vulnerabilities" : [ 192 | { 193 | "below" : "2.4.0", 194 | "severity": "high", 195 | "identifiers": {"CVE": "CVE-2013-2023"}, 196 | "info" : [ "http://jplayer.org/latest/release-notes/", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2023" ] 197 | }, 198 | { 199 | "below" : "2.3.0", 200 | "severity": "high", 201 | "identifiers": {"CVE": ["CVE-2013-1942", "CVE-2013-2022"]}, 202 | "info" : [ "http://jplayer.org/latest/release-notes/", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1942", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2022" ] 203 | }, 204 | { 205 | "below" : "2.2.0", 206 | "severity": "high", 207 | "identifiers": { 208 | "release": "2.2.0", 209 | "summary": "Flash SWF vulnerability" 210 | }, 211 | "info" : [ "http://jplayer.org/latest/release-notes/" ] 212 | } 213 | ], 214 | "extractors" : { 215 | "func" : [ "new jQuery.jPlayer().version.script" ], 216 | "filecontent" : [ 217 | "/\\*(?:.*[\n\r]+){1,3}.*jPlayer Plugin for jQuery(?:.*[\n\r]+){1,10}.*Version: (§§version§§)" 218 | ], 219 | "hashes" : {} 220 | } 221 | }, 222 | "sessvars": { 223 | "vulnerabilities" : [ 224 | { 225 | "below" 
: "1.01", 226 | "severity": "low", 227 | "identifiers": {"summary": "Unsanitized data passed to eval()"}, 228 | "info" : [ "http://www.thomasfrank.se/sessionvars.html" ] 229 | } 230 | ], 231 | "extractors" : { 232 | "filename" : [ "sessvars-(§§version§§)(.min)?\\.js"], 233 | "filecontent" : [ "sessvars ver (§§version§§)"], 234 | "hashes" : {} 235 | } 236 | }, 237 | "YUI" : { 238 | "vulnerabilities" : [ 239 | { 240 | "atOrAbove" : "3.5.0" , 241 | "below" : "3.9.2", 242 | "severity": "high", 243 | "identifiers": {"CVE": "CVE-2013-4942"}, 244 | "info" : [ "http://www.cvedetails.com/cve/CVE-2013-4942/" ] 245 | }, 246 | { 247 | "atOrAbove" : "3.2.0" , 248 | "below" : "3.9.2", 249 | "severity": "high", 250 | "identifiers": {"CVE": "CVE-2013-4941"}, 251 | "info" : [ "http://www.cvedetails.com/cve/CVE-2013-4941/" ] 252 | }, 253 | { 254 | "below" : "3.10.3", 255 | "severity": "high", 256 | "identifiers": {"CVE": "CVE-2013-4940"}, 257 | "info" : [ "http://www.cvedetails.com/cve/CVE-2013-4940/" ] 258 | }, 259 | { 260 | "atOrAbove" : "3.0.0" , 261 | "below" : "3.9.2", 262 | "severity": "high", 263 | "identifiers": {"CVE": "CVE-2013-4939"}, 264 | "info" : [ "http://www.cvedetails.com/cve/CVE-2013-4939/" ] 265 | }, 266 | { 267 | "atOrAbove" : "2.8.0" , 268 | "below" : "2.9.1", 269 | "severity": "high", 270 | "identifiers": {"CVE": "CVE-2012-5883"}, 271 | "info" : [ "http://www.cvedetails.com/cve/CVE-2012-5883/" ] 272 | }, 273 | { 274 | "atOrAbove" : "2.5.0" , 275 | "below" : "2.9.1", 276 | "severity": "high", 277 | "identifiers": {"CVE": "CVE-2012-5882"}, 278 | "info" : [ "http://www.cvedetails.com/cve/CVE-2012-5882/" ] 279 | }, 280 | { 281 | "atOrAbove" : "2.4.0" , 282 | "below" : "2.9.1", 283 | "severity": "high", 284 | "identifiers": {"CVE": "CVE-2012-5881"}, 285 | "info" : [ "http://www.cvedetails.com/cve/CVE-2012-5881/" ] 286 | }, 287 | { 288 | "below" : "2.9.0", 289 | "severity": "medium", 290 | "identifiers": {"CVE": "CVE-2010-4710"}, 291 | "info" : [ 
"http://www.cvedetails.com/cve/CVE-2010-4710/" ] 292 | }, 293 | { 294 | "atOrAbove" : "2.8.0" , 295 | "below" : "2.8.2", 296 | "severity": "high", 297 | "identifiers": {"CVE": "CVE-2010-4209"}, 298 | "info" : [ "http://www.cvedetails.com/cve/CVE-2010-4209/" ] 299 | }, 300 | { 301 | "atOrAbove" : "2.5.0" , 302 | "below" : "2.8.2", 303 | "severity": "high", 304 | "identifiers": {"CVE": "CVE-2010-4208"}, 305 | "info" : [ "http://www.cvedetails.com/cve/CVE-2010-4208/" ] 306 | }, 307 | { 308 | "atOrAbove" : "2.4.0" , 309 | "below" : "2.8.2", 310 | "severity": "high", 311 | "identifiers": {"CVE": "CVE-2010-4207"}, 312 | "info" : [ "http://www.cvedetails.com/cve/CVE-2010-4207/" ] 313 | } 314 | ], 315 | "extractors" : { 316 | "func" : [ "YUI.Version" ], 317 | "filename" : [ "yui-(§§version§§)(.min)?\\.js"], 318 | "filecontent" : [ "YUI (§§version§§)", "/yui/license.(?:html|txt)\nversion: (§§version§§)"], 319 | "hashes" : {} 320 | } 321 | }, 322 | "prototypejs" : { 323 | "vulnerabilities" : [ 324 | { 325 | "atOrAbove" : "1.6.0", 326 | "below" : "1.6.0.2", 327 | "severity": "high", 328 | "identifiers": {"CVE": "CVE-2008-7220"}, 329 | "info" : [ "http://www.cvedetails.com/cve/CVE-2008-7220/" ] }, 330 | { 331 | "below" : "1.5.1.2", 332 | "severity": "high", 333 | "identifiers": {"CVE": "CVE-2008-7220"}, 334 | "info" : [ "http://www.cvedetails.com/cve/CVE-2008-7220/" ] } 335 | ], 336 | "extractors" : { 337 | "func" : [ "Prototype.Version" ], 338 | "uri" : [ "/(§§version§§)/prototype(\\.min)?\\.js" ], 339 | "filename" : [ "prototype-(§§version§§)(.min)?\\.js" ], 340 | "filecontent" : [ "Prototype JavaScript framework, version (§§version§§)", 341 | "Prototype[ ]?=[ ]?\\{[ \r\n\t]*Version:[ ]?(?:'|\")(§§version§§)(?:'|\")" ], 342 | "hashes" : {} 343 | } 344 | }, 345 | "ember" : { 346 | "vulnerabilities" : [ 347 | { 348 | "atOrAbove" : "1.3.0-*", 349 | "below" : "1.3.2", 350 | "severity": "medium", 351 | "identifiers": {"CVE": "CVE-2014-0046"}, 352 | "info" : [ 
"https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ" ] 353 | }, 354 | { 355 | "atOrAbove" : "1.2.0-*", 356 | "below" : "1.2.2", 357 | "severity": "medium", 358 | "identifiers": {"CVE": "CVE-2014-0046"}, 359 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ" ] }, 360 | { 361 | "atOrAbove" : "1.4.0-*", 362 | "below" : "1.4.0-beta.2", 363 | "severity": "high", 364 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, 365 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] 366 | }, 367 | { 368 | "atOrAbove" : "1.3.0-*", 369 | "below" : "1.3.1", 370 | "severity": "high", 371 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, 372 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] 373 | }, 374 | { 375 | "atOrAbove" : "1.2.0-*", 376 | "below" : "1.2.1", 377 | "severity": "high", 378 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, 379 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] 380 | }, 381 | { 382 | "atOrAbove" : "1.1.0-*", 383 | "below" : "1.1.3", 384 | "severity": "high", 385 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, 386 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] 387 | }, 388 | { 389 | "atOrAbove" : "1.0.0-*", 390 | "below" : "1.0.1", 391 | "severity": "high", 392 | "identifiers": {"CVE": ["CVE-2014-0013", "CVE-2014-0014"]}, 393 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4", "https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4" ] 394 | }, 395 | { 396 | "atOrAbove" : "1.0.0-rc.1", 397 | "below" : 
"1.0.0-rc.1.1", 398 | "severity": "medium", 399 | "identifiers": {"CVE": "CVE-2013-4170"}, 400 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] 401 | }, 402 | { 403 | "atOrAbove" : "1.0.0-rc.2", 404 | "below" : "1.0.0-rc.2.1", 405 | "severity": "medium", 406 | "identifiers": {"CVE": "CVE-2013-4170"}, 407 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] 408 | }, 409 | { 410 | "atOrAbove" : "1.0.0-rc.3", 411 | "below" : "1.0.0-rc.3.1", 412 | "severity": "medium", 413 | "identifiers": {"CVE": "CVE-2013-4170"}, 414 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] 415 | }, 416 | { 417 | "atOrAbove" : "1.0.0-rc.4", 418 | "below" : "1.0.0-rc.4.1", 419 | "severity": "medium", 420 | "identifiers": {"CVE": "CVE-2013-4170"}, 421 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] 422 | }, 423 | { 424 | "atOrAbove" : "1.0.0-rc.5", 425 | "below" : "1.0.0-rc.5.1", 426 | "severity": "medium", 427 | "identifiers": {"CVE": "CVE-2013-4170"}, 428 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] 429 | }, 430 | { 431 | "atOrAbove" : "1.0.0-rc.6", 432 | "below" : "1.0.0-rc.6.1", 433 | "severity": "medium", 434 | "identifiers": {"CVE": "CVE-2013-4170"}, 435 | "info" : [ "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM" ] 436 | }, 437 | { 438 | "below" : "0.9.7.1", 439 | "info" : [ "https://github.com/emberjs/ember.js/blob/master/CHANGELOG" ] 440 | }, 441 | { 442 | "below" : "0.9.7", 443 | "severity": "high", 444 | "identifiers": { 445 | "bug": "699", 446 | "summary": "Bound attributes aren't escaped properly" 447 | }, 448 | "info" : [ "https://github.com/emberjs/ember.js/issues/699" ] 449 | } 450 | ], 451 | "extractors" : { 452 | "func" : [ "Ember.VERSION" ], 453 | "uri" : [ "/(?:v)?(§§version§§)/ember(\\.min)?\\.js" ], 454 | "filename" : [ "ember-(§§version§§)(\\.min)?\\.js" ], 455 | "filecontent" : 
[ 456 | "Project: Ember -(?:.*\n){9,11}// Version: v(§§version§§)", 457 | "// Version: v(§§version§§)(.*\n){10,15}(Ember Debug|@module ember|@class ember)", 458 | "Ember.VERSION[ ]?=[ ]?(?:'|\")(§§version§§)(?:'|\")" 459 | ], 460 | "hashes" : {} 461 | } 462 | }, 463 | "dojo" : { 464 | "vulnerabilities" : [ 465 | { 466 | "atOrAbove" : "0.4", 467 | "below" : "0.4.4", 468 | "severity": "high", 469 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2272"]}, 470 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2272/" ] 471 | }, 472 | { 473 | "atOrAbove" : "1.0", 474 | "below" : "1.0.3", 475 | "severity": "high", 476 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, 477 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ] 478 | }, 479 | { 480 | "atOrAbove" : "1.1", 481 | "below" : "1.1.2", 482 | "severity": "high", 483 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, 484 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ] 485 | }, 486 | { 487 | "atOrAbove" : "1.2", 488 | "below" : "1.2.4", 489 | "severity": "high", 490 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, 491 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ] 492 | }, 493 | { 494 | "atOrAbove" : "1.3", 495 | "below" : "1.3.3", 496 | "severity": "high", 497 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, 498 | 
"info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ] 499 | }, 500 | { 501 | "atOrAbove" : "1.4", 502 | "below" : "1.4.2", 503 | "severity": "high", 504 | "identifiers": {"CVE": ["CVE-2010-2276", "CVE-2010-2274", "CVE-2010-2273"]}, 505 | "info" : [ "http://dojotoolkit.org/blog/dojo-security-advisory", "http://www.cvedetails.com/cve/CVE-2010-2276/", "http://www.cvedetails.com/cve/CVE-2010-2274/", "http://www.cvedetails.com/cve/CVE-2010-2273/" ] 506 | }, 507 | { 508 | "below" : "1.4.2", 509 | "severity": "medium", 510 | "identifiers": {"CVE": "CVE-2010-2275"}, 511 | "info" : [ "http://www.cvedetails.com/cve/CVE-2010-2275/"] 512 | }, 513 | { 514 | "below" : "1.1", 515 | "severity": "medium", 516 | "identifiers": {"CVE": "CVE-2008-6681"}, 517 | "info" : [ "http://www.cvedetails.com/cve/CVE-2008-6681/"] 518 | } 519 | 520 | 521 | ], 522 | "extractors" : { 523 | "func" : [ "dojo.version.toString()" ], 524 | "uri" : [ "/(?:dojo-)?(§§version§§)/dojo(\\.min)?\\.js" ], 525 | "filename" : [ "dojo-(§§version§§)(\\.min)?\\.js" ], 526 | "filecontentreplace" : [ "/dojo.version=\\{major:([0-9]+),minor:([0-9]+),patch:([0-9]+)/$1.$2.$3/"], 527 | "hashes" : { 528 | "73cdd262799aab850abbe694cd3bfb709ea23627" : "1.4.1", 529 | "c8c84eddc732c3cbf370764836a7712f3f873326" : "1.4.0", 530 | "d569ce9efb7edaedaec8ca9491aab0c656f7c8f0" : "1.0.0", 531 | "ad44e1770895b7fa84aff5a56a0f99b855a83769" : "1.3.2", 532 | "8fc10142a06966a8709cd9b8732f7b6db88d0c34" : "1.3.1", 533 | "a09b5851a0a3e9d81353745a4663741238ee1b84" : "1.3.0", 534 | "2ab48d45abe2f54cdda6ca32193b5ceb2b1bc25d" : "1.2.3", 535 | "12208a1e649402e362f528f6aae2c614fc697f8f" : "1.2.0", 536 | "72a6a9fbef9fa5a73cd47e49942199147f905206" : "1.1.1" 537 | } 538 | 539 | } 540 | }, 541 | "angularjs" : { 542 | "vulnerabilities" : [ 543 | { 544 | "below" : "1.2.0", 545 | "severity": "high", 546 | 
"identifiers": { 547 | "summary": [ 548 | "execution of arbitrary javascript", 549 | "sandboxing fails", 550 | "possible cross-site scripting vulnerabilities" 551 | ] 552 | }, 553 | "info" : [ "https://code.google.com/p/mustache-security/wiki/AngularJS" ] 554 | }, 555 | { 556 | "below" : "1.2.19", 557 | "severity": "medium", 558 | "identifiers": { 559 | "release": "1.3.0-beta.14", 560 | "summary": "execution of arbitrary javascript" 561 | }, 562 | "info" : [ "https://github.com/angular/angular.js/blob/b3b5015cb7919708ce179dc3d6f0d7d7f43ef621/CHANGELOG.md" ] 563 | }, 564 | { 565 | "below" : "1.2.24", 566 | "severity": "medium", 567 | "identifiers": { 568 | "commit": "b39e1d47b9a1b39a9fe34c847a81f589fba522f8", 569 | "summary": "execution of arbitrary javascript" 570 | }, 571 | "info" : [ "http://avlidienbrunn.se/angular.txt", "https://github.com/angular/angular.js/commit/b39e1d47b9a1b39a9fe34c847a81f589fba522f8"] 572 | }, 573 | { 574 | "atOrAbove" : "1.3.0-beta.1", 575 | "below" : "1.3.0-beta.14", 576 | "severity": "medium", 577 | "identifiers": { 578 | "commit": "b39e1d47b9a1b39a9fe34c847a81f589fba522f8", 579 | "summary": "execution of arbitrary javascript" 580 | }, 581 | "info" : [ "https://github.com/angular/angular.js/blob/b3b5015cb7919708ce179dc3d6f0d7d7f43ef621/CHANGELOG.md" ] 582 | }, 583 | { 584 | "atOrAbove" : "1.3.0-beta.1", 585 | "below" : "1.3.0-rc.1", 586 | "severity": "medium", 587 | "identifiers": { 588 | "commit": "b39e1d47b9a1b39a9fe34c847a81f589fba522f8", 589 | "summary": "execution of arbitrary javascript" 590 | }, 591 | "info" : [ "http://avlidienbrunn.se/angular.txt", "https://github.com/angular/angular.js/commit/b39e1d47b9a1b39a9fe34c847a81f589fba522f8"] 592 | } 593 | 594 | ], 595 | "extractors" : { 596 | "func" : [ "angular.version.full" ], 597 | "uri" : [ "/(§§version§§)/angular(\\.min)?\\.js" ], 598 | "filename" : [ "angular(?:js)?-(§§version§§)(.min)?\\.js" ], 599 | "filecontent" : [ "/\\*[ \n]+AngularJS v(§§version§§)" ], 600 | "hashes" : 
{} 601 | } 602 | }, 603 | "backbone.js" : { 604 | "vulnerabilities" : [ 605 | { 606 | "below" : "0.5.0", 607 | "severity": "medium", 608 | "identifiers": { 609 | "release": "0.5.0", 610 | "summary": "cross-site scripting vulnerability" 611 | }, 612 | "info" : [ "http://backbonejs.org/#changelog" ] 613 | } 614 | ], 615 | "extractors" : { 616 | "func" : [ "Backbone.VERSION" ], 617 | "uri" : [ "/(§§version§§)/backbone(\\.min)?\\.js" ], 618 | "filename" : [ "backbone(?:js)?-(§§version§§)(.min)?\\.js" ], 619 | "filecontent" : [ "//[ ]+Backbone.js (§§version§§)", "a=t.Backbone={}}a.VERSION=\"(§§version§§)\"" ], 620 | "hashes" : {} 621 | } 622 | }, 623 | "mustache.js" : { 624 | "vulnerabilities" : [ 625 | { 626 | "below" : "0.3.1", 627 | "severity": "high", 628 | "identifiers": { 629 | "bug": "112", 630 | "summary": "execution of arbitrary javascript" 631 | }, 632 | "info" : [ "https://github.com/janl/mustache.js/issues/112" ] } ], 633 | "extractors" : { 634 | "func" : [ "Mustache.version" ], 635 | "uri" : [ "/(§§version§§)/mustache(\\.min)?\\.js" ], 636 | "filename" : [ "mustache(?:js)?-(§§version§§)(.min)?\\.js" ], 637 | "filecontent" : [ "name:\"mustache.js\",version:\"(§§version§§)\"", 638 | "[^a-z]mustache.version[ ]?=[ ]?(?:'|\")(§§version§§)(?:'|\")", 639 | "exports.name[ ]?=[ ]?\"mustache.js\";[\n ]*exports.version[ ]?=[ ]?(?:'|\")(§§version§§)(?:'|\");" 640 | ], 641 | "hashes" : {} 642 | } 643 | }, 644 | "handlebars.js" : { 645 | "vulnerabilities" : [ 646 | { 647 | "below" : "1.0.0.beta.3", 648 | "severity": "medium", 649 | "identifiers": { 650 | "summary": "poorly sanitized input passed to eval()" 651 | }, 652 | "info" : [ "https://github.com/wycats/handlebars.js/pull/68" ] } ], 653 | "extractors" : { 654 | "func" : [ "Handlebars.VERSION" ], 655 | "uri" : [ "/(§§version§§)/handlebars(\\.min)?\\.js" ], 656 | "filename" : [ "handlebars(?:js)?-(§§version§§)(.min)?\\.js" ], 657 | "filecontent" : [ "Handlebars.VERSION = \"(§§version§§)\";", 
"Handlebars=\\{VERSION:(?:'|\")(§§version§§)(?:'|\")", 658 | "this.Handlebars=\\{\\};[\n\r \t]+\\(function\\([a-z]\\)\\{[a-z].VERSION=(?:'|\")(§§version§§)(?:'|\")" 659 | ], 660 | "hashes" : {} 661 | } 662 | }, 663 | "easyXDM" : { 664 | "vulnerabilities" : [ 665 | { 666 | "below" : "2.4.18", 667 | "severity": "high", 668 | "identifiers": {"CVE": "CVE-2013-5212"}, 669 | "info" : [ "http://blog.kotowicz.net/2013/09/exploiting-easyxdm-part-1-not-usual.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5212" ] 670 | }, 671 | { 672 | "below" : "2.4.19", 673 | "severity": "high", 674 | "identifiers": {"CVE": "CVE-2014-1403"}, 675 | "info" : [ "http://blog.kotowicz.net/2014/01/xssing-with-shakespeare-name-calling.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1403" ] 676 | } 677 | ], 678 | "extractors" : { 679 | "uri" : [ "/(easyXDM-)?(§§version§§)/easyXDM(\\.min)?\\.js" ], 680 | "filename" : [ "easyXDM-(§§version§§)(.min)?\\.js" ], 681 | "filecontent" : [ " \\* easyXDM\n \\* http://easyxdm.net/(?:\r|\n|.)+version:\"(§§version§§)\"", 682 | "@class easyXDM(?:.|\r|\n)+@version (§§version§§)(\r|\n)" ], 683 | "hashes" : { "cf266e3bc2da372c4f0d6b2bd87bcbaa24d5a643" : "2.4.6"} 684 | } 685 | }, 686 | 687 | "plupload" : { 688 | "vulnerabilities" : [ 689 | { 690 | "below" : "1.5.4", 691 | "severity": "high", 692 | "identifiers": {"CVE": "CVE-2012-2401"}, 693 | "info" : [ "http://www.cvedetails.com/cve/CVE-2012-2401/" ] 694 | }, 695 | { 696 | "below" : "1.5.5", 697 | "severity": "high", 698 | "identifiers": {"CVE": "CVE-2013-0237"}, 699 | "info" : [ "http://www.cvedetails.com/cve/CVE-2013-0237/" ] 700 | } 701 | ], 702 | "extractors" : { 703 | "func" : [ "plupload.VERSION" ], 704 | "uri" : [ "/(§§version§§)/plupload(\\.min)?\\.js" ], 705 | "filename" : [ "plupload-(§§version§§)(.min)?\\.js" ], 706 | "filecontent" : [ "\\* Plupload - multi-runtime File Uploader(\r|\n)+ \\* v§§version§§", 707 | "var g=\\{VERSION:\"§§version§§\",.*;window.plupload=g\\}" 708 
| ], 709 | "hashes" : {} 710 | } 711 | }, 712 | 713 | "DOMPurify" : { 714 | "vulnerabilities" : [ 715 | { 716 | "below" : "0.6.1", 717 | "severity": "medium", 718 | "identifiers": { }, 719 | "info" : [ "https://github.com/cure53/DOMPurify/releases/tag/0.6.1" ] 720 | } 721 | ], 722 | "extractors" : { 723 | "func" : [ "DOMPurify.version" ], 724 | "filecontent" : [ "DOMPurify.version = '§§version§§';" ], 725 | "hashes" : {} 726 | } 727 | }, 728 | 729 | "jquery.datatables" : { 730 | "vulnerabilities" : [ 731 | { 732 | "below" : "1.10.10", 733 | "identifiers" : { 734 | "summary" : "possible XSS" 735 | }, 736 | "info" : [ "https://github.com/DataTables/DataTables/commit/6f67df2d21f9858ec40a6e9565c3a653cdb691a6" ] 737 | }, 738 | { 739 | "below" : "1.10.8", 740 | "identifiers" : { 741 | "CVE" : [ "CVE-2015-6584" ], 742 | "summary" : "XSS" 743 | }, 744 | "info" : [ "https://github.com/DataTables/DataTablesSrc/commit/ccf86dc5982bd8e16d", "https://www.invicti.com/web-applications-advisories/cve-2015-6384-xss-vulnerability-identified-in-datatables/" ] 745 | } 746 | 747 | ], 748 | "extractors" : { 749 | "uri": [ "/(§§version§§)/(js/)?jquery.dataTables.min.js" ], 750 | "filename" : [ "jquery.dataTables-(§§version§§)(\\.min)?\\.js" ], 751 | "filecontent" : [ "http://www.datatables.net\n +DataTables (§§version§§)", "u.version=\"(§§version§§)\";u.settings=[];u.models={};u.models.oSearch" ], 752 | "func" : [ "DataTable && DataTable.version" ] 753 | } 754 | }, 755 | 756 | "sample-with-bad-regex": { 757 | "vulnerabilities" : [ 758 | { "below" : "0.0.BAD", "info" : [ "https://github.com/h3xstream/burp-retire-js/issues/73" ] } 759 | ], 760 | "extractors" : { 761 | "filecontent" : [ "?[[[ Intentionally wrong regex that should be logged andignored" ], 762 | "hashes" : {} 763 | } 764 | }, 765 | 766 | 767 | 768 | "dont check" : { 769 | "extractors" : { 770 | "uri" : [ 771 | "^http[s]?://(ssl|www).google-analytics.com/ga.js", 772 | "^http[s]?://apis.google.com/js/plusone.js", 773 | 
"^http[s]?://cdn.cxense.com/cx.js" 774 | ] 775 | } 776 | } 777 | } -------------------------------------------------------------------------------- /retirejs-maven-plugin/pom.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | 7 | 8 | 9 | com.h3xstream.retirejs 10 | retirejs-root-pom 11 | 3.0.3 12 | 13 | 14 | 4.0.0 15 | 16 | com.h3xstream.retirejs 17 | retirejs-maven-plugin 18 | maven-plugin 19 | 20 | Retire.js Maven Verifier 21 | 22 | 23 | 24 | UTF-8 25 | UTF-8 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | org.apache.maven.plugins 34 | maven-plugin-plugin 35 | 3.5.2 36 | 37 | true 38 | 39 | 40 | 41 | mojo-descriptor 42 | 43 | descriptor 44 | 45 | 46 | 47 | help-goal 48 | 49 | helpmojo 50 | 51 | 52 | 53 | 54 | 55 | 56 | org.apache.maven.plugins 57 | maven-javadoc-plugin 58 | 59 | 60 | 61 | goal 62 | a 63 | Goal: 64 | 65 | 66 | parameter 67 | a 68 | Parameter: 69 | 70 | 71 | required 72 | a 73 | Required: 74 | 75 | 76 | readonly 77 | a 78 | Read Only: 79 | 80 | 81 | component 82 | a 83 | Component: 84 | 85 | 86 | phase 87 | a 88 | Phase: 89 | 90 | 91 | threadSafe 92 | a 93 | Thread Safe: 94 | 95 | 96 | requiresDependencyResolution 97 | a 98 | Requires Dependency Resolution: 99 | 100 | 101 | requiresProject 102 | a 103 | Requires Project: 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | com.h3xstream.retirejs 116 | retirejs-core 117 | 118 | 119 | 120 | 121 | commons-io 122 | commons-io 123 | 124 | 125 | 126 | 127 | org.apache.maven 128 | maven-plugin-api 129 | 130 | 131 | 132 | org.apache.maven 133 | maven-core 134 | 135 | 136 | 137 | 138 | 139 | -------------------------------------------------------------------------------- /retirejs-maven-plugin/src/main/java/com/h3xstream/retirejs/MavenDownloader.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs; 2 | 3 | import com.h3xstream.retirejs.repo.dl.Downloader; 4 | import 
org.apache.commons.io.IOUtils; 5 | import org.apache.maven.artifact.manager.WagonConfigurationException; 6 | import org.apache.maven.artifact.manager.WagonManager; 7 | import org.apache.maven.plugin.logging.Log; 8 | import org.apache.maven.wagon.ConnectionException; 9 | import org.apache.maven.wagon.UnsupportedProtocolException; 10 | import org.apache.maven.wagon.Wagon; 11 | import org.apache.maven.wagon.authentication.AuthenticationException; 12 | import org.apache.maven.wagon.repository.Repository; 13 | 14 | import java.io.*; 15 | import java.net.MalformedURLException; 16 | import java.net.URL; 17 | 18 | /** 19 | * Wagon is the API Maven uses to download an artifact or a file from a Maven repository. 20 | * 21 | * When a resource such as "/com/test-company/artifact/1.3.3.7/pom.xml" is fetched, Wagon prefixes it with the repository URL. 22 | * 23 | * This API is used because it honours the Maven proxy configuration. 24 | */ 25 | public class MavenDownloader implements Downloader { 26 | 27 | private final Log log; 28 | private final WagonManager wagonManager; 29 | 30 | 31 | public MavenDownloader(final Log log, final WagonManager wagonManager) throws WagonConfigurationException, UnsupportedProtocolException, ConnectionException, AuthenticationException { 32 | this.log = log; 33 | this.wagonManager = wagonManager; 34 | } 35 | 36 | @Override 37 | public void downloadUrlToFile(String url, File file) throws Exception { 38 | if (url == null || url.length() == 0) { 39 | throw new IllegalArgumentException("url is null or empty"); 40 | } 41 | 42 | URL u = new URL(url); 43 | 44 | if(u.getProtocol().equals("http") || u.getProtocol().equals("https")) { 45 | log.debug("Downloading from the web : "+url); 46 | String prefixUrl = u.getProtocol()+"://"+u.getHost()+(u.getPort() == -1 ? "" : ":"+u.getPort())+"/"; /* keep an explicit port, otherwise the startsWith() check below never matches */ 47 | Repository repo = new Repository(prefixUrl, prefixUrl); 48 | 49 | Wagon w = wagonManager.getWagon(repo); 50 | 51 | w.connect(repo, wagonManager.getProxy(repo.getProtocol())); 52 | if(url.startsWith(prefixUrl)) { 53 | url = 
url.substring(prefixUrl.length()); /* strip only the leading prefix; replace() would also rewrite any later occurrence */ 54 | } 55 | w.get(url, file); 56 | } 57 | else if(u.getProtocol().equals("file")) { 58 | log.debug("Downloading from the local file : "+url); 59 | 60 | try(InputStream inputStream = u.openStream(); OutputStream outputStream = new FileOutputStream(file)) { 61 | IOUtils.copy(inputStream, outputStream); 62 | } 63 | } 64 | else { 65 | throw new IllegalArgumentException("Protocol " + u.getProtocol() + " is not supported."); 66 | } 67 | } 68 | 69 | } 70 | -------------------------------------------------------------------------------- /retirejs-maven-plugin/src/main/java/com/h3xstream/retirejs/RetireJsScan.java: -------------------------------------------------------------------------------- 1 | package com.h3xstream.retirejs; 2 | 3 | import com.esotericsoftware.minlog.Log; 4 | import com.h3xstream.retirejs.repo.JsLibrary; 5 | import com.h3xstream.retirejs.repo.JsLibraryResult; 6 | import com.h3xstream.retirejs.repo.ScannerFacade; 7 | import com.h3xstream.retirejs.repo.VulnerabilitiesRepository; 8 | import com.h3xstream.retirejs.repo.VulnerabilitiesRepositoryLoader; 9 | import org.apache.commons.io.IOUtils; 10 | import org.apache.maven.artifact.manager.WagonConfigurationException; 11 | import org.apache.maven.artifact.manager.WagonManager; 12 | import org.apache.maven.model.Resource; 13 | import org.apache.maven.plugin.AbstractMojo; 14 | import org.apache.maven.plugin.MojoExecutionException; 15 | import org.apache.maven.plugin.MojoFailureException; 16 | import org.apache.maven.project.MavenProject; 17 | import org.apache.maven.wagon.ConnectionException; 18 | import org.apache.maven.wagon.UnsupportedProtocolException; 19 | import org.apache.maven.wagon.authentication.AuthenticationException; 20 | 21 | import java.io.File; 22 | import java.io.FileInputStream; 23 | import java.io.IOException; 24 | import java.util.ArrayList; 25 | import java.util.HashSet; 26 | import java.util.List; 27 | import java.util.Set; 28 | 29 | /** 30 | *
<p> 31 | * Scan the JavaScript files of the selected project to identify vulnerable JavaScript libraries. 32 | * </p> 33 | * <p> 34 | * The original Retire.js project is open-source and maintained by Erlend Oftedal (Bekk Consulting). 35 | * For more information about the project visit: http://bekk.github.io/retire.js/. 36 | * </p>
37 | * 38 | * @goal scan 39 | */ 40 | public class RetireJsScan extends AbstractMojo { 41 | 42 | /** 43 | * This flag will make the build fail if at least one library is found vulnerable. 44 | * It is useful for automated verification on a build server such as Jenkins. 45 | * @parameter property="retireJsBreakOnFailure" default-value="false" 46 | */ 47 | protected boolean breakOnFailure; 48 | 49 | /** 50 | * This parameter overrides the default public repository URL with the one specified (an http, https or file URL, see MavenDownloader). 51 | * @parameter property="retireJsRepoUrl" 52 | */ 53 | protected String repoUrl; 54 | 55 | /** 56 | * The Maven Project. (Inject component) 57 | * 58 | * @parameter property="project" 59 | * @required 60 | * @readonly 61 | * @since 1.0-alpha-1 62 | */ 63 | protected MavenProject project; 64 | 65 | /** 66 | * @component 67 | * @since 1.0-alpha-3 68 | */ 69 | protected WagonManager wagonManager; 70 | 71 | /** 72 | * Directory containing web resources files (by default src/main/webapp) 73 | * 74 | * @parameter property="retireWebAppDir" default-value="${basedir}/src/main/webapp" 75 | * @required 76 | */ 77 | protected File webAppDirectory; 78 | 79 | private VulnerabilitiesRepository repo; 80 | 81 | 82 | private void initMiniLog() { 83 | Log.setLogger(new Log.Logger() { 84 | @Override 85 | public void log(int level, String category, String message, Throwable ex) { 86 | switch(level) { 87 | case 1: //TRACE 88 | case 2: //DEBUG 89 | case 3: //INFO 90 | getLog().debug(message); 91 | break; 92 | case 4: //WARN 93 | getLog().warn(message); 94 | break; 95 | case 5: //ERROR 96 | getLog().error(message,ex); 97 | } 98 | } 99 | }); 100 | Log.DEBUG(); 101 | } 102 | 103 | @Override 104 | public void execute() throws MojoExecutionException, MojoFailureException { 105 | initMiniLog(); 106 | 107 | List<JsLibraryResult> completeResults = new ArrayList<JsLibraryResult>(); 108 | 109 | if (repoUrl == null || repoUrl.length() == 0) { 110 | getLog().debug("Using default URL: "+VulnerabilitiesRepositoryLoader.REPO_URL); 
111 | repoUrl = VulnerabilitiesRepositoryLoader.REPO_URL; 112 | } 113 | 114 | try { 115 | repo = new VulnerabilitiesRepositoryLoader().load(repoUrl,new MavenDownloader(getLog(),wagonManager)); 116 | } catch (Exception e) { 117 | throw new MojoExecutionException("Unable to load the vulnerability repository from " + repoUrl, e); 118 | } 119 | 120 | try { 121 | //Scanning resources 122 | Set<Resource> allResources = new HashSet<Resource>(); 123 | allResources.addAll(project.getResources()); 124 | allResources.addAll(project.getTestResources()); 125 | 126 | for(Resource res : allResources) { 127 | if(res.getDirectory() == null) continue; 128 | File sourceDir = new File(res.getDirectory()); 129 | if(sourceDir.exists()) { 130 | getLog().debug("Scanning directory: "+sourceDir.toString()); 131 | scanDirectory(sourceDir, completeResults); 132 | } 133 | } 134 | 135 | //WebApp directory 136 | if (webAppDirectory == null) { 137 | getLog().debug("Not scanning webAppDirectory since it's null."); 138 | } else if (!webAppDirectory.exists()) { 139 | getLog().debug("Not scanning webAppDirectory (" 140 | + webAppDirectory.getAbsolutePath() 141 | + ") since it doesn't exist."); 142 | } else { 143 | getLog().info("Scanning directory: " + webAppDirectory.toString()); 144 | scanDirectory(webAppDirectory, completeResults); 145 | } 146 | 147 | //Source code 148 | 149 | Set<String> allSources = new HashSet<String>(); 150 | allSources.addAll(project.getCompileSourceRoots()); 151 | allSources.addAll(project.getTestCompileSourceRoots()); 152 | allSources.addAll(project.getScriptSourceRoots()); 153 | 154 | for(String path : allSources) { 155 | File sourceDir = new File(path); 156 | if(sourceDir.exists()) { 157 | getLog().debug("Scanning directory: "+sourceDir.toString()); 158 | scanDirectory(sourceDir, completeResults); 159 | } 160 | } 161 | } 162 | catch (Exception e) { 163 | throw new MojoExecutionException("Unable to scan the JavaScript files", e); 164 | } 165 | 166 | if(breakOnFailure && completeResults.size()>0) { 167 | throw new MojoFailureException(String.format("%d known %s identified in the JavaScript libraries.", 168 | completeResults.size(), 169 | completeResults.size()>1 ? "vulnerabilities were" : "vulnerability was")); 170 | } 171 | } 172 | 173 | 174 | protected void scanDirectory(File directory, List<JsLibraryResult> results) throws IOException { 175 | File[] children = directory.listFiles(); 176 | if(children == null) { /* listFiles() returns null for an unreadable directory instead of throwing */ 177 | getLog().warn("Unable to list directory: " + directory); 178 | return; 179 | } 180 | for(File child : children) { 181 | if(child.isDirectory()) { 182 | scanDirectory(child,results); 183 | } 184 | else { 185 | if(isJavaScriptFile(child)) { 186 | scanJavaScriptFile(child,results); 187 | } 188 | } 189 | } 190 | } 191 | 192 | protected boolean isJavaScriptFile(File child) { 193 | return child.getName().endsWith(".js"); 194 | } 195 | 196 | protected void scanJavaScriptFile(File javascriptFile, List<JsLibraryResult> completeResults) throws IOException { 197 | getLog().debug("Scanning " + javascriptFile.getCanonicalFile()); 198 | 199 | /* Read the file; try-with-resources closes the stream even when the read fails */ 200 | byte[] fileContent; 201 | try (FileInputStream in = new FileInputStream(javascriptFile)) { 202 | fileContent = IOUtils.toByteArray(in); 203 | } 204 | 205 | ScannerFacade scanner = new ScannerFacade(repo); 206 | List<JsLibraryResult> results = scanner.scanScript(javascriptFile.getAbsolutePath(),fileContent,0); 207 | completeResults.addAll(results); 208 | 209 | //Display the results 210 | if(results.size()>0) { 211 | getLog().warn(javascriptFile.getName() + " contains a vulnerable JavaScript library."); 212 | getLog().info("Path: " + javascriptFile.getCanonicalPath()); 213 | for (JsLibraryResult libraryResult : results) { 214 | JsLibrary lib = libraryResult.getLibrary(); 215 | getLog().info(lib.getName() + " version " + libraryResult.getDetectedVersion() + " is vulnerable."); 216 | for (String url : libraryResult.getVuln().getInfo()) { 217 | getLog().info("+ " + url); 218 | } 219 | } 220 | } 221 | 222 | } 223 | } 224 | -------------------------------------------------------------------------------- /retirejs-zap-plugin/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | com.h3xstream.retirejs 8 | retirejs-root-pom 9 | 3.0.3 10 | 11 | 12 | 4.0.0 13 | 14 | com.h3xstream.retirejs 15 | retirejs-zap-plugin 16 | 17 | 
RetireJS (Zed Attack Proxy Plugin) 18 | 19 | jar 20 | 21 | 22 | 3.0.3 23 | alpha 24 | 25 | 26 | 27 | 28 | 29 | src/main/resources 30 | 31 | 32 | src/main/resources-filtered 33 | true 34 | 35 | 36 | 37 | 38 | 39 | 40 | bigjar 41 | 42 | true 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | maven-assembly-plugin 51 | 52 | 53 | jar-with-dependencies 54 | package 55 | 56 | single 57 | 58 | 59 | 60 | jar-with-dependencies 61 | 62 | retirejs-${zap.addon.status}-${zap.addon.version} 63 | false 64 | 65 | false 66 | 67 | 68 | 69 | 70 | 71 | 72 | com.coderplus.maven.plugins 73 | copy-rename-maven-plugin 74 | 1.0 75 | 76 | 77 | copy-file 78 | package 79 | 80 | copy 81 | 82 | 83 | ${project.build.directory}\retirejs-${zap.addon.status}-${zap.addon.version}.jar 84 | ${project.build.directory}\retirejs-${zap.addon.status}-${zap.addon.version}.zap 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | com.h3xstream.retirejs 102 | retirejs-core 103 | 104 | 105 | 106 | 107 | 108 | commons-httpclient 109 | commons-httpclient 110 | provided 111 | 112 | 113 | commons-configuration 114 | commons-configuration 115 | provided 116 | 117 | 118 | 119 | org.zaproxy 120 | zap 121 | provided 122 | 123 | 124 | 125 | net.htmlparser.jericho 126 | jericho-html 127 | provided 128 | 129 | 130 | 131 | org.apache.logging.log4j 132 | log4j-core 133 | provided 134 | 135 | 136 | 137 | 138 | -------------------------------------------------------------------------------- /retirejs-zap-plugin/src/main/java/org/zaproxy/zap/extension/retirejs/RetireJsScannerPlugin.java: -------------------------------------------------------------------------------- 1 | package org.zaproxy.zap.extension.retirejs; 2 | 3 | import com.esotericsoftware.minlog.Log; 4 | import com.h3xstream.retirejs.repo.JsLibraryResult; 5 | import com.h3xstream.retirejs.repo.ScannerFacade; 6 | import net.htmlparser.jericho.Source; 7 | import org.apache.commons.httpclient.URI; 8 | import 
org.apache.commons.httpclient.URIException; 9 | import org.apache.log4j.Logger; 10 | import org.parosproxy.paros.core.scanner.Alert; 11 | import org.parosproxy.paros.network.HttpMessage; 12 | import org.parosproxy.paros.network.HttpResponseHeader; 13 | import org.zaproxy.zap.extension.pscan.PassiveScanThread; 14 | import org.zaproxy.zap.extension.pscan.PluginPassiveScanner; 15 | 16 | import java.io.IOException; 17 | import java.util.List; 18 | import org.json.JSONException; 19 | 20 | public class RetireJsScannerPlugin extends PluginPassiveScanner { 21 | 22 | private PassiveScanThread parent = null; 23 | 24 | private static final int PLUGIN_ID = 0x1337BEEF; 25 | 26 | private Logger logger = Logger.getLogger(RetireJsScannerPlugin.class); 27 | 28 | public RetireJsScannerPlugin() { 29 | Log.setLogger(new Log.Logger() { 30 | @Override 31 | public void log(int level, String category, String message, Throwable ex) { 32 | if(ex != null) { 33 | logger.error(message,ex); 34 | } 35 | else { 36 | if (logger.isDebugEnabled()) { 37 | logger.debug(message); 38 | } 39 | } 40 | } 41 | }); 42 | Log.DEBUG(); 43 | } 44 | 45 | 46 | @Override 47 | public void scanHttpRequestSend(HttpMessage httpMessage, int id) { 48 | 49 | } 50 | 51 | @Override 52 | public void scanHttpResponseReceive(HttpMessage httpMessage, int refId, Source source) { 53 | HttpResponseHeader h = httpMessage.getResponseHeader(); 54 | URI uri = httpMessage.getRequestHeader().getURI(); 55 | 56 | try { 57 | String pathQuery = uri.getPathQuery(); 58 | String path = uri.getPath() == null ? "" : uri.getPath(); /* extension checks must ignore the query string, e.g. /jquery.js?v=1.6.2 */ 59 | if(h.isJavaScript() || path.endsWith(".js")) { 60 | scanJavaScriptFile(pathQuery, refId, httpMessage); 61 | } 62 | if(h.isHtml() || path.endsWith(".htm") /* Some additional conditions in case the content-type is bogus */ 63 | || path.endsWith(".html") 64 | || path.endsWith(".aspx") 65 | || path.endsWith(".asp") 66 | || path.endsWith(".php") 67 | || path.endsWith(".jsp")) { 68 | scanHtmlFile(pathQuery, refId, httpMessage); 69 | } 70 | } 
catch (URIException e) { 71 | logger.error("Unable to scan the script '"+uri.toString()+"': "+e.getMessage(),e); 72 | } catch (IOException | JSONException e) { 73 | logger.error("Unable to scan the script '"+uri.toString()+"': "+e.getMessage(),e); 74 | } 75 | } 76 | 77 | private void scanJavaScriptFile(String scriptName,int refId,HttpMessage httpMessage) throws IOException, JSONException { 78 | List<JsLibraryResult> librariesVuln = ScannerFacade.getInstance().scanScript(scriptName, httpMessage.getResponseBody().getBytes(), 0); 79 | for(JsLibraryResult libVuln : librariesVuln) { 80 | Alert newAlert = ZapIssueCreator.convertBugToAlert(PLUGIN_ID, libVuln, httpMessage); 81 | this.parent.raiseAlert(refId, newAlert); 82 | } 83 | } 84 | private void scanHtmlFile(String scriptName,int refId,HttpMessage httpMessage) throws IOException, JSONException { 85 | List<JsLibraryResult> librariesVuln = ScannerFacade.getInstance().scanHtml(httpMessage.getResponseBody().getBytes(), 0); 86 | for(JsLibraryResult libVuln : librariesVuln) { 87 | Alert newAlert = ZapIssueCreator.convertBugToAlert(PLUGIN_ID, libVuln, httpMessage); 88 | this.parent.raiseAlert(refId, newAlert); 89 | } 90 | } 91 | 92 | @Override 93 | public void setParent(PassiveScanThread thread) { 94 | this.parent = thread; 95 | } 96 | 97 | @Override 98 | public String getName() { 99 | return "Retire.js"; 100 | } 101 | 102 | @Override 103 | public int getPluginId() { 104 | return PLUGIN_ID; 105 | } 106 | } 107 | -------------------------------------------------------------------------------- /retirejs-zap-plugin/src/main/java/org/zaproxy/zap/extension/retirejs/ZapIssueCreator.java: -------------------------------------------------------------------------------- 1 | package org.zaproxy.zap.extension.retirejs; 2 | 3 | import com.h3xstream.retirejs.repo.JsLibraryResult; 4 | import com.h3xstream.retirejs.vuln.TemplateBuilder; 5 | 6 | import org.parosproxy.paros.core.scanner.Alert; 7 | import org.parosproxy.paros.network.HttpMessage; 8 | 9 | import 
java.util.List; 10 | import java.util.regex.Matcher; 11 | import java.util.regex.Pattern; 12 | 13 | public class ZapIssueCreator { 14 | private static final String TEMPLATE_DESC = "/org/zaproxy/zap/extension/retirejs/description.txt"; 15 | private static final String TEMPLATE_OTHER_INFO = "/org/zaproxy/zap/extension/retirejs/other_info.txt"; 16 | 17 | public static Alert convertBugToAlert(int pluginId, JsLibraryResult lib, HttpMessage message) { 18 | 19 | String title = String.format("Vulnerable Version of the Library '%s' Found", lib.getLibrary().getName()); 20 | 21 | String description = TemplateBuilder.buildDescription(TEMPLATE_DESC, 22 | lib.getLibrary().getName(), // 23 | lib.getDetectedVersion(), // 24 | lib.getVuln().getInfo(), // 25 | lib.getVuln().getAtOrAbove(), // 26 | lib.getVuln().getBelow()); 27 | 28 | String otherInfo = TemplateBuilder.buildDescription(TEMPLATE_OTHER_INFO, 29 | lib.getLibrary().getName(), // 30 | lib.getDetectedVersion(), // 31 | lib.getVuln().getInfo(), // 32 | lib.getVuln().getAtOrAbove(), // 33 | lib.getVuln().getBelow()); 34 | 35 | Alert alert = new Alert(pluginId, mapToZapSeverity(lib.getVuln().getSeverity()), Alert.CONFIDENCE_MEDIUM, title); 36 | alert.setDetail(description, 37 | message.getRequestHeader().getURI().toString(), 38 | "", //Param 39 | "", //Attack 40 | otherInfo, //Other info 41 | "Update the JavaScript library", //Solution 42 | joinStrings(lib.getVuln().getInfo()), //Reference: a single string is expected, so the info URLs are joined one per line 43 | getEvidence(lib, message), //Evidence 44 | -1, //cweId 45 | -1, //wascId 46 | message 47 | ); 48 | return alert; 49 | } 50 | 51 | private static String getEvidence(JsLibraryResult lib, HttpMessage message) { 52 | String evidence = getSpecificEvidence(lib.getRegexResponse(), 53 | message.getResponseBody().toString()); 54 | if (evidence.isEmpty()) { // The match wasn't from the response, try the request URI 55 | evidence = getSpecificEvidence(lib.getRegexRequest(), 56 | message.getRequestHeader().getURI().toString()); 57 | } 58 | return 
evidence; 59 | } 60 | 61 | private static String getSpecificEvidence(String regex, String content) { 62 | String evidence = ""; 63 | regex = regex == null ? "" : regex; 64 | if (!regex.isEmpty()) { 65 | Matcher matcher = Pattern.compile(regex).matcher(content); 66 | if (matcher.find()) { 67 | evidence = matcher.group(0); 68 | } 69 | } 70 | return evidence; 71 | } 72 | 73 | private static int mapToZapSeverity(String severity) { 74 | if (severity == null) { /* repository entries without a "severity" field (e.g. jquery.datatables) must not NPE */ 75 | return Alert.RISK_MEDIUM; 76 | } 77 | String severityLower = severity.toLowerCase(); 78 | if(severityLower.equals("high")) { 79 | return Alert.RISK_HIGH; 80 | } 81 | else if (severityLower.equals("medium")) { 82 | return Alert.RISK_MEDIUM; 83 | } 84 | else if (severityLower.equals("low")) { 85 | return Alert.RISK_LOW; 86 | } 87 | else if (severityLower.equals("info")) { 88 | return Alert.RISK_INFO; 89 | } 90 | 91 | return Alert.RISK_MEDIUM; 92 | } 93 | 94 | private static String joinStrings(List<String> info) { 95 | StringBuilder buffer = new StringBuilder(); 96 | for(String link : info) { 97 | buffer.append(link).append('\n'); 98 | } 99 | return buffer.toString(); 100 | } 101 | 102 | public static String getFileRequested(String path) { 103 | int lastSlash = path.lastIndexOf('/'); 104 | return lastSlash < 0 ? path : path.substring(lastSlash + 1); /* no slash: the whole path is the file name */ 105 | } 106 | } 107 | -------------------------------------------------------------------------------- /retirejs-zap-plugin/src/main/resources-filtered/ZapAddOn.xml: -------------------------------------------------------------------------------- 1 | 2 | Retire.js 3 | ${zap.addon.version} 4 | ${zap.addon.status} 5 | Identify vulnerable JavaScript libraries 6 | Philippe Arteau (h3xStream) 7 | https://github.com/h3xstream/burp-retire-js 8 | 9 | 10 | 11 | 12 | 13 | org.zaproxy.zap.extension.retirejs.RetireJsScannerPlugin 14 | 15 | 16 | 17 | 2.6.0 18 | 19 | 20 | -------------------------------------------------------------------------------- 
/retirejs-zap-plugin/src/main/resources/org/zaproxy/zap/extension/retirejs/Messages.properties: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/h3xstream/burp-retire-js/bd06f7d9f6802b02c693947f67814eb711ac3378/retirejs-zap-plugin/src/main/resources/org/zaproxy/zap/extension/retirejs/Messages.properties -------------------------------------------------------------------------------- /retirejs-zap-plugin/src/main/resources/org/zaproxy/zap/extension/retirejs/description.txt: -------------------------------------------------------------------------------- 1 | The library {{detectedLibrary}} version {{detectedVersion}} has known security issues. 2 | -------------------------------------------------------------------------------- /retirejs-zap-plugin/src/main/resources/org/zaproxy/zap/extension/retirejs/other_info.txt: -------------------------------------------------------------------------------- 1 | The vulnerability affects all versions prior to {{belowVersion}} (from {{aboveVersion}} up to, but not including, {{belowVersion}}) -------------------------------------------------------------------------------- /test-samples/external.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | This is a test page. 12 | 13 | 14 | -------------------------------------------------------------------------------- /test-samples/http_server.py: -------------------------------------------------------------------------------- 1 | # Serves the test samples over HTTP (Python 3: http.server replaces the Python 2 SimpleHTTPServer module). 2 | import http.server 3 | import socketserver 4 | 5 | # SimpleHTTPRequestHandler exposes the whole working directory, so listen on loopback only; 6 | # the script is meant for an intercepting proxy (Burp/ZAP) running on the same host. 7 | Handler = http.server.SimpleHTTPRequestHandler 8 | httpd = socketserver.TCPServer(("127.0.0.1", 8000), Handler) 9 | 10 | print("Server started on http://127.0.0.1:8000") 11 | httpd.serve_forever() 12 | --------------------------------------------------------------------------------
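The vulnerability repository fixture above (per-library `vulnerabilities` with `atOrAbove`/`below` bounds, and `extractors` of kind `uri`, `filename`, `filecontent`, `filecontentreplace`, `hashes` and `func`) is what `ScannerFacade.scanScript()` in RetireJsScan and RetireJsScannerPlugin evaluates. The script below is an added example written for this page, not code from burp-retire-js or from Retire.js. It reimplements the two operations in Python: pull a version out of a file body, file name or request URI, then test it against each range. Assumptions that are not stated on the page: the `§§version§§` placeholder expands to a permissive `[0-9][0-9.a-zA-Z_\-]*` token wrapped in a named group (so a bare placeholder and a parenthesised one both yield the version); numeric parts win over pre-release tags (`1.0.0` is above `1.0.0-rc.2`); extractors are tried in the order hashes, filecontentreplace, filecontent, filename, uri; `func` entries are browser-only and skipped. The pattern strings are copied from the fixture, the sample file bodies are made up.

```python
import hashlib
import logging
import re

# Assumption: the §§version§§ placeholder expands to a permissive version token.
# A named group is used so that a bare placeholder and a parenthesised
# (§§version§§) both expose the version as group "v".
PLACEHOLDER = "§§version§§"
VERSION_RE = r"(?P<v>[0-9][0-9.a-zA-Z_\-]*)"

def expand(regex):
    return regex.replace(PLACEHOLDER, VERSION_RE)

def split_version(v):
    # Numeric parts compare as ints; anything else is a pre-release tag.
    return [int(x) if x.isdigit() else x for x in re.split(r"[.\-_]", v)]

def compare_versions(a, b):
    """-1/0/1; a missing part is 0 ("1.2" == "1.2.0"), a number beats a tag ("1.0.0" > "1.0.0-rc.2")."""
    ta, tb = split_version(a), split_version(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else 0
        y = tb[i] if i < len(tb) else 0
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return 0

def is_vulnerable(version, vuln):
    """atOrAbove is inclusive, below is exclusive; either bound may be absent."""
    if "below" in vuln and compare_versions(version, vuln["below"]) >= 0:
        return False
    if "atOrAbove" in vuln and compare_versions(version, vuln["atOrAbove"]) < 0:
        return False
    return True

def search_extractor(regex, text):
    """re.search with the placeholder expanded; a broken pattern is logged and skipped, never fatal."""
    try:
        return re.search(expand(regex), text)
    except re.error as exc:
        logging.warning("ignoring invalid extractor %r: %s", regex, exc)
        return None

def apply_replace(spec, text):
    """filecontentreplace entries look like /regex/$1.$2.$3/: rebuild the version from the groups."""
    regex, _, repl = spec[1:-1].rpartition("/")
    m = search_extractor(regex, text)
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), repl) if m else None

def detect_version(lib, content=None, uri=None, filename=None):
    """Offline extractors in order: hashes, filecontentreplace, filecontent, filename, uri.
    'func' entries (e.g. Ember.VERSION) need a browser and are skipped."""
    ex = lib["extractors"]
    if content is not None:
        digest = hashlib.sha1(content.encode()).hexdigest()
        if digest in ex.get("hashes", {}):
            return ex["hashes"][digest]
        for spec in ex.get("filecontentreplace", []):
            version = apply_replace(spec, content)
            if version:
                return version
    for key, text in (("filecontent", content), ("filename", filename), ("uri", uri)):
        for regex in ex.get(key, []):
            m = search_extractor(regex, text or "")
            if m and m.groupdict().get("v"):
                return m.group("v")
    return None

def scan(repo, **where):
    """Yield (library, detected version, vulnerability); extractor-only entries ("dont check") are skipped."""
    for name, lib in repo.items():
        if not lib.get("vulnerabilities"):
            continue
        version = detect_version(lib, **where)
        for vuln in lib["vulnerabilities"] if version else []:
            if is_vulnerable(version, vuln):
                yield name, version, vuln

# Constructed sample inputs and a repository cut down from the fixture above
# (pattern strings copied from it; the sample file bodies are made up).
SAMPLE_EMBER = "Ember.VERSION = '1.0.0-rc.2';"
SAMPLE_DOJO = "var dojo=dojo||{};dojo.version={major:1,minor:4,patch:1,flag:''};"
REPO = {
    "ember": {
        "vulnerabilities": [{"atOrAbove": "1.0.0-rc.2", "below": "1.0.0-rc.2.1", "severity": "medium",
                             "identifiers": {"CVE": "CVE-2013-4170"}}],
        "extractors": {"uri": [r"/(?:v)?(§§version§§)/ember(\.min)?\.js"],
                       "filecontent": [r"""Ember.VERSION[ ]?=[ ]?(?:'|")(§§version§§)(?:'|")"""]}},
    "dojo": {
        "vulnerabilities": [{"atOrAbove": "1.4", "below": "1.4.2", "severity": "high"}],
        "extractors": {"filecontentreplace": [r"/dojo.version=\{major:([0-9]+),minor:([0-9]+),patch:([0-9]+)/$1.$2.$3/"],
                       "hashes": {hashlib.sha1(SAMPLE_DOJO.encode()).hexdigest(): "1.4.1"}}},
    "DOMPurify": {"vulnerabilities": [{"below": "0.6.1", "severity": "medium"}],
                  "extractors": {"filecontent": ["DOMPurify.version = '§§version§§';"]}},
    "sample-with-bad-regex": {"vulnerabilities": [{"below": "0.0.BAD"}],
                              "extractors": {"filecontent": ["?[[[ Intentionally wrong regex"]}},
}
```

`list(scan(REPO, content=SAMPLE_EMBER))` reports ember 1.0.0-rc.2 against the `1.0.0-rc.2 <= v < 1.0.0-rc.2.1` range while the bad-regex entry only produces a warning, which is the behaviour the fixture's issue-73 comment asks for; `compare_versions` is what keeps a final `1.0.0` out of that pre-release range. The same `detect_version` call handles a request URI such as `/v1.0.0-rc.2/ember.min.js?cb=42` through the `uri` extractor, the query string being irrelevant because the pattern is searched, not anchored. A pattern that used the placeholder twice would fail to compile under the named-group scheme and be skipped the same way as the bad regex.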