righettod / burp-piper-custom-scripts

Custom scripts for the PIPER Burp extensions.
GNU General Public License v3.0

Feature: Detection of MAP files for SPA main JS bundle #4

Open righettod opened 3 years ago

righettod commented 3 years ago

Describe the feature wanted

Add detection of the map file in the script extract-spa-low-hanging-fruits.py:

//...
//# sourceMappingURL=main.dqfcf86f.chunk.js.map
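An added example of the detection the issue asks for (not the project's own `extract-spa-low-hanging-fruits.py`, whose Piper I/O conventions are not reproduced here): it scans a JS bundle body for `sourceMappingURL` comments and resolves each reference to an absolute URL the way the browser would. It goes slightly beyond the single `//#` form quoted above by also matching the legacy `//@` form, block comments, and inline `data:` maps; the function name, the bundle text and the URL are constructed for the example.

```python
"""Added example: locate source map references in a JS bundle body.
Not the project's own code; the sample bundle and URL are constructed."""
import re
from urllib.parse import urljoin

# Modern '//# sourceMappingURL=', legacy '//@ sourceMappingURL=',
# and the block-comment variant '/*# sourceMappingURL=... */'.
_SOURCEMAP_RE = re.compile(
    r"(?://[#@]|/\*[#@])\s*sourceMappingURL=(?P<url>[^\s*]+)"
)


def find_source_map_refs(js_body: str, script_url: str) -> list[dict]:
    """Return one record per source map reference found in js_body.

    raw      - the value exactly as written in the comment
    kind     - 'inline' for data: URLs (map embedded in the bundle itself)
               or 'external' for a separate .map file
    resolved - absolute URL of an external map, resolved against the
               script's own URL as a browser would; None for inline maps
    """
    refs = []
    for match in _SOURCEMAP_RE.finditer(js_body):
        raw = match.group("url")
        if raw.startswith("data:"):
            refs.append({"raw": raw, "kind": "inline", "resolved": None})
        else:
            refs.append({"raw": raw, "kind": "external",
                         "resolved": urljoin(script_url, raw)})
    return refs


# Constructed sample: a bundle trailer like the one quoted in the issue,
# served from a constructed URL (.invalid TLD, so it never resolves).
SAMPLE_SCRIPT_URL = "https://app.example.invalid/static/js/main.dqfcf86f.chunk.js"
SAMPLE_BUNDLE = (
    "!function(e){/* bundle body elided */}();\n"
    "//# sourceMappingURL=main.dqfcf86f.chunk.js.map\n"
)

if __name__ == "__main__":
    for ref in find_source_map_refs(SAMPLE_BUNDLE, SAMPLE_SCRIPT_URL):
        # An 'external' hit is only a lead: the .map URL still has to be
        # requested to confirm the map is actually served.
        print(ref["kind"], ref["resolved"] or ref["raw"][:40])
```

The function only reports references; whether the `.map` file is actually reachable is a separate request, so a hit is a lead to verify, not a finding by itself.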
LewisArdern commented 3 years ago

For this it would be awesome if you leveraged a tool under the hood to also convert the map file back to its original state; this way you would be able to perform manual reviews on the code more easily 👀

righettod commented 3 years ago

Hi,

Thanks a lot for the suggestion 👍

In fact, once you know that map files are exposed, the browser does the job for you and you can browse the "recovered" code. That is why I limited the task to "only detect" when map files are present. With the browser, you can set breakpoints so you can explore the code using the browser JS debugger panel as an IDE 😃

I have documented that point in my cheat sheet:

[image: cheat sheet screenshot]

righettod commented 3 years ago

By the way, I noticed that this feature (detection of map files) is already implemented but I forgot to reference the issue in the commit 😃 So I close the issue. Thanks again a lot for your suggestion. Feel free to ping me if you think that it would be better to have the recovered code directly in Burp (I currently do not know how to achieve it but I will find a way 😄 )

LewisArdern commented 3 years ago

This isn't always possible though @righettod for a lot of reasons, sometimes you have to manually unpack it through resources like: https://github.com/denandz/sourcemapper, https://github.com/pavloko/source-map-unpack, https://github.com/mozilla/source-map

I haven't looked at it in a while but some webpack bundles failed to unpack via the browser the last time I checked -- this could be different now, I only mentioned this because I am giving a talk and will be referencing your piper scripts for detection :)

LewisArdern commented 3 years ago

My thought process has always been:

It might not be appropriate for most people's workflows, but it would be a lot cleaner to find issues with the unbundled JavaScript and easier to read the code

This was done by eslinter https://github.com/parsiya/eslinter; a similar concept could be used for this workflow as well, but it would probably be a fairly out-there approach

righettod commented 3 years ago

OK I reopen the issue 😃