six2dez / reconftw

reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools for scanning and finding vulnerabilities.
MIT License

enhance js file filter #638

Closed osxtest closed 1 year ago

osxtest commented 1 year ago

Hi @six2dez

Describe the bug

When grepping JS files from the subjs output, the regex seems loose:

https://github.com/six2dez/reconftw/blob/0b6f69b4ed58c958b7d08cb6c2cd03a1a3a4e9fc/reconftw.sh#L1444

As a result, there are some .json, .jsp, .jsonp ... files contained in js/url_extract_js.txt.

So I am thinking we could make the regex stricter, e.g.

@@ -1441,7 +1441,7 @@ function jschecks(){
                                axiom-scan js/url_extract_js.txt -m subjs -o .tmp/subjslinks.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" &>/dev/null                                                    
                        fi
                        [ -s ".tmp/subjslinks.txt" ] && cat .tmp/subjslinks.txt | egrep -iv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)" | anew -q js/nojs_links.txt
-                       [ -s ".tmp/subjslinks.txt" ] && cat .tmp/subjslinks.txt | grep -iE "\.js" | anew -q js/url_extract_js.txt
+                       [ -s ".tmp/subjslinks.txt" ] && cat .tmp/subjslinks.txt | grep -iE "\.js($|\?)" | anew -q js/url_extract_js.txt
                        printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n"
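Review bot: the stricter pattern `\.js($|\?)` on the `+` line still drops URLs where `.js` is followed by a fragment (`#`) or a trailing path separator, so consider `\.js(\?|#|$)` if those show up in subjs output. Note also that the exclusion list on the unchanged line above, `egrep -iv "\.(eot|...|js)"`, has the same unanchored-suffix problem in the other direction: `\.js` matches the start of `.json` and `.jsp`, so after this change those URLs are dropped from js/nojs_links.txt as well as from js/url_extract_js.txt and end up in neither list; anchoring that pattern the same way, or documenting that the two files are not meant to be complementary, would avoid the silent gap.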
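To make the difference concrete, here is an added shell example (not reconftw's own code) that runs the loose pattern and the proposed stricter pattern over a constructed list of URLs; the SAMPLE_URLS list and the extra `#` fragment case are my assumptions, not part of the issue.

```shell
#!/bin/sh
# Added example (not reconftw's code): compare the loose and the stricter
# JS-URL filters from the issue against a constructed list of URLs.

# Loose filter as it stood in reconftw.sh: any ".js" substring matches,
# so .json, .jsp, .jsonp and .js.map all slip through.
filter_js_loose() {
    grep -iE '\.js'
}

# Stricter filter: ".js" must end the URL or be followed by a query string.
# Also accepting a fragment ("#") is an added assumption beyond the issue.
filter_js_strict() {
    grep -iE '\.js($|\?|#)'
}

# Constructed sample subjs-style output, one URL per line (not real targets).
SAMPLE_URLS='https://example.com/static/app.js
https://example.com/api/config.json
https://example.com/login.jsp
https://example.com/cb.jsonp?callback=x
https://example.com/vendor.min.JS?v=3
https://example.com/bundle.js#map
https://example.com/assets/main.js.map'

# Number of URLs each filter keeps from the sample list.
count_loose()  { printf '%s\n' "$SAMPLE_URLS" | filter_js_loose  | wc -l | tr -d ' '; }
count_strict() { printf '%s\n' "$SAMPLE_URLS" | filter_js_strict | wc -l | tr -d ' '; }

# Show the two result sets side by side when run directly.
echo "loose ($(count_loose) kept):";  printf '%s\n' "$SAMPLE_URLS" | filter_js_loose
echo "strict ($(count_strict) kept):"; printf '%s\n' "$SAMPLE_URLS" | filter_js_strict
```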
osxtest commented 1 year ago

Another case I ran into: no matter what endpoint you visit, the server returns 200 OK for everything, so js/js_livelinks.txt contains a lot of noise and takes a long time to run. I currently handle this by adding an httpx Content-Type filter:

diff --git a/reconftw.sh b/reconftw.sh
index f8f82e4..6befa7c 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -1444,7 +1444,7 @@ function jschecks(){
                        [ -s ".tmp/subjslinks.txt" ] && cat .tmp/subjslinks.txt | grep -iE "\.js" | anew -q js/url_extract_js.txt
                        printf "${yellow} Running : Resolving JS Urls 2/5${reset}\n"
                        if [ ! "$AXIOM" = true ]; then
-                               [ -s "js/url_extract_js.txt" ] && cat js/url_extract_js.txt | httpx -follow-redirects -random-agent -silent -timeout $HTTPX_TIMEOUT -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -status-code -retries 2 -no-color | grep "[200]" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt
+                               [ -s "js/url_extract_js.txt" ] && cat js/url_extract_js.txt | httpx -follow-redirects -random-agent -silent -timeout $HTTPX_TIMEOUT -threads $HTTPX_THREADS -rl $HTTPX_RATELIMIT -status-code -content-type -retries 2 -no-color | grep "[200]" | grep "javascript" | cut -d ' ' -f1 | anew -q js/js_livelinks.txt
                        else
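Review bot: `grep "[200]"` on both the `-` and `+` lines is a bracket expression that matches any single `2` or `0`, not the literal `[200]`, so the status-code filter lets through nearly every line (`[404]`, `[301]` and `[500]` all contain a `0`); use `grep -F "[200]"` or `grep "\[200\]"` so only real 200 responses reach js/js_livelinks.txt. Separately, the added `grep "javascript"` content-type filter is a sensible way to cut noise on catch-all-200 hosts, but it will also discard scripts served as `text/plain` or `application/octet-stream`, which misconfigured static hosting does often enough to matter, so consider also matching those types or making the filter opt-in via a config flag.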
six2dez commented 1 year ago

Fixed: https://github.com/six2dez/reconftw/commit/404129b016d1e6a2aac56b80fdc0d3044d263f86. Next time feel free to submit a PR :)