search

teamdeeson / warden

Warden Server
https://www.deeson.co.uk
GNU General Public License v3.0
51 stars 18 forks source link

Provide Javascript library version information across all sites #96

Closed mikeddeeson closed 7 years ago

mikeddeeson commented 7 years ago

In addition to providing the Javascript version information (as found in #68) is is possible to determine if there are any security issues for that javascript library?

@johnennewdeeson provided several potential resources in the other thread which I have included in this thread also for reference:

These are things (don't know if they are useful things!) https://github.com/npm/npm-registry-client http://registry.npmjs.org/-/package/jquery/dist-tags https://www.exploit-db.com/ https://github.com/offensive-security/exploit-database

That exploit database tool lets you do this

$> ./searchsploit -j jquery
{
  "SEARCH": "jquery",
  "RESULTS": [
        {"Exploit":"jQuery - jui_filter_rules PHP Code Execution"","Path":"./platforms/php/remote/36124.txt","EDB-ID":36124},
        {"Exploit":"jQuery Uploadify 2.1.0 - Arbitrary File Upload"","Path":"./platforms/multiple/webapps/11218.txt","EDB-ID":11218},
        {"Exploit":"WordPress Plugin jQuery Mega Menu 1.0 - Local File Inclusion"","Path":"./platforms/php/webapps/16250.txt","EDB-ID":16250},
        {"Exploit":"JQuery-Real-Person plugin - Bypass captcha"","Path":"./platforms/php/webapps/18167.zip","EDB-ID":18167},
        {"Exploit":"WordPress Plugin 1-jquery-photo-gallery-Slideshow-flash 1.01 - Cross-Site Scripting"","Path":"./platforms/php/webapps/36382.txt","EDB-ID":36382},
        {"Exploit":"WordPress Plugin NextGEN Gallery - 'jqueryFileTree.php' Directory Traversal"","Path":"./platforms/php/webapps/39100.txt","EDB-ID":39100},
        {"Exploit":"BK Mobile jQuery CMS 2.4 - Multiple Vulnerabilities"","Path":"./platforms/php/webapps/39339.txt","EDB-ID":39339}
  ]
}

Also, worth a read:

http://blog.bithound.io/checking-your-npm-dependencies-for-security-vulnerabilities/ https://www.sourceclear.com/

mikeddeeson commented 7 years ago

There is a CVE search available on this site - https://www.circl.lu/services/cve-search/

mikeddeeson commented 7 years ago

The javascript library information is now displayed against a site as well as listed globally so that a user can see what javascript libraries are being used across the sites. Clicking on a library will then show the list of the sites that are using that library and the version of that library.