
Source Code

Source-code analysis is typically thought of as something that only takes place in a white box, an internal testing scenario, either as part of an automated build chain or as a manual review. But analyzing client-side code available to the browser is also an effective way of looking for vulnerabilities as an outside researcher.

We're specifically going to look at retire (Retire.js), a node module that has both Node and CLI components, and analyzes client-side JavaScript and Node modules for previously-reported vulnerabilities. You can install it with npm, using the global flag (-g) to make it accessible in your $PATH: npm install -g retire. Reporting a vulnerability that was originally discovered in a vendor's library, but that still needs to be addressed/patched in a company's web application, will often merit a reward. The easy-to-use CLI of retire makes it simple to write short, purpose-driven scripts in the Unix style. We'll be using it to elaborate on a general philosophy of pentesting automation.

retire --help shows you the general contour of functionality:

Let's test it against an old project of mine written in Angular and node:

retire --path ~/Code/Essences/demo

It's a little hard to read. And the attempt to show the vulnerable modules within their nested dependencies makes it even harder:

But we can use some of its available flags to rectify this. As we pass in options to output the data in the json format and specify the name of the file we want to save, we can also wrap it in a script to make it a handier reference from the command line. Let's make a script called scanjs.sh:

#!/bin/sh
# Usage: scanjs.sh <path-to-scan> <output.json>
[ $# -eq 2 ] || { echo "usage: $0 <path-to-scan> <output.json>" >&2; exit 1; }

# Scan the target, save the findings as JSON, then pretty-print that file.
# The two commands are deliberately not chained with &&: retire exits non-zero
# when it finds vulnerabilities, and we still want the report printed in that case.
retire --path "$1" --outputformat json --outputpath "$2"
python -m json.tool "$2"

This script requires two arguments, the path to the files being analyzed and a name for the file it will output. Basically the script analyzes the target code repository, creates a json file of the vulnerabilities it discovers, then prints out a pretty version of the json file to STDOUT. The script has two outputs so that it can use the json file as a local flat file log, and the STDOUT output to pass on to the next step, a formatting script.
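The formatting script that the paragraph hands off to, as an added example that is not from the book: it flattens retire's nested file/component/vulnerability JSON into one line per finding, most severe first. The report shape (a top-level "data" list of files, each with "results" holding "vulnerabilities", or a bare list of file entries from older versions) is an assumption about retire's output, and the embedded findings are constructed placeholders, not real scan results.

```python
import json

# Constructed sample in the assumed shape of retire's JSON output; the CVE ids and
# summaries are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "version": "3.0.0",
    "data": [
        {"file": "demo/public/js/vendor/jquery.min.js",
         "results": [{"component": "jquery", "version": "1.8.0", "vulnerabilities": [
             {"severity": "medium", "info": ["https://example.invalid/advisory/1"],
              "identifiers": {"CVE": ["CVE-0000-00001"], "summary": "placeholder: XSS in selector"}},
             {"severity": "low", "info": [],
              "identifiers": {"summary": "placeholder: prototype pollution"}}]}]},
        {"file": "demo/node_modules/angular/angular.js",
         "results": [{"component": "angular", "version": "1.2.0", "vulnerabilities": [
             {"severity": "high", "info": ["https://example.invalid/advisory/2"],
              "identifiers": {"CVE": ["CVE-0000-00002"], "summary": "placeholder: sandbox bypass"}}]}]},
    ],
})

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}

def load_findings(report_text):
    """Flatten file -> component -> vulnerability into rows; accepts the {"data": [...]}
    wrapper or a bare list of file entries."""
    doc = json.loads(report_text)
    entries = doc["data"] if isinstance(doc, dict) else doc
    rows = []
    for entry in entries:
        for result in entry.get("results", []):
            for vuln in result.get("vulnerabilities", []):
                ids = vuln.get("identifiers", {})
                rows.append({
                    "file": entry.get("file", "?"),
                    "component": result.get("component", "?"),
                    "version": result.get("version", "?"),
                    "severity": vuln.get("severity", "none").lower(),
                    # Prefer a CVE id; fall back to the free-text summary when there is none.
                    "id": (ids.get("CVE") or [ids.get("summary", "no identifier")])[0],
                })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["file"]))
    return rows

def severity_counts(rows):
    counts = {}
    for r in rows:
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts

def format_report(rows):
    """One fixed-width line per finding, easy to grep or pipe to the next tool."""
    return "\n".join(f"{r['severity']:<8} {r['component']}@{r['version']:<8} {r['id']:<16} {r['file']}"
                     for r in rows)

if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)  # for a real run, read the scanjs.sh output file instead
    print(format_report(findings))
    print(severity_counts(findings))
```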
