
Retire JS Plugin Scanning text/html Files

See original GitHub issue

Describe the bug

In the ZAP logs I sometimes see warnings about slow passive scans for the Vulnerable JS Library rule of text/html files. For example:

321894452 [ZAP-PassiveScanner] WARN  org.zaproxy.zap.extension.pscan.PassiveScanThread - Passive Scan rule Vulnerable JS Library took 384 seconds to scan https://<redacted url>/ text/html; charset=UTF-8 989229

I see in the RetireScanRule code where image files and css files are excluded ( https://github.com/zaproxy/zap-extensions/blob/main/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java#L66). Is there a reason to be scanning text/html files? It seems like only the JS files are relevant to the scan code (https://github.com/zaproxy/zap-extensions/blob/7b1a80707177aed4c495953b961185382127bdda/addOns/retire/src/main/java/org/zaproxy/addon/retire/model/Repo.java#L84-L89). But I could have missed something.

Thanks!

Expected behavior

Expected behavior is for the Vulnerable JS / Retire JS rule to efficiently scan only the relevant file types.

Would you like to help fix this issue? Yes

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

1 reaction
FiveOFive commented, Dec 10, 2021

Yeah, it would be nice to make some optimizations, as it can be pretty slow sometimes. I can try to look into that.

1 reaction
FiveOFive commented, Dec 9, 2021

Looking into this more, I think we actually do need to scan text/html content because of included vulnerable JavaScript libraries in script tags of the text/html, e.g. <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"/>

Also, filtering more strictly on Content-Type would skip responses with incorrect or no Content-Type headers. Currently these would be scanned.
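The two comments above pull in opposite directions: HTML must still be looked at for the scripts it pulls in, but a strict Content-Type filter would drop responses whose header is missing or wrong. The following is an added example in Python (my own code, not ZAP's RetireScanRule or Retire.js) of one way to reconcile them: an HTML response is scanned only for its <script src> URIs instead of running every content regex over the whole page body, and a missing or generic Content-Type falls back to sniffing the body rather than skipping it. The extractor entries, sample responses and helper names (classify, scan_response, script_srcs) are constructed for illustration; the real Retire.js repository has far more patterns, its §§version§§ placeholder expands to a broader version regex than the digits-and-dots one assumed here, and whether whole-body regexes are what made the 384-second scan slow is an assumption the issue does not confirm.

```python
import re
from html.parser import HTMLParser

# Constructed, Retire.js-style extractor entries for two libraries (not copied
# from jsrepository.json). "§§version§§" is the placeholder the Retire.js
# repository format uses for the version capture group; the real placeholder
# expands to a broader pattern than the digits-and-dots regex assumed here.
VERSION_RE = r"(\d+(?:\.\d+)+)"
EXTRACTORS = {
    "bootstrap": {
        "uri": [r"/bootstrap/§§version§§/js/bootstrap(?:\.min)?\.js"],
        "filecontent": [r"\* Bootstrap v§§version§§"],
    },
    "jquery": {
        "uri": [r"/jquery-§§version§§(?:\.min)?\.js"],
        "filecontent": [r"jQuery JavaScript Library v§§version§§"],
    },
}


def _compile(patterns):
    return [re.compile(p.replace("§§version§§", VERSION_RE)) for p in patterns]


URI_RULES = {lib: _compile(ex["uri"]) for lib, ex in EXTRACTORS.items()}
CONTENT_RULES = {lib: _compile(ex["filecontent"]) for lib, ex in EXTRACTORS.items()}

# Types that cannot carry a script reference; everything else is at least sniffed.
SKIP_PREFIXES = ("image/", "font/", "text/css")
HTML_TYPES = ("text/html", "application/xhtml+xml")
JS_TYPES = ("application/javascript", "text/javascript", "application/x-javascript")
GENERIC_TYPES = ("", "text/plain", "application/octet-stream")


class _ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_srcs(html):
    parser = _ScriptSrcParser()
    parser.feed(html)
    parser.close()
    return parser.srcs


def classify(content_type, body):
    """Return 'skip', 'html' or 'js'. The header decides when it is specific;
    a missing or generic Content-Type falls back to sniffing the body so such
    responses are still scanned rather than silently dropped."""
    ct = (content_type or "").split(";")[0].strip().lower()
    if ct.startswith(SKIP_PREFIXES):
        return "skip"
    if ct in HTML_TYPES:
        return "html"
    if ct in JS_TYPES:
        return "js"
    head = body.lstrip()[:512].lower()
    if "<!doctype html" in head or "<html" in head or "<script" in head:
        return "html"
    return "js" if ct in GENERIC_TYPES else "skip"


def match_uri(uri):
    """Apply only the uri extractors to a script URL (cheap: short strings)."""
    return [(lib, m.group(1), uri)
            for lib, rules in URI_RULES.items()
            for m in (rx.search(uri) for rx in rules) if m]


def match_content(body):
    """Apply the filecontent extractors to a JavaScript body."""
    return [(lib, m.group(1), "filecontent")
            for lib, rules in CONTENT_RULES.items()
            for m in (rx.search(body) for rx in rules) if m]


def scan_response(url, content_type, body):
    """Return (library, version, evidence) hits for one HTTP response."""
    kind = classify(content_type, body)
    if kind == "skip":
        return []
    if kind == "html":
        # An HTML page matters only for the scripts it pulls in: run the uri
        # extractors over each <script src>, not the filecontent regexes over
        # the whole (possibly multi-megabyte) page body.
        return [hit for src in script_srcs(body) for hit in match_uri(src)]
    return match_uri(url) + match_content(body)


# Constructed sample responses for a stand-alone run.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="/static/app.js"></script></head><body></body></html>"""
SAMPLE_JS = "/*! jQuery JavaScript Library v1.12.4 */\n(function () {})();"

if __name__ == "__main__":
    print(scan_response("https://example.test/", "text/html; charset=UTF-8", SAMPLE_HTML))
    print(scan_response("https://example.test/", None, SAMPLE_HTML))  # header missing
    print(scan_response("https://example.test/js/jquery-1.12.4.min.js", "text/plain", SAMPLE_JS))
    print(scan_response("https://example.test/logo.png", "image/png", "\x89PNG"))
```

The split between uri and filecontent extractors is the point: a 989229-byte HTML body like the one in the warning above yields at most a handful of short script URLs, so the expensive part of the rule only ever runs against JavaScript bodies, while a JS file served as text/plain or with no Content-Type at all is still picked up by the sniffing fallback.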
