New jQuery vulnerability check for ZAP


Aaron Bryson

Jan 18, 2015, 5:24:52 PM
to zaproxy...@googlegroups.com
I got this idea from testing, and I have seen this a few times at different clients now, so I think it warrants automation. It would be great if we could detect outdated versions of jQuery.

Here is an example below of how detection would work. Basically, ZAP would request the common default file names found in a default jQuery install. It would then parse the response for version information and flag vulnerable/outdated versions.

REQUEST

GET /jquery/js/jquery-ui.custom.min.js HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: https://companystore.example.com/index
Cookie: JSESSIONID=a5x3Al2vx3uJg5YCgpFuwaR3.undefined; account_id=1
Host: companystore.example.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

RESPONSE
HTTP/1.1 200 OK
Date: Tue, 02 Dec 2014 17:53:09 GMT
Server: Apache/2.2.15 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 18:00:00 CST
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"
Accept-Ranges: bytes
ETag: W/"207694-1409379728000"
Last-Modified: Sat, 30 Aug 2014 06:22:08 GMT
Content-Length: 207694
Connection: close
Content-Type: text/javascript;charset=UTF-8

RESPONSE BODY







Vulnerability Report Information (example, feel free to modify this for ZAP to what you feel is best)
Name: Vulnerable JavaScript Library
Description: You are using a vulnerable JavaScript library. One or more vulnerabilities were reported for this version of the JavaScript library.
Details: This vulnerability affects /jquery/js/jquery-ui.custom.min.js
How to fix this vulnerability: Upgrade to the latest version.
Web references: http://bugs.jqueryui.com/ticket/6016
Classification:
CWE: CWE-16
CVSS Base Score: 6.4
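The detection logic sketched above (probe a list of default script paths, pull the version out of the library's banner comment, compare it against a minimum acceptable version) as a stand-alone Python example. This is added illustration, not code from ZAP or from the original post: the default path list, the `MIN_VERSIONS` policy, the sample response bodies and the in-memory `fetch` function are all constructed assumptions, and the version thresholds are not a published vulnerability list.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical default paths a scanner might probe (assumption for this example).
DEFAULT_PATHS = [
    "/jquery/js/jquery-ui.custom.min.js",
    "/js/jquery.min.js",
    "/js/app.js",
    "/js/missing.js",
]

# Constructed sample bodies standing in for HTTP responses; None means 404.
# Minified jQuery / jQuery UI builds start with a banner comment like these.
SAMPLE_RESPONSES: Dict[str, Optional[str]] = {
    "/jquery/js/jquery-ui.custom.min.js":
        "/*! jQuery UI - v1.8.16 - 2011-09-20\n* http://jqueryui.com\n*/(function(a){})(jQuery);",
    "/js/jquery.min.js":
        "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */!function(a,b){}();",
    "/js/app.js":
        "(function(){ console.log('application code, no library banner'); })();",
    "/js/missing.js": None,
}

# Assumed minimum acceptable versions for this example (a policy knob, not a CVE list).
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "jquery": (1, 12, 0),
    "jquery-ui": (1, 12, 0),
}

# Matches "jQuery v1.12.4", "jQuery UI - v1.8.16", "jQuery UI 1.8.16" in a banner.
BANNER_RE = re.compile(
    r"jQuery(?P<ui>\s+UI)?\s*-?\s*v?(?P<ver>\d+\.\d+(?:\.\d+)?)",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.8.16' into (1, 8, 16) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def identify_library(body: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (library name, version tuple) from the banner, or None if absent.

    Only the first 1 KiB is searched: the banner sits at the top of the file, and
    limiting the window avoids false positives from strings deeper in the code.
    """
    match = BANNER_RE.search(body[:1024])
    if not match:
        return None
    name = "jquery-ui" if match.group("ui") else "jquery"
    return name, parse_version(match.group("ver"))


def check_script(path: str, body: str) -> Optional[dict]:
    """Classify one fetched script; None when it is not a recognised library."""
    found = identify_library(body)
    if found is None:
        return None
    name, version = found
    minimum = MIN_VERSIONS[name]
    return {
        "path": path,
        "library": name,
        "version": ".".join(map(str, version)),
        "minimum": ".".join(map(str, minimum)),
        "outdated": version < minimum,
    }


def scan(paths: List[str], fetch: Callable[[str], Optional[str]]) -> List[dict]:
    """Probe each path with `fetch` (returns body or None) and collect outdated hits."""
    findings = []
    for path in paths:
        body = fetch(path)
        if body is None:  # treat as 404 / not present
            continue
        result = check_script(path, body)
        if result and result["outdated"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    # Offline run against the constructed responses; a real scanner would fetch over HTTP.
    for finding in scan(DEFAULT_PATHS, SAMPLE_RESPONSES.get):
        print(f"{finding['path']}: {finding['library']} {finding['version']} "
              f"is older than the minimum {finding['minimum']}")
```

Swapping `SAMPLE_RESPONSES.get` for a real HTTP fetcher is the only change needed to run this against a test instance; the version comparison is done on integer tuples so that 1.10 correctly sorts after 1.9, which a plain string comparison gets wrong.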

gmaran23

Jan 19, 2015, 2:36:13 AM
to zaproxy...@googlegroups.com
Aaron,
A ZAP add-on does a similar thing. Details: https://twitter.com/zaproxy/status/537565407058878464

psiinon

Jan 19, 2015, 9:54:46 AM
to zaproxy...@googlegroups.com
We also have a Retire.js add-on: https://groups.google.com/d/msg/zaproxy-users/NESOSkxeuq4/J3lf_17yZ8EJ
That should detect a whole load of out-of-date JavaScript libs.

Simon