Retire.js regex not working as expected
64 views
Skip to first unread message
penny ZAP
Aug 24, 2021, 9:11:47 PM8/24/21
to OWASP ZAP User Group
Hello,
I installed and updated retire.js addon in order to detect vulnerable Javascript libraries. According to this regex, "* jQuery JavaScript Library v2.1.0" should be detected during the Spider but it is not getting detected. Any leads are appreciated. Thanks :)
I installed and updated retire.js addon in order to detect vulnerable Javascript libraries. According to this regex, "* jQuery JavaScript Library v2.1.0" should be detected during the Spider but it is not getting detected. Any leads are appreciated. Thanks :)
kingthorin+owaspzap
Aug 24, 2021, 9:59:34 PM8/24/21
to OWASP ZAP User Group
Do you have a live or example file we can test against?
Message has been deleted
penny ZAP
Aug 25, 2021, 3:05:38 PM8/25/21
to OWASP ZAP User Group
I noticed that the issue arises when the file size is very huge. It worked well with a smaller file but when the response body spans upto 15MB, it fails. Is there any pscan timeout for big files or are there any file size scan limits enforced in ZAP?
kingthorin+owaspzap
Aug 25, 2021, 8:34:11 PM8/25/21
to OWASP ZAP User Group
"Max body size in bytes to scan"
The jQuery file in question should not be 15MB.
kingthorin+owaspzap
Aug 25, 2021, 8:35:14 PM8/25/21
to OWASP ZAP User Group
https://code.jquery.com/jquery-2.1.0.js is 239k unminified
kingthorin+owaspzap
Aug 25, 2021, 8:42:26 PM8/25/21
to OWASP ZAP User Group
And I've confirmed that it is picked up by the Retire.js add-on/rule.
penny ZAP
Aug 31, 2021, 7:57:05 PM8/31/21
to OWASP ZAP User Group
Figured it out. The issue was not file size, it was multiple Jquery versions in a single file. If there are multiple versions, the regex picks up the first available version and ignores the rest. Is that how its expected to work?
Reply all
Reply to author
Forward
0 new messages