Retire.js regex not working as expected


penny ZAP

Aug 24, 2021, 9:11:47 PM
to OWASP ZAP User Group
Hello,

I installed and updated retire.js addon in order to detect vulnerable Javascript libraries. According to this regex, "* jQuery JavaScript Library v2.1.0" should be detected during the Spider but it is not getting detected. Any leads are appreciated. Thanks :) 


kingthorin+owaspzap

Aug 24, 2021, 9:59:34 PM
to OWASP ZAP User Group
Do you have a live or example file we can test against?

penny ZAP

Aug 25, 2021, 3:05:38 PM
to OWASP ZAP User Group

I noticed that the issue arises when the file size is very huge. It worked well with a smaller file, but when the response body spans up to 15MB, it fails. Is there any pscan timeout for big files, or are there any file size scan limits enforced in ZAP?

kingthorin+owaspzap

Aug 25, 2021, 8:34:11 PM
to OWASP ZAP User Group
"Max body size in bytes to scan"

The jQuery file in question should not be 15MB.

kingthorin+owaspzap

Aug 25, 2021, 8:35:14 PM
to OWASP ZAP User Group

kingthorin+owaspzap

Aug 25, 2021, 8:42:26 PM
to OWASP ZAP User Group
And I've confirmed that it is picked up by the Retire.js add-on/rule.


penny ZAP

Aug 31, 2021, 7:57:05 PM
to OWASP ZAP User Group
Figured it out. The issue was not file size, it was multiple jQuery versions in a single file. If there are multiple versions, the regex picks up the first available version and ignores the rest. Is that how it's expected to work?
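The two behaviours discussed in this thread (a "max body size" cutoff that stops the scanner reading a large response, and a banner regex that reports only the first jQuery version in a bundle that contains several) can both be reproduced with a few lines of Python. The example below is added here and is not part of the thread, nor ZAP's or retire.js's own code: the regex `JQUERY_BANNER` is an assumed, simplified banner pattern (not copied from the retire.js repository), and `BUNDLE` is a constructed sample asset that concatenates two jQuery headers.

```python
import re
from typing import List, Optional

# Constructed sample: a bundled asset that concatenates two jQuery banners,
# with a body of filler lines between them (not a real file from the thread).
BUNDLE = (
    "/*!\n * jQuery JavaScript Library v2.1.0\n * http://jquery.com/\n */\n"
    + "(function(){ /* ...first library body... */ })();\n" * 50
    + "/*!\n * jQuery JavaScript Library v3.5.1\n * https://jquery.com/\n */\n"
    + "(function(){ /* ...second library body... */ })();\n"
)

# Assumed banner regex in the style of a retire.js "filecontent" pattern;
# it captures the semantic version that follows the jQuery banner text.
JQUERY_BANNER = re.compile(r"\* jQuery JavaScript Library v(\d+\.\d+\.\d+)")


def first_version(body: str) -> Optional[str]:
    """What a first-match-only scan reports: the earliest banner, nothing else."""
    m = JQUERY_BANNER.search(body)
    return m.group(1) if m else None


def all_versions(body: str) -> List[str]:
    """Report every banner version in the body, in order of appearance."""
    return JQUERY_BANNER.findall(body)


def scan_truncated(body: str, max_body_bytes: int) -> List[str]:
    """Mimic a 'max body size in bytes to scan' limit: only the first
    max_body_bytes of the response are inspected, so a banner that sits
    past the cutoff is never seen by the regex."""
    head = body.encode("utf-8")[:max_body_bytes].decode("utf-8", errors="ignore")
    return all_versions(head)


def oldest_version(versions: List[str]) -> Optional[str]:
    """Lowest version present; for triage this is the one that matters, since
    it is the one most likely to carry known vulnerabilities."""
    if not versions:
        return None
    return min(versions, key=lambda v: tuple(int(p) for p in v.split(".")))


if __name__ == "__main__":
    print("first match only:", first_version(BUNDLE))        # 2.1.0
    print("all matches:     ", all_versions(BUNDLE))         # ['2.1.0', '3.5.1']
    print("1 KiB body limit:", scan_truncated(BUNDLE, 1024))  # ['2.1.0']
    print("4 KiB body limit:", scan_truncated(BUNDLE, 4096))  # ['2.1.0', '3.5.1']
    print("oldest present:  ", oldest_version(all_versions(BUNDLE)))
```

The practical takeaways for tuning a passive scan are visible in the output: raising the body-size limit only helps when the banner actually lies beyond the cutoff, and a first-match scan of a concatenated bundle will name whichever library header comes first, so a later (possibly older and vulnerable) copy goes unreported unless every match is collected.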