Retire.js add-on


Simon Bennetts

Nov 26, 2014, 7:05:04 AM11/26/14
to zaprox...@googlegroups.com
I've just uploaded a new add-on called 'retire' to the ZAP Marketplace.
It uses the Retire.js database to passively detect (and alert on) vulnerable JavaScript libraries.
As with all new add-ons it is marked as alpha quality, but my testing has shown it to be robust so far - I'm going to be using it all the time from now on.
It's all thanks to Nikita Mundhada, who's been working on this add-on for her student project - nice work Nikita!

Simon

kingthorin+owaspzap

Nov 26, 2014, 11:06:40 AM11/26/14
to zaprox...@googlegroups.com
Cool, I actually have a current project that this might be perfect for :)

I'll give it a whirl.

kingthorin+owaspzap

Dec 3, 2014, 11:04:30 AM12/3/14
to zaprox...@googlegroups.com
OK, I'm running 2.3.1; it's not on my Installed tab and it's not in my Marketplace tab either. What gives?

kingthorin+owaspzap

Dec 3, 2014, 11:13:06 AM12/3/14
to zaprox...@googlegroups.com
Manually downloaded it from: http://sourceforge.net/projects/zaproxy/files/add-ons/

Would still like to know why it doesn't show in marketplace via ZAP.

thc...@gmail.com

Dec 3, 2014, 11:13:58 AM12/3/14
to zaprox...@googlegroups.com
Hi.

The exact name of the add-on is "Vulnerable JS libraries detection",
isn't/wasn't that showing up?

Best regards.

kingthorin+owaspzap

Dec 3, 2014, 11:28:20 AM12/3/14
to zaprox...@googlegroups.com
DOH, I was literally looking for "Retire" as the extension name.

Now my question is: How is it implemented? Is it essentially just a passive listener that raises alerts? Is there supposed to be a separate tab?

thc...@gmail.com

Dec 4, 2014, 5:52:32 AM12/4/14
to zaprox...@googlegroups.com
Hi.

It's a passive scanner.

Best regards.

kingthorin+owaspzap

Dec 4, 2014, 8:20:14 AM12/4/14
to zaprox...@googlegroups.com
Thanks THC, I'll give it a whirl today.

kingthorin+owaspzap

Dec 4, 2014, 4:38:13 PM12/4/14
to zaprox...@googlegroups.com
When I have it installed and go to the scan policy (ctrl+p) should I see it listed (like I do with wappalyzer)?

thc...@gmail.com

Dec 4, 2014, 4:48:16 PM12/4/14
to zaprox...@googlegroups.com
Hi.

Yes, it's called "Component with known vulnerabilities" (and it's under
the "Passive" entry like "Wappalyzer").

Best regards.

On 04/12/14 21:38, kingthorin+owaspzap wrote:
> When I have it installed and go to the scan policy (ctrl+p) should I see
> it listed (like I do with wappalyzer)?
>

kingthorin+owaspzap

Dec 4, 2014, 7:59:41 PM12/4/14
to zaprox...@googlegroups.com
Thanks THC. Would anyone object to me submitting a modification which references Retire.js in all these various places, in order to make things more unified or blatantly obvious?

Something like:
1) Make the marketplace name "Vulnerable JS Libraries Detection (Retire.js)"
2) Make the 'scanner' name "Component with Known Vulnerabilities (via Retire.js)" [or perhaps it should actually be the same as the marketplace name?]


Simon Bennetts

Dec 5, 2014, 4:08:10 AM12/5/14
to zaprox...@googlegroups.com
I think it's always best for the original authors to make any changes, as long as they are still maintaining the code.
I'd be happy with a marketplace name like "Vulnerable JS Library Detection using Retire.js".
I disagree with the 'scanner' name however, as this is also used for the alert summary. I think that the fact that we used Retire.js is completely irrelevant from the point of view of someone reading a report generated by ZAP ;)

Anyone else have any thoughts on these names?
I can let Nikita know if we come up with any feedback (if she's not already following this thread) and see if she's got time to update it.

Cheers,

Simon

kingthorin+owaspzap

Dec 5, 2014, 9:52:23 AM12/5/14
to zaprox...@googlegroups.com
I guess I need to do more research on how Retire.js works, but I'm assessing a site right now that has a blatantly out-of-date version of YUI (https://example.org/sjared/yui/2.8.0/<etc>) and it isn't being caught :(

Simon Bennetts

Dec 5, 2014, 10:05:31 AM12/5/14
to zaprox...@googlegroups.com
I'm no expert, but I understand it uses a set of extractors to find the versions, and then if they match known vulnerable versions it flags them.
The data it uses is all in https://github.com/bekk/retire.js/blob/master/repository/jsrepository.json#L137 and it looks like YUI 2.8.0 should be flagged :/
It has a command line scanner and a Chrome extension: https://github.com/bekk/retire.js
Could you try either of those?
If they don't report a problem then it's a Retire.js problem - could you raise a bug on their tracker: https://github.com/bekk/retire.js/issues
If they do report a problem it's a bug in our add-on, in which case let me know :)

Is the URL publicly accessible?
If so could you tell me it off list?

Cheers,

Simon

kingthorin+owaspzap

Dec 5, 2014, 3:24:29 PM12/5/14
to zaprox...@googlegroups.com
Ok I think I've discovered two culprits.

1) Looking at https://github.com/bekk/retire.js/blob/master/repository/jsrepository.json#L156 it seems like the YUI checks are dependent upon having browsed a license URL. [This seems very unlikely to happen in a passive scanner. Perhaps an additional active scanner is needed here to attempt to access specific paths/files and prime this passive check?]
2) In only looking for and extracting from the license file, Retire.js would miss the blatant path/version info (I've no idea what a standard YUI deployment might look like; this is the first I've dealt with it).

It seems in my particular instance the license file is either not present or not accessible anyway, but food for thought.

Thanks for passing along the details Simon!

Simon Bennetts

Dec 8, 2014, 7:42:55 AM12/8/14
to zaprox...@googlegroups.com
Do you not have any files that match the regex: "yui-(§§version§§)(.min)?\\.js"
Or contain text that matches: "YUI (§§version§§)", "/yui/license.(?:html|txt)\nversion: (§§version§§)"

I'm _hoping_ that the code just needs to match one of the extractors...

Cheers,

Simon
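The following is an added example and not code from the ZAP add-on or from Retire.js. It models, in Node.js, the mechanism described in the two messages above: a jsrepository.json-style entry whose extractor regexes carry a §§version§§ placeholder, the placeholder expanded to a version pattern, the "filename" extractors run against the last URL path segment and the "filecontent" extractors against the response body, and any extracted version compared against the entry's atOrAbove/below ranges. Assumptions: the placeholder is expanded to a simple digits-and-dots pattern (Retire.js uses its own, broader expression, and also has extractor kinds such as "uri" and "func" that are omitted here); the repository entry is constructed, with the two extractor lists copied from the thread but an illustrative vulnerability range that is not taken from the real repository; the URLs and the YUI-style file header are constructed sample input.

```javascript
// Added example (not code from the ZAP add-on or from Retire.js): a minimal
// Node.js model of how Retire.js-style extractors and version ranges decide
// whether a response refers to a vulnerable library.

// Retire.js expands this placeholder into its own version pattern before the
// extractor is compiled. The digits-and-dots-only pattern used here is an
// assumption of this example, chosen so that "yui-2.8.0.min.js" yields
// "2.8.0" rather than "2.8.0.min".
const VERSION_PLACEHOLDER = '§§version§§';
const VERSION_PATTERN = '[0-9]+(?:\\.[0-9]+)*';

// Constructed repository entry in the shape of jsrepository.json. The extractor
// regexes are the ones quoted in the thread; the vulnerability range is
// illustrative and NOT copied from the real repository.
const REPOSITORY = {
  YUI: {
    vulnerabilities: [
      { atOrAbove: '2.4.0', below: '2.9.0', info: ['constructed example range'] },
    ],
    extractors: {
      // matched against the last path segment of the URL
      filename: ['yui-(§§version§§)(.min)?\\.js'],
      // matched against the response body
      filecontent: ['YUI (§§version§§)', '/yui/license.(?:html|txt)\\nversion: (§§version§§)'],
    },
  },
};

// Turn a repository pattern into a RegExp by substituting the placeholder.
function compileExtractor(pattern) {
  return new RegExp(pattern.split(VERSION_PLACEHOLDER).join(VERSION_PATTERN));
}

// Numeric dotted-version comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A version is inside a vulnerability range when atOrAbove <= version < below.
function inRange(version, vuln) {
  if (vuln.atOrAbove && compareVersions(version, vuln.atOrAbove) < 0) return false;
  if (vuln.below && compareVersions(version, vuln.below) >= 0) return false;
  return true;
}

// Run every extractor of every component against one URL and its body, as a
// passive scanner would for each response it sees. Returns one finding per
// (component, version) detected, flagged vulnerable if a range matches.
function scanResponse(url, body, repo = REPOSITORY) {
  const filename = url.split('?')[0].split('#')[0].split('/').pop();
  const subjects = { filename, filecontent: body };
  const findings = [];
  for (const [component, entry] of Object.entries(repo)) {
    const versions = new Set();
    for (const [kind, patterns] of Object.entries(entry.extractors)) {
      for (const pattern of patterns) {
        const m = compileExtractor(pattern).exec(subjects[kind]);
        if (m) versions.add(m[1]); // the first capture group is the version
      }
    }
    for (const version of versions) {
      const matches = entry.vulnerabilities.filter(v => inRange(version, v));
      findings.push({ component, version, vulnerable: matches.length > 0, matches });
    }
  }
  return findings;
}

// Constructed sample header in the shape the second filecontent extractor
// targets: the license URL immediately followed by a "version:" line.
const YUI_HEADER = [
  '/*',
  'Code licensed under the BSD License:',
  'http://developer.yahoo.com/yui/license.html',
  'version: 2.8.0',
  '*/',
].join('\n');

// Constructed sample responses (not taken from any real site).
const SAMPLES = [
  // version only in the directory name, body without the header: nothing fires
  ['https://host.example/static/yui/2.8.0/dom.js', 'var a=1;'],
  // same path, but the body carries the header: the content extractor fires
  ['https://host.example/static/yui/2.8.0/dom.js', YUI_HEADER + '\nvar a=1;'],
  // version in the file name: the filename extractor fires
  ['https://host.example/static/yui-2.8.0.min.js', 'var a=1;'],
  // detected, but outside the constructed range, so not flagged
  ['https://host.example/static/yui-2.9.0.js', 'var a=1;'],
];

for (const [url, body] of SAMPLES) {
  console.log(url, JSON.stringify(scanResponse(url, body)));
}
```

Two things the samples make visible: a version that appears only in a directory segment of the URL is seen by neither the filename nor the filecontent extractors, so a library served from a path like /yui/2.8.0/ with its header stripped produces no finding; and the license/version extractor depends on the header being byte-exact, so minification, a rewritten comment block or CRLF line endings (the pattern expects a bare "\n") are enough to defeat it.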

kingthorin+owaspzap

Dec 8, 2014, 9:16:40 AM12/8/14
to zaprox...@googlegroups.com
I'll have to dig around and see.

I had interpreted that second part as being a URL match not a content match (/yui/license). I'll have a look in the files.