h3xstream / burp-retire-js

Burp/ZAP/Maven extension that integrates the Retire.js repository to find vulnerable JavaScript libraries.

License: Apache License 2.0

burp-plugin zap-plugin javascript vulnerability scanner maven

burp-retire-js's Introduction

Retire.js (Burp plugin)

Burp / ZAP extension that integrates the Retire.js repository to find vulnerable JavaScript libraries. It passively looks at the JavaScript files that are loaded and identifies the vulnerable ones based on several signature types (URL, filename, file content or a specific hash).

License

This software is released under Apache 2.0.

Downloads

Last updated : December 10th, 2019

Burp Suite plugin : Download (also available on the BApp Store)

ZAP plugin : Download


Burp plugin

[Screenshot: Retire.js Burp plugin]

ZAP plugin

[Screenshot: Retire.js ZAP plugin]

Maven plugin

Run the Maven plugin with the goal scan:

$ cd myproject
$ mvn com.h3xstream.retirejs:retirejs-maven-plugin:scan
   [...]
[INFO] --- retirejs-maven-plugin:1.0.0-SNAPSHOT:scan (default-cli) @ myproject ---
[WARNING] jquery.js contains a vulnerable JavaScript library.
[INFO] Path: C:\Code\myproject\src\main\webapp\js\jquery.js
[INFO] jquery version 1.8.1 is vulnerable.
[INFO] + http://bugs.jquery.com/ticket/11290
[INFO] + http://research.insecurelabs.org/jquery/test/
   [...]

The additional parameter -DretireJsBreakOnFailure can be used to break the build when at least one vulnerability is found.

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.450 s
[INFO] Finished at: 2015-02-19T13:37:00-05:00
[INFO] Final Memory: 11M/245M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.h3xstream.retirejs:retirejs-maven-plugin:1.0.0:scan (default-cli) on project
my-web-app: 6 known vulnerabilities were identified in the JavaScript librairies. -> [Help 1]
[ERROR]

Run the Maven plugin as part of your build

Use the following configuration to run the Maven plugin as part of your build. Only one <repoUrl> may be specified at a time. To scan / iterate earlier in your build cycle, you can bind the plugin to the validate phase.

  <plugin>
    <groupId>com.h3xstream.retirejs</groupId>
    <artifactId>retirejs-maven-plugin</artifactId>
    <version>3.0.1</version>
    <configuration>
      <repoUrl>https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json</repoUrl>
      <!--<repoUrl>https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json</repoUrl>-->
    </configuration>
    <executions>
      <execution>
        <id>scanProjectJavascript</id>
        <goals>
          <goal>scan</goal>
        </goals>
        <phase>install</phase>
      </execution>
    </executions>
  </plugin>
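As an added illustration of the signature-based detection the introduction describes (filename, file content and hash extractors, plus version ranges), here is a small Python re-implementation; it is not the project's Java code. The repository entries, the sample contents and the vulnerability ranges are constructed for the example. The layout mirrors the Retire.js jsrepository.json shape (extractors containing a §§version§§ placeholder, vulnerabilities with below/atOrAbove), while the version placeholder is a slightly stricter variant of the real one, requiring every dotted segment to start with a digit, so that "jquery-1.8.1.min.js" yields "1.8.1" rather than "1.8.1.min".

```python
import hashlib
import re

# Version placeholder used inside extractor regexes. Each dotted segment must
# start with a digit (stricter than the Retire.js pattern) so a trailing
# ".min.js" is not swallowed into the version string.
VERSION_PATTERN = r"[0-9][0-9a-z_\-]*(?:\.[0-9][0-9a-z_\-]*)*"

# Constructed minified-without-banner sample; its hash feeds the hash extractor.
SAMPLE_STRIPPED = "(function(a,b){a.jQuery=a.$=function(){}})(window);"

# Constructed mini-repository in the jsrepository.json layout. The ranges and
# identifiers are illustrative, NOT the real Retire.js vulnerability data.
REPOSITORY = {
    "jquery": {
        "extractors": {
            "filename": [r"^jquery-(§§version§§)(?:\.min)?\.js$"],
            "filecontent": [
                r"\* jQuery JavaScript Library v(§§version§§)",
                r"/\*!? jQuery v(§§version§§)",
            ],
            "hashes": {hashlib.sha1(SAMPLE_STRIPPED.encode()).hexdigest(): "1.8.1"},
        },
        "vulnerabilities": [
            {"below": "1.6.3", "identifiers": {"CVE": ["CVE-2011-4969"]}},
            {"below": "1.9.0b1", "identifiers": {"issue": "11290"}},
        ],
    },
}


def compile_signature(regex):
    """Substitute the version placeholder and compile the signature."""
    return re.compile(regex.replace("§§version§§", VERSION_PATTERN))


def version_key(version):
    """Sortable key: numeric segments compare numerically and a pre-release
    suffix (1.9.0b1) sorts before the plain release (1.9.0)."""
    key = []
    for segment in re.split(r"[.\-]", version):
        match = re.match(r"(\d*)(.*)", segment)
        number = int(match.group(1)) if match.group(1) else 0
        suffix = match.group(2)
        key.append((number, 0 if suffix == "" else -1, suffix))
    return key


def version_below(version, bound):
    return version_key(version) < version_key(bound)


def is_affected(version, vuln):
    """A vulnerability covers [atOrAbove, below); '*' or absence is unbounded."""
    below = vuln.get("below", "*")
    at_or_above = vuln.get("atOrAbove", "*")
    if below != "*" and not version_below(version, below):
        return False
    if at_or_above != "*" and version_below(version, at_or_above):
        return False
    return True


def identify_version(extractors, filename=None, content=None):
    """Try the extractors in order: filename, file-content regexes, then an
    exact SHA-1 of the content. Returns the version string or None."""
    if filename is not None:
        for regex in extractors.get("filename", []):
            match = compile_signature(regex).search(filename)
            if match:
                return match.group(1)
    if content is not None:
        for regex in extractors.get("filecontent", []):
            match = compile_signature(regex).search(content)
            if match:
                return match.group(1)
        digest = hashlib.sha1(content.encode("utf-8")).hexdigest()
        if digest in extractors.get("hashes", {}):
            return extractors["hashes"][digest]
    return None


def scan(filename=None, content=None, repository=REPOSITORY):
    """One finding per (library, vulnerability) whose range covers the version."""
    findings = []
    for library, entry in repository.items():
        version = identify_version(entry["extractors"], filename, content)
        if version is None:
            continue
        for vuln in entry["vulnerabilities"]:
            if is_affected(version, vuln):
                findings.append({"library": library, "version": version,
                                 "below": vuln.get("below", "*"),
                                 "identifiers": vuln["identifiers"]})
    return findings


if __name__ == "__main__":
    banner = "/*!\n * jQuery JavaScript Library v3.2.1\n * https://jquery.com/\n */"
    for args in ({"filename": "jquery-1.8.1.min.js"}, {"filename": "jquery-1.4.3.min.js"},
                 {"content": banner}, {"content": SAMPLE_STRIPPED}):
        print(args, "->", scan(**args))
```

Run as a script it prints one line per sample: 1.8.1 matches only the "below 1.9.0b1" range, 1.4.3 matches both, the 3.2.1 banner matches nothing, and the banner-less sample is still identified through its hash.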

burp-retire-js's People

Contributors

ahri, bbossola, cclauss, colezlaw, davewichers, dependabot[bot], dnet, eoftedal, franklinyu, h3xstream, hyandell, jeremylong, jimbethancourt, kingthorin, mariovilas, mike-smith-ps, smuda, thc202, tmendo, tuxofil


burp-retire-js's Issues

Why are Maven projects with packaging=pom silently not scanned?

Hi!
I added the com.h3xstream.retirejs:retirejs-maven-plugin to a maven project that creates a web client application and a node server application.

The scanning was really fast which made me suspicious. After looking at the source code for RetireJsScan.java at line 114 the scan is discarded if the packaging is set to "pom". It's logged at debug level which means it'll not show for normal usage.

To me it seems more appropriate to log at info but more importantly, why should scanning not be done when packaging is set to pom?

Third party JS files

Is it possible to raise an issue when third party outdated JS files are used in a website?
At the moment issues are only listed in those third party sites which is not ideal.

Updating DB via upstream proxy

Hi,
Correct me if I'm wrong, but it appears you are loading the new vulnerability DB directly, "ignoring" the upstream proxy setup in Burp. Since my Burp instance does not have a direct internet connection, I set up an upstream proxy in Burp for raw.githubusercontent.com, but I'm still getting UnknownHostException.
Would it be possible to route traffic through the upstream proxy instead?
Thanks

Burp Plugin Using High CPU and Killing Live Audit Activity

On Burp Pro 2.1.04

Noticed that the issue activity panel was displaying no results as I was proxying applications through Burp and seeing high CPU activity. The plugin was displaying no errors in the UI and when I loaded the plugin no errors are displayed. Running Burp as a JAR from the command line also displayed no errors. Once I unloaded the plugin, restarted Burp and navigated through any application this issue was not occurring again.

Appreciate any help on this,
Cheers,

File name matcher does not work if script type attribute is after script src attribute

The method ScannerFacade#findScriptUrl does not correctly extract only the src attribute value.

It seems this method is intended to extract the value between the first quote in the src attribute and the last quote in the src attribute.
However, the method actually extracts the value between the first quote in the src attribute and the last quote in the script tag.

For example, if the script tag is as below, ScannerFacade#findScriptUrl returns /jquery-1.4.3,.min.js" type="text/javascript.

<script src="/jquery-1.4.3,.min.js" type="text/javascript"></script>

The file matcher works on the substring after the last slash of the extracted value, so in this case, it processes javascript.
Therefore, the library with vulnerabilities jquery-1.4.3.min.js is not detected.

ScannerFacade#getFilename not working properly on Windows

The ScannerFacade#getFilename method uses a hard-coded '/' as path separator, causing the method not to work properly on Windows, as Windows uses backslashes as path separator.

private static String getFilename(String path) {
    int lastSlash = path.lastIndexOf('/');
    if(lastSlash < 0) lastSlash = 0;
    return path.substring(lastSlash+1);
}

In this code, the lastSlash variable will always be 0, as a Windows path (or filename) cannot contain forward slashes.

It probably should use something like File.pathSeparator instead of the hard-coded '/'.

Incompatible/Buggy Behaviour with BurpSuite >=2.0.0.x

I installed the plugin via the BApp Store and get the expected output after activating the plugin:

== Retire.js plugin ==
Passive scan rules to detect vulnerable Javascript libraries
 - Github : https://github.com/h3xstream/burp-retire-js

== License ==
Retire.js repository is release under Apache License v2.
Retire.js Burp plugin is release under LGPL.

00:00  INFO: Caching Retire.js latest repository
00:00  INFO: Loading the latest Retire.js repository

However, when requesting the test cases e.g.:
https://raw.githubusercontent.com/h3xstream/burp-retire-js/master/test-samples/jquery-1.6.2.js

There is no new issue in the target view. No error in output, Dashboard Event Log, and error log.

Expected:
New issue in target view or error triggered.

org.zaproxy

The Maven build failed because of the org.zaproxy:zaproxy:jar:2.4.3 dependency. It succeeded when I changed the artifactId to zap and the version to 2.5.0.

Correct spelling errors

include -> includes
those not apply -> does not apply

(+regenerate screenshots)

Double check the other text descriptions.

Generated alert names

The plugin currently generates alert titles that include the filename and the name of the library. That doesn't match what the native detections of ZAP/Burp do (as far as I can tell).

In ZAP at least (and in Burp as well I think?) issues usually have a generic name without dynamic content so multiple issues of the same type will be grouped together in the GUI, and you can expand it if you want to see all the separate details. Since RetireJS puts the filename and library name in the issue name, issues will not be grouped together and for some sites it can result in a large amount of RetireJS issues in the UI compared to other types of issues.

I can submit a patch to use a generic issue name (something like "Outdated and vulnerable JavaScript libraries found" seems good), but wanted to ask first if you agree with this change.

StackOverflowError in `findByFileContent`

I am starting here - but this may need to be raised against the RetireJs repo; the original report is against dependency-check #1969.

When using the core library to scan jquery-ui-1.6rc6-customized.js a StackOverflowError occurs in com.h3xstream.retirejs.repo.VulnerabilitiesRepository#findByFileContent(String). The error specifically occurs when scanning for jquery-ui-dialog using the regex:

/\*!?[\n *]+jQuery UI ([0-9][0-9.a-z_\\\\-]+)(.*\n)*.*\.ui\.dialog

Originally retrieved from: https://github.com/RetireJS/retire.js/blob/cde69c04e63b65c1cba235efad01e904f28f4bd5/repository/jsrepository.json#L260

As with most regex issues - the stack trace is super helpful:

java.lang.StackOverflowError: null
	at java.util.regex.Pattern$GroupHead.match(Pattern.java:4656)
	at java.util.regex.Pattern$Loop.match(Pattern.java:4785)
	at java.util.regex.Pattern$GroupTail.match(Pattern.java:4717)
	at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3798)
	at java.util.regex.Pattern$Curly.match0(Pattern.java:4272)
	at java.util.regex.Pattern$Curly.match(Pattern.java:4234)
	at java.util.regex.Pattern$GroupHead.match(Pattern.java:4658)
	at java.util.regex.Pattern$Loop.match(Pattern.java:4785)
	at java.util.regex.Pattern$GroupTail.match(Pattern.java:4717)
        ...

Hardcoded Rules URL

Could you make the rules that the plugin fetches from GitHub assignable from an alternative location? I typically work in closed networks without internet access and would like the ability to fetch from my own URL or local file store, without having to recompile the plugin and lose the update functionality through the BApp Store.

Severity and Certainty rating

First of all thanks for the plugin.

I'm running this Burp extension against a lot of sites. While most Burp extensions try to match a certainty and severity depending on what they found, this plugin will often say Certainty "Certain" and Severity "High":

"Certain", //The library is old for sure .. if the app is vulnerable, not so sure..

As a consequence the Target tab of Burp lights up like a Christmas tree. However, more often than not the vulnerable website is either not using the feature that is vulnerable at all or it is simply not exploitable (e.g. no source for a DOM-based XSS where an attacker could inject). I find that to be true in 90% of the cases. So I would suggest lowering at least the Certainty ranking. Of course the library is old, but that doesn't mean it's vulnerable, and when it's not vulnerable this extension is creating false positives. So I would suggest lowering the Certainty to "Tentative". Would that be possible?

version detection: jquery

Hi,

thanks for the burp plugin! I use it frequently and it seemed to be reliable so far.

However, in an ongoing test, it seems to get confused by the path:

Issue:   Vulnerable version of the library 'jquery' found
[..]
Path:   [..]/47a9c871/jquery.js

Note: This issue was generated by the Burp extension: Retire.js.

Issue detail

The library jquery version 47a9c871 has known security issues. For more information, visit those websites:
https://nvd.nist.gov/vuln/detail/CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
https://bugs.jquery.com/ticket/9521

Affected versions:

The vulnerability is affecting all versions prior 1.6.3 (between * and 1.6.3)

Then, same path, exactly the same message, but it says:

Affected versions 
The vulnerability is affecting all versions prior 1.9.0b1 (between * and 1.9.0b1)

This is in fact a locally installed version on the server, response:


/*!
 * jQuery JavaScript Library v3.2.1
 * https://jquery.com/
 *
 * Includes Sizzle.js
 * https://sizzlejs.com/
 *
 * Copyright JS Foundation and other contributors
 * Released under the MIT license
 * https://jquery.org/license
 *
 * Date: 2017-03-20T18:59Z
 */

The version seems to be 3.2.1. Any idea what's going on?

Thx, Dirk

display library version

Could the Burp Plugin display which version of the library it is using? This would help for debugging with false positive rules that have been fixed upstream.

image

JQuery-UI vulnerabilities before JQuery 1.12.0 are not detected

Hi Guys,
I am using your Burp extension to perform web scans in an application and it works great with various versions of JQuery. However, scanning JQuery-UI versions before 1.2.0 does not flag the vulnerabilities described in https://nvd.nist.gov/vuln/detail/CVE-2016-7103.

Looking through the repository in https://github.com/h3xstream/burp-retire-js/blob/master/retirejs core/src/main/resources/retirejs_repository.json I noticed that the "jquery-ui" does not contain a jquery-ui entry to match the issues.

Would adding the entry for the issues stated above to the repository allow the extension to identify the issue and report it in Burp scans?

Thanks,
Rodolfo

retirejs-maven-plugin:2.1.0 does not appear to use maven proxy settings:

Process works as expected while not connected to corporate network, but fails to load repository when proxy is to be used.

Console output:

[INFO] --- retirejs-maven-plugin:2.1.0:scan (scanProject) @ Demo ---
[ERROR] Exception while loading the repository (Most likely unable to access the internet) java.net.UnknownHostException: raw.githubusercontent.com

pom.xml:

<plugin>
    <groupId>com.h3xstream.retirejs</groupId>
    <artifactId>retirejs-maven-plugin</artifactId>
    <version>2.1.0</version>
    <executions>
        <execution>
            <id>scanProjectJS</id>
            <phase>install</phase>
            <goals>
                <goal>scan</goal>
            </goals>
        </execution>
    </executions>
</plugin>

settings.xml (some values masked for security):

<proxies>
 <proxy>
   <id>INTERNALDOMAINproxy-http</id>
   <active>true</active>
   <protocol>http</protocol>
   <host>proxy.INTERNALDOMAIN.com</host>
   <port>80</port>
   <username>INTERNALDOMAIN\userid</username>
   <password>************</password>
   <nonProxyHosts>localhost,127.0.0.1,*.INTERNALDOMAIN.com</nonProxyHosts>
 </proxy>
</proxies>

LGPL license considerations

Hello, I'm wanting to use the retirejs-core library in an open source application (Apache 2.0 license) and there is legitimate fear that if I do, many orgs will refuse to use the parent application due to the use of a LGPL licensed component. Use of anything GPL/LGPL is typically banned in many organizations.

As of now, I have two choices. I can 1) reimplement the parts of the core that I need in a new library that is licensed under an Apache 2.0 compatible license, or 2) I can ask you to reconsider the use of LGPL in favor of a more friendly license.

So first step is to see if you'll reconsider licensing retirejs-core under the Apache 2.0 (or MIT) license. Please let me know either way.

False Positives with embedded JavaScript Libraries

The current implementation does not use the DOM representation of websites but rather the whole HTTP response.
As a result, any JavaScript file embedded within a comment will yield a false positive in the retireJS Burp plugin.
Example:

<!-- --> <script src=jquery-vuln.js/> -->

private List<String> findScriptUrl(String source) {

I can imagine two possible ways to fix it:

  1. (My preferred solution): Use a library for proper DOM parsing rather than parsing the HTTP response line-by-line and match strings (e.g. jsoup).

  2. Check manually whether the detected <script> tag is embedded within a comment section.
    Pseudocode (as Java):
    int commentEnd = source.lastIndexOf("-->", scriptOffset);
    int commentBegin = source.lastIndexOf("!--", scriptOffset);
    if (commentBegin > commentEnd) { // Abort, we are inside a comment
        return;
    }

Due to my limited Java skills and time constraints I have not prepared a pull request yet ;)

If this behaviour is intended, the plugin should at least make explicit that the vulnerability is theoretical only.
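The three issues above about findScriptUrl (type attribute after src), getFilename on Windows and includes inside HTML comments all come down to locating script sources by plain string search. As an added example that is not the project's code, the following Python uses the standard library's HTML tokenizer, which reports start tags only outside comments (commented-out includes arrive in handle_comment instead), together with a basename helper that accepts either separator; naive_script_src reproduces the greedy-quote pitfall from the findScriptUrl issue for contrast. The sample markup is constructed. One caveat on the suggestion in the getFilename issue: in Java, File.separator is the platform's path-component separator, while File.pathSeparator is the delimiter between entries of a path list such as the classpath; splitting on both '/' and '\' avoids depending on either.

```python
import re
from html.parser import HTMLParser

# Constructed sample: one include inside a comment, one live include with the
# type attribute after src, one with single quotes, and one inline script.
SAMPLE_HTML = """<html><head>
<!-- old include, disabled: <script src="/static/js/jquery-1.4.3.min.js"></script> -->
<script src="/jquery-1.4.3.min.js" type="text/javascript"></script>
<script type="text/javascript" src='/static/js/app.js'></script>
<script>inline(); // no src</script>
</head></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect src values of <script> start tags the tokenizer actually emits.
    Text between <!-- and --> is delivered to handle_comment, never tokenized
    into tags, so a commented-out include cannot reach handle_starttag."""

    def __init__(self):
        super().__init__()
        self.sources = []          # live includes
        self.commented_out = []    # includes found inside comments (not live)

    def handle_starttag(self, tag, attrs):
        if tag == "script":        # HTMLParser lower-cases tag and attribute names
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)

    def handle_comment(self, data):
        # Recorded for reporting only: a reviewer may still want to know a
        # vulnerable file is referenced, but it must not be flagged as live.
        self.commented_out.extend(
            re.findall(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', data, re.IGNORECASE))


def _parse(source):
    collector = ScriptSrcCollector()
    collector.feed(source)
    collector.close()
    return collector


def find_script_urls(source):
    """Live <script src> values, exactly the attribute value, in document order."""
    return _parse(source).sources


def commented_out_script_urls(source):
    """<script src> values that appear only inside HTML comments."""
    return _parse(source).commented_out


def basename(path):
    """Last path component whether the separator is '/' or '\\'."""
    return re.split(r"[\\/]", path)[-1]


def naive_script_src(tag):
    """The pitfall described in the findScriptUrl issue, reconstructed for
    contrast: a greedy match from the first quote after src to the LAST quote
    in the tag drags every later attribute into the 'URL'."""
    match = re.search(r'src="(.*)"', tag)
    return match.group(1) if match else None


if __name__ == "__main__":
    for url in find_script_urls(SAMPLE_HTML):
        print("live:", url, "->", basename(url))
    for url in commented_out_script_urls(SAMPLE_HTML):
        print("commented out:", url)
    print("naive:", naive_script_src('<script src="/jquery-1.4.3.min.js" type="text/javascript"></script>'))
```

The file-name matcher would then run on basename(url) for each live include only, which is "jquery-1.4.3.min.js" and "app.js" for the sample, while the commented-out copy is available for reporting at a lower certainty rather than as a finding.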

Update Central

Can the latest version of the maven plugin and core be published to Central?

CVE-2018-10237: Vulnerable Guava 16.0.1 in retirejs-core v3.0.1

The currently released version v3.0.1 of retirejs-core contains the vulnerable Guava version 16.0.1 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10237) as a transitive dependency via com.github.spullara.mustache.java.compiler v0.8.18.

The current snapshot of retirejs-core already contains a version of com.github.spullara.mustache.java.compiler (v0.9.5) that doesn't contain guava anymore.
(See 06cacf0#diff-600376dffeb79835ede4a0b285078036)

Would it be possible to get a new release soon?

Group the same findings into a single issue (Burp)

Instead of having an issue for each vulnerable instance of jQuery, include them all under a single finding, regardless of where they are referenced within an application. This way it's easy to copy and paste, and you don't get spammed. Right now I have about 25 instances of the same jQuery include.

False positive: Version 3.2.1 detected as < 1.6.3

Hi,

this maybe is related to #49....

Issue:   Vulnerable version of the library 'jquery' found
[..]
Path:    <some internal path which loads an externally hosted jquery>

Note: This issue was generated by the Burp extension: Retire.js.

Issue detail

The library jquery version 47a9c871 has known security issues. For more information, visit those websites:
https://nvd.nist.gov/vuln/detail/CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
https://bugs.jquery.com/ticket/9521

Affected versions

The vulnerability is affecting all versions prior 1.6.3 (between * and 1.6.3)

In the HTTP response (Content-Type: text/html; charset=UTF-8) the following is highlighted: <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>

Cheers, Dirk

Not working correctly with latest RetireJS repo

Since the commit at RetireJS/retire.js@60ffbeb the RetireJSRepository here cannot understand filecontent on the new entry correctly, yielding:

java.util.regex.PatternSyntaxException: Unclosed character class near index 79
u.version="([0-9][0-9.a-z_\\\\-]+)";u.settings=[];u.models=\{\};u.models.oSearch
                                                                               ^
        at java.base/java.util.regex.Pattern.error(Pattern.java:2028)
        at java.base/java.util.regex.Pattern.clazz(Pattern.java:2690)
        at java.base/java.util.regex.Pattern.sequence(Pattern.java:2139)
        at java.base/java.util.regex.Pattern.expr(Pattern.java:2069)
        at java.base/java.util.regex.Pattern.compile(Pattern.java:1783)
        at java.base/java.util.regex.Pattern.<init>(Pattern.java:1430)
        at java.base/java.util.regex.Pattern.compile(Pattern.java:1069)
        at com.h3xstream.retirejs.repo.VulnerabilitiesRepository.findByFileContent(VulnerabilitiesRepository.java:117)
        at com.h3xstream.retirejs.repo.ScannerFacade.scanScript(ScannerFacade.java:125)

There is a downstream issue at jeremylong/DependencyCheck#4695 caused by this on latest RetireJS repo.

It seems to be due to the [] in the filecontent value which would need to be \-escaped in regex. I cannot see consistent regex escaping that is attempted by the code at the below, so perhaps it is not expecting arbitrary content in the expressions?

public List<JsLibraryResult> findByFileContent(String scriptContent) {
    String scriptStart = scriptContent.substring(0, Math.min(20, scriptContent.length())).replace("\n", "");
    Log.debug("Analysing the content: \"" + scriptStart + "[..]\"");
    long before = System.currentTimeMillis();
    List<JsLibraryResult> res = new ArrayList<JsLibraryResult>();
    libLoop: for (JsLibrary lib : jsLibrares) {
        if (lib.getFileContents() == null) {
            continue;
        }
        for (String contentRegex : lib.getFileContents()) {
            //Extract version
            Pattern p = Pattern.compile(contentRegex);
            String version = RegexUtil.simpleMatch(p, scriptContent);
            if (version != null) { //Pattern match
                Log.debug("Pattern match \"" + contentRegex + "\" !");
                Log.debug("Identify the library " + lib.getName() + " (version:" + version + ")");
                findVersionVulnerable(lib, version, res, null, contentRegex);
                continue libLoop;
            }
        }
    }
    long delta = System.currentTimeMillis() - before;
    Log.debug("It took ~" + (int) (delta / 1000.0) + " sec. (" + delta + " ms) to scan");
    return res;
}

public static String replaceVersion(String regex) {
    //Note : It is important to load the repository file in UTF-8 (as it is encoded in this file)
    regex = regex.replace("§§version§§", "[0-9][0-9.a-z_\\\\\\\\-]+");
    if (regex.contains("{")) {
        regex = regex.replaceAll("\\{\\}", "\\\\{\\\\}"); //Exception {} is interpret as empty number of char as in [a-z]{1337}
    }
    if (regex.contains("\n")) {
        regex = regex.replaceAll("\n", "\\\\n");
    }
    return regex;
}

Is "filecontent" : [ "http://www.datatables.net\n +DataTables (§§version§§)", "u.version=\"(§§version§§)\";u.settings=[];u.models={};u.models.oSearch" ], valid from the library's perspective?
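The PatternSyntaxException in the trace above aborts the whole scan because Pattern.compile runs inside the loop with nothing catching it, so one malformed upstream entry disables every other signature. As an added example that is not the project's code, the following Python mirrors the placeholder substitution and the {} escaping from replaceVersion, compiles each filecontent signature with the error caught, lists the offending entries with their position, and lets the lookup continue over the signatures that do compile. The repository text is constructed in the format quoted above; Python reports the same [] problem as "unterminated character set" where Java says "Unclosed character class".

```python
import json
import re

# Same replacement text as replaceVersion() after Java string unescaping.
VERSION_PATTERN = r"[0-9][0-9.a-z_\\-]+"

# Constructed repository text in the page's format. The second datatables
# entry has the unescaped [] that breaks compilation.
SAMPLE_REPO_JSON = r'''
{
  "jquery": {
    "extractors": {"filecontent": ["\\* jQuery JavaScript Library v(§§version§§)"]}
  },
  "datatables": {
    "extractors": {"filecontent": [
      "http://www.datatables.net\n +DataTables (§§version§§)",
      "u.version=\"(§§version§§)\";u.settings=[];u.models={};u.models.oSearch"
    ]}
  }
}
'''


def prepare_regex(regex):
    """Mirror replaceVersion(): substitute the version placeholder and escape a
    literal {} so it is not read as a quantifier. Nothing else is escaped,
    because filecontent entries are regexes by design ('\\n +DataTables')."""
    regex = regex.replace("§§version§§", VERSION_PATTERN)
    return regex.replace("{}", r"\{\}")


def safe_compile(regex):
    """Return (pattern, None) on success or (None, message) instead of raising.
    re.error carries .msg and .pos, the Python counterpart of the Java
    'near index 79' report in the trace above."""
    try:
        return re.compile(prepare_regex(regex)), None
    except re.error as exc:
        return None, f"{exc.msg} at index {exc.pos}"


def validate_repository(repo_json):
    """Compile every filecontent signature once and report the broken ones,
    e.g. as a startup warning, instead of discovering them mid-scan."""
    problems = []
    for library, entry in json.loads(repo_json).items():
        for regex in entry.get("extractors", {}).get("filecontent", []):
            pattern, error = safe_compile(regex)
            if pattern is None:
                problems.append({"library": library, "regex": regex, "error": error})
    return problems


def find_by_file_content(content, repo_json):
    """Version lookup that skips uncompilable signatures rather than aborting
    the whole scan. Returns (library, version) or None."""
    for library, entry in json.loads(repo_json).items():
        for regex in entry.get("extractors", {}).get("filecontent", []):
            pattern, _ = safe_compile(regex)
            if pattern is None:
                continue
            match = pattern.search(content)
            if match:
                return library, match.group(1)
    return None


if __name__ == "__main__":
    for problem in validate_repository(SAMPLE_REPO_JSON):
        print(f"{problem['library']}: {problem['error']}: {problem['regex']}")
    print(find_by_file_content("/*!\n * jQuery JavaScript Library v1.6.2\n */", SAMPLE_REPO_JSON))
    print(find_by_file_content("http://www.datatables.net\n DataTables 1.10.4", SAMPLE_REPO_JSON))
    # The same entry with the brackets escaped compiles without complaint.
    print(safe_compile(r'u.settings=\[\];u.models={};')[1])
```

Reporting the broken entry once at load time, and skipping it during the scan, keeps a single upstream regex change from silently turning the plugin into a no-op for every library in the repository.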

Confusion and repoUrl issue between 2.2.0 and 3.0.0

First off, thank you for making the Retirejs maven plugin. I've been using it in all my recent projects.

I've been using 2.2.0 with much success. I recently upgraded to 3.0.0 and suddenly it doesn't know the default retireJsRepoUrl and I have to specify it. When executing the plugin, I get a message back saying that it's empty or null. It seems to ignore the default value.

Although 3.0.0 appears to be the latest artifact in Maven central, the source in this repo version is at 2.3.0-SNAPSHOT. So I'm a bit confused on what is the latest release of the plugin and what version is recommended to be used.

<dependency>
    <groupId>com.h3xstream.retirejs</groupId>
    <artifactId>retirejs-maven-plugin</artifactId>
    <version>3.0.0</version>
</dependency>

For the time being, I've moved back to using 2.2.0 from Maven Central.

Cache the last JSON repository fetched

Once a new repository is fetched, it would be better to cache it in case the user doesn't have internet access the next time he restarts the application.

It would also be interesting to refresh the repository after a certain delay. Many Burp users keep their application open for a week or more.

Idea suggested by @eoftedal - #2 (comment)
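One way to implement the cache-and-refresh behaviour proposed in this issue, as an added Python example that is not the project's code: the last successfully fetched repository is kept on disk with its fetch time, a fetch is attempted again only once that copy is older than max_age, and a failed fetch (the UnknownHostException case from the proxy issues) falls back to the stale copy instead of leaving the scanner without rules. The fetch function and the clock are injected so the offline restart can be simulated without network access; the repository body and cache path are constructed.

```python
import json
import os
import tempfile
import time


class RepositoryCache:
    """Disk cache for the Retire.js repository JSON with a refresh interval."""

    def __init__(self, fetch, cache_path, max_age=24 * 3600, clock=time.time):
        self.fetch = fetch              # callable returning the repository text
        self.cache_path = cache_path
        self.max_age = max_age          # seconds before a refresh is attempted
        self.clock = clock              # injectable for deterministic tests

    def _read_cache(self):
        """(fetched_at, body) from disk, or (None, None) if absent or corrupt."""
        try:
            with open(self.cache_path, encoding="utf-8") as handle:
                wrapper = json.load(handle)
            return wrapper["fetched_at"], wrapper["body"]
        except (OSError, ValueError, KeyError):
            return None, None

    def _write_cache(self, body):
        with open(self.cache_path, "w", encoding="utf-8") as handle:
            json.dump({"fetched_at": self.clock(), "body": body}, handle)

    def load(self):
        """Return (repository_text, source) with source one of
        'cache', 'network' or 'stale-cache'."""
        fetched_at, body = self._read_cache()
        if body is not None and self.clock() - fetched_at < self.max_age:
            return body, "cache"
        try:
            fresh_body = self.fetch()
        except OSError:                 # urllib's URLError is an OSError subclass
            if body is None:
                raise                   # nothing cached: surface the failure
            return body, "stale-cache"  # keep scanning with the last good copy
        self._write_cache(fresh_body)
        return fresh_body, "network"


def demo():
    """Constructed scenario: first start online, a restart offline within the
    refresh interval, then a run after the interval has expired while still
    offline. Returns the three 'source' values."""
    now = [1_000_000.0]
    online = [True]

    def fetch():
        if not online[0]:
            raise OSError("UnknownHostException: raw.githubusercontent.com")
        return '{"jquery": {"extractors": {}, "vulnerabilities": []}}'

    path = os.path.join(tempfile.mkdtemp(), "jsrepository.json")
    cache = RepositoryCache(fetch, path, max_age=24 * 3600, clock=lambda: now[0])
    first = cache.load()[1]
    online[0] = False
    now[0] += 3600
    second = cache.load()[1]
    now[0] += 48 * 3600
    third = cache.load()[1]
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

For a long-running Burp session the same object can be polled from a timer, since load() only goes to the network once the cached copy has aged past max_age.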

Do not include file name in issue title

Burp seems to merge issues with same title. Current issue structure:

The file 'jquery.min.js' includes a vulnerable version of the library 'jquery'
 - /static/js/jquery.min.js
 - /static/js/jquery.min.js
The file 'index.html' includes a vulnerable version of the library 'jquery'
 - /static/html/index.html
 - /static/html/index.html
The file 'login.html' includes a vulnerable version of the library 'jquery'
 - /static/html/login.html
 - /static/html/login.html
The file 'items.html' includes a vulnerable version of the library 'jquery'
 - /static/html/items.html
 - /static/html/items.html

Which is multiple groups of the same issue. It would be more tidy to simply say

Vulnerable version of the library 'jquery' detected
 - /static/js/jquery.min.js
 - /static/js/jquery.min.js
 - /static/html/index.html
 - /static/html/index.html
 - /static/html/login.html
 - /static/html/login.html
 - /static/html/items.html
 - /static/html/items.html

Because the file name would be available anyway.

Error loading plugin

Burp version 2023.1.3 upgrade showing an error on adding the extension - see below

java.lang.NullPointerException: Cannot invoke "burp.api.montoya.http.message.responses.HttpResponse.headers()" because "<parameter1>" is null
	at burp.oxt.c(Unknown Source)
	at burp.u6r.analyzeResponse(Unknown Source)
	at burp.g0w.analyzeResponse(Unknown Source)
	at burp.j47.analyzeResponse(Unknown Source)
	at burp.BurpUpstreamDownloader.downloadUrlToFile(BurpUpstreamDownloader.java:36)
	at com.h3xstream.retirejs.repo.VulnerabilitiesRepositoryLoader.load(VulnerabilitiesRepositoryLoader.java:61)
	at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:67)
	at burp.u3j.M(Unknown Source)
	at burp.gp3.u(Unknown Source)
	at burp.gp8.lambda$initialiseOnNewThread$0(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)

Burp plugin versioning

I'm very confused which is the newest version, and which one should be used... In your repository, you have link to https://raw.githubusercontent.com/h3xstream/burp-retire-js/gh-pages/releases/burp/burp-retire-js-3.0.1.jar - 3.0.1
In your pom.xml file https://github.com/h3xstream/burp-retire-js/blob/master/retirejs-burp-plugin/pom.xml you mention version 3.0.2
When I check the BappStore, there is version 2.3.1: https://portswigger.net/bappstore/36238b534a78494db9bf2d03f112265c
And then when I download the actual .bapp file, open it in 7-zip -> Retire.js_v2.3.1.bapp\retirejs-burp-plugin\target\burp-retire-js-3.jar there is version 3.
Would it be possible to somehow standardize and sync all the possible values, so that we know which is the newest version?
Thanks

Passive scan doesn't pick it up

When I right click and choose the Passive Scan on a vulnerable JS file, retire.js does not pick up the vulnerable JS. When I send the same JS for Active Scan it works fine.

My setting in scanner looks like this:
image

There is no debug message regarding the JS file when I select it for passive scanning in Extender>Retire.js>Output. Therefore, it seems it has not been triggered.

Add retirejs-maven-plugin reference to intro to this project

Hi Philippe!!

At the top of this project, it says:

Burp/ZAP extension that integrate Retire.js repository to find vulnerable Javascript libraries.
burp-plugin zap-plugin javascript vulnerability scanner

Seems like the Maven plugin should be included in that list.
