Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crawl the source map files #413

Closed
wants to merge 6 commits into from
Closed

Crawl the source map files #413

wants to merge 6 commits into from

Conversation

ShubhamRasal
Copy link
Contributor

@ShubhamRasal ShubhamRasal commented Apr 20, 2023
edited
Loading

  • Crawl the source map files
  • Use body parser to parse the sourceContents
Example 1 
./katana -u https://bitbucket.org -jc -ns -v

   __        __                
  / /_____ _/ /____ ____  ___ _
 /  '_/ _  / __/ _  / _ \/ _  /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/							 

		projectdiscovery.io

[INF] Current katana version v1.0.2-dev (dev)
[INF] Started standard crawling for => https://bitbucket.org

[html] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/bitbucket.js
[html] [GET] https://www.facebook.com/djeihiulvfkgcccw.pkg.js
[js] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/bitbucket.js.map
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/common/tracking
[map] [GET] https://wac-cdn.atlassian.com/air-datepicker.js
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/common/analytics
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/utils/general
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/app.js
[map] [GET] https://wac-cdn.atlassian.com/utils/localized-pricing
[map] [GET] https://wac-cdn.atlassian.com/utils/url
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/utils/localized-pricing
[map] [GET] https://wac-cdn.atlassian.com/utils/storage
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/utils/url
[map] [GET] https://wac-cdn.atlassian.com/utils/string
Example 2 
./katana -u https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/bitbucket.js -jc -ns  -v

   __        __                
  / /_____ _/ /____ ____  ___ _
 /  '_/ _  / __/ _  / _ \/ _  /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/							 

		projectdiscovery.io

[INF] Current katana version v1.0.2-dev (dev)
[INF] Started standard crawling for => https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/bitbucket.js
[GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/bitbucket.js
[html] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/bitbucket.js
[js] [GET] https://api-private.atlassian.com/available-sites
[js] [GET] https://api-private.atlassian.com/me
[js] [GET] https://api-private.stg.atlassian.com/available-sites
[js] [GET] https://api-private.stg.atlassian.com/me
[js] [GET] http://www.w3.org/TR/SVG11/feature
[js] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/bitbucket.js.map
[header] [GET] https://www.w3.org/TR/SVG11/feature
[js] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/underscore.js
[js] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/air-datepicker.js
[js] [GET] https://wac-cdn.atlassian.com/login/select-account?continue=
[html] [GET] http://www.w3.org/1999/xlink
[map] [GET] https://wac-cdn.atlassian.com/common/tracking/platforms
[html] [GET] https://wac-cdn.atlassian.com/master/4501/assets/build/js/ad-hoc/bitbucket/air-datepicker.js
[html] [GET] https://www.w3.org/expanders.js
[html] [GET] https://wac-cdn.atlassian.com/master/4501/assets/build/js/ad-hoc/bitbucket/underscore.js
[js] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/select2.js
[html] [GET] https://wac-cdn.atlassian.com/dam/jcr
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/utils/history
[script] [GET] https://atl-global.atlassian.com/js/atl-global.min.js
[html] [GET] https://wac-cdn.atlassian.com/master/4501/assets/build/js/ad-hoc/bitbucket/select2.js
[js] [GET] https://www.atlassian.com/hamlet/1.0/auth/xsrf/html?domain=atlassian.com
[script] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/head.js?cdnVersion=971
[html] [GET] https://confluence.atlassian.com/display/ALLDOC/Atlassian
[script] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/jquery.js?cdnVersion=971
[js] [GET] https://www.atlassian.com/gateway/api
[a] [GET] https://www.facebook.com/Atlassian
[a] [GET] https://wac-cdn.atlassian.com/legal/impressum
[a] [GET] https://wac-cdn.atlassian.com/legal/cloud-terms-of-service
[script] [GET] https://wac-cdn.atlassian.com/login/bower_components/
[script] [GET] https://wac-cdn.atlassian.com/assets/
[a] [GET] https://wac-cdn.atlassian.com/company/contact
[a] [GET] https://wac-cdn.atlassian.com/legal/privacy-policy
[a] [GET] https://wac-cdn.atlassian.com/company/events
[link] [GET] https://wac-cdn.atlassian.com
[a] [GET] https://wac-cdn.atlassian.com/resources
[a] [GET] https://support.atlassian.com/contact/
[a] [GET] https://wac-cdn.atlassian.com/developers
[a] [GET] https://confluence.atlassian.com/kb
[link] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/css/wpl-main.css?cdnVersion=971
[a] [GET] https://www.atlassian.com/nl/404
[map] [GET] https://wac-cdn.atlassian.com/common/tracking
[a] [GET] https://www.atlassian.com/purchase/
[map] [GET] https://wac-cdn.atlassian.com/common/analytics
[a] [GET] https://www.atlassian.com/es/404
[a] [GET] https://www.atlassian.com/it/404
[a] [GET] https://www.atlassian.com/fr/404
[a] [GET] https://www.atlassian.com/404
[a] [GET] https://www.atlassian.com/de/404
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/common/tracking/platforms
[a] [GET] https://www.atlassian.com/zh/404
[map] [GET] https://wac-cdn.atlassian.com/underscore.js
[map] [GET] https://wac-cdn.atlassian.com/app.js
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/common/tracking
[map] [GET] https://wac-cdn.atlassian.com/air-datepicker.js
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/common/analytics
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/utils/general
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/app.js
[map] [GET] https://wac-cdn.atlassian.com/utils/localized-pricing
[map] [GET] https://wac-cdn.atlassian.com/utils/url
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/utils/localized-pricing
[map] [GET] https://wac-cdn.atlassian.com/utils/storage
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/utils/url
[map] [GET] https://wac-cdn.atlassian.com/utils/string
[map] [GET] https://wac-cdn.atlassian.com/OS%5C/2/
[map] [GET] https://wac-cdn.atlassian.com/BeOS/
[map] [GET] https://wac-cdn.atlassian.com/UNIX/
[map] [GET] https://wac-cdn.atlassian.com/QNX/
[map] [GET] https://wac-cdn.atlassian.com/SunOS/
[map] [GET] https://wac-cdn.atlassian.com/utils/history
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/utils/storage
[map] [GET] https://wac-cdn.atlassian.com/OpenBSD/
[map] [GET] https://wac-cdn.atlassian.com/Android/
[map] [GET] https://wac-cdn.atlassian.com/utils/tracking
[map] [GET] https://wac-cdn.atlassian.com/Win16/
[map] [GET] https://wac-cdn.atlassian.com/utils/general
[map] [GET] https://wac-cdn.atlassian.com/static/master/4501/assets/build/js/ad-hoc/bitbucket/utils/string
[map] [GET] https://wac-cdn.atlassian.com/utils/get-script
[map] [GET] https://wac-cdn.atlassian.com/utils/api
[map] [GET] https://wac-cdn.atlassian.com/utils/browser

@ShubhamRasal ShubhamRasal self-assigned this Apr 20, 2023
@ShubhamRasal ShubhamRasal marked this pull request as draft April 20, 2023 09:55
@ShubhamRasal ShubhamRasal marked this pull request as ready for review April 20, 2023 09:55
@ShubhamRasal ShubhamRasal linked an issue Apr 20, 2023 that may be closed by this pull request
Add crawling of javascript sourcemap files #128
Open
Mzack9999
Mzack9999 approved these changes Apr 20, 2023
View reviewed changes
Copy link
Member

@Mzack9999 Mzack9999 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm! - Question: By unmarshaling the json, we might detect more decoded endpoints, as many characters are escaped in the marshaled json and might not match the regexes?

tarunKoyalwar
tarunKoyalwar reviewed Apr 21, 2023
View reviewed changes
Copy link
Member

@tarunKoyalwar tarunKoyalwar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm !

suggesting minor changes

pkg/engine/parser/parser.go Outdated Show resolved Hide resolved
pkg/engine/parser/parser.go Outdated Show resolved Hide resolved
pkg/types/sourcemap.go Outdated Show resolved Hide resolved
@tarunKoyalwar
Copy link
Member

@Mzack9999 , a sample sourcemap file is available at below url

curl https://wac-cdn.atlassian.com/static/master/4466/assets/build/js/chunks/9b24561751aa1c.js.map | jq .

as you can tell running Endpoint regex and other regex on sourcemap content already generates lot of false positives this is due to

  • filePaths like ./utils are considered as relative endpoints
  • third party node_modules
  • mappings & variable names might be considered as endpoint by regex

by unmarshalling and removing node_modules we are actually trying to reduce false positives .

ideal solution would be to also add a new regex since it is quite rare to find a url like https://somethig.com/../abc but we will definitely see relative js/ts import statements like import ./utils

ehsandeep
ehsandeep reviewed Apr 22, 2023
View reviewed changes
Copy link
Member

@ehsandeep ehsandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

./katana -u https://wac-cdn.atlassian.com/static/master/4466/assets/build/js/chunks/9b24561751aa1c.js.map -jc -ns

   __        __                
  / /_____ _/ /____ ____  ___ _
 /  '_/ _  / __/ _  / _ \/ _  /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/							 

		projectdiscovery.io

[INF] Current katana version v1.0.2-dev (dev)
[INF] Started standard crawling for => https://wac-cdn.atlassian.com/static/master/4466/assets/build/js/chunks/9b24561751aa1c.js.map
https://wac-cdn.atlassian.com/static/master/4466/assets/build/js/chunks/9b24561751aa1c.js.map

@ShubhamRasal
Copy link
Contributor Author

image

@ehsandeep ehsandeep requested a review from tarunKoyalwar April 25, 2023 12:08
@tarunKoyalwar tarunKoyalwar added Investigation Status: Blocked There is some issue that needs to be resolved first. Status: Revision Needed Submitter of PR needs to revise the PR related to the issue. and removed Investigation labels Apr 27, 2023
@dogancanbakir dogancanbakir self-assigned this Nov 10, 2023
ehsandeep
ehsandeep requested changes Nov 20, 2023
View reviewed changes
Copy link
Member

@ehsandeep ehsandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

./katana -u https://bitbucket.org -jc -ns -v -proxy http://127.0.0.1:8080

   __        __                
  / /_____ _/ /____ ____  ___ _
 /  '_/ _  / __/ _  / _ \/ _  /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/							 

		projectdiscovery.io

[INF] Current katana version v1.0.4 (latest)
[INF] Started standard crawling for => https://bitbucket.org
[GET] https://bitbucket.org
[html] [GET] http://www.w3.org/2000/svg
[script] [GET] https://atl-global.atlassian.com/js/atl-global.min.js
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x10390b1fc]

goroutine 31 [running]:
github.com/projectdiscovery/utils/url.(*OrderedParams).Clone(0x0)
	/Users/geekboy/go/pkg/mod/github.com/projectdiscovery/[email protected]/url/orderedparams.go:157 +0x6c
github.com/projectdiscovery/utils/url.(*URL).Clone(0x1400128fd50)
	/Users/geekboy/go/pkg/mod/github.com/projectdiscovery/[email protected]/url/url.go:90 +0x204
github.com/projectdiscovery/katana/pkg/engine/parser.scriptJSFileRegexParser(0x140012a2790)
	/Users/geekboy/Github/katana/pkg/engine/parser/parser.go:674 +0x29c
github.com/projectdiscovery/katana/pkg/engine/parser.ParseResponse(0x140012a2790)
	/Users/geekboy/Github/katana/pkg/engine/parser/parser.go:101 +0x244
github.com/projectdiscovery/katana/pkg/engine/common.(*Shared).Do.func1()
	/Users/geekboy/Github/katana/pkg/engine/common/base.go:246 +0x174
created by github.com/projectdiscovery/katana/pkg/engine/common.(*Shared).Do in goroutine 61
	/Users/geekboy/Github/katana/pkg/engine/common/base.go:214 +0x250

@dogancanbakir
Copy link
Member 

go run . -u https://bitbucket.org -jc -ns -v -proxy http://127.0.0.1:8080

   __        __
  / /_____ _/ /____ ____  ___ _
 /  '_/ _  / __/ _  / _ \/ _  /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/							

		projectdiscovery.io

[INF] Current katana version v1.0.4 (latest)
[INF] Started standard crawling for => https://bitbucket.org
[GET] https://bitbucket.org
[script] [GET] https://atl-global.atlassian.com/js/atl-global.min.js
[script] [GET] https://bitbucket.org/bower_components/
...

@dogancanbakir
Copy link
Member

Closing this due to lost context. We'll review the issue again.

@ehsandeep ehsandeep deleted the spa-sourcemap branch March 17, 2024 11:07
@tarunKoyalwar tarunKoyalwar mentioned this pull request May 13, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mzack9999 Mzack9999 Mzack9999 approved these changes

@tarunKoyalwar tarunKoyalwar Awaiting requested review from tarunKoyalwar

@ehsandeep ehsandeep Awaiting requested review from ehsandeep

Assignees

@ShubhamRasal ShubhamRasal

@dogancanbakir dogancanbakir

Labels
Status: Blocked There is some issue that needs to be resolved first. Status: Revision Needed Submitter of PR needs to revise the PR related to the issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add crawling of javascript sourcemap files
5 participants
@ShubhamRasal @tarunKoyalwar @dogancanbakir @ehsandeep @Mzack9999