
Feature: Detection of MAP files for SPA main JS bundle

Open righettod opened this issue 4 years ago • 6 comments

Describe the feature wanted

Add detection of the map file in the script extract-spa-low-hanging-fruits.py:

//...
//# sourceMappingURL=main.dqfcf86f.chunk.js.map

righettod avatar Sep 07 '21 07:09 righettod

For this, it would be awesome if you leveraged a tool under the hood to also convert the map file back to its original state; this way you would be able to perform manual reviews on the code more easily 👀

LewisArdern avatar Oct 27 '21 22:10 LewisArdern

Hi,

Thanks a lot for the suggestion 👍

In fact, once you know that map files are exposed, the browser does the job for you and you can browse the "recovered" code. That is why I limited the task to "only detect" when map files are present. With the browser, you can set breakpoints, so you can explore the code using the browser JS debugger panel as an IDE 😃

I have documented that point in my cheat sheet:

[image: screenshot of the cheat sheet]

righettod avatar Oct 28 '21 05:10 righettod

By the way, I noticed that this feature (detection of map files) is already implemented, but I forgot to reference the issue in the commit 😃 So I am closing the issue. Thanks again a lot for your suggestion. Feel free to ping me if you think that it would be better to have the recovered code directly in Burp (I currently do not know how to achieve it, but I will find a way 😄)

righettod avatar Oct 28 '21 05:10 righettod

This isn't always possible though, @righettod, for a lot of reasons; sometimes you have to manually unpack it through resources like:

  • https://github.com/denandz/sourcemapper
  • https://github.com/pavloko/source-map-unpack
  • https://github.com/mozilla/source-map

I haven't looked at it in a while, but some webpack bundles failed to unpack via the browser the last time I checked -- this could be different now. I only mentioned this because I am giving a talk and will be referencing your piper scripts for detection :)

LewisArdern avatar Oct 28 '21 12:10 LewisArdern

My thought process has always been:

  • Identify the sourcemap
  • Unpack
  • Scan locally with semgrep or other

This might not be appropriate for most people's workflows, but it would be a lot cleaner to find issues in the unbundled JavaScript, and easier to read the code.

This was done by eslinter (https://github.com/parsiya/eslinter); a similar concept could be used for this workflow as well, but it would probably be a fairly out-there approach.

LewisArdern avatar Oct 28 '21 13:10 LewisArdern
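The three-step workflow above (identify the source map, unpack it, scan the result locally) and the detection requested at the top of the thread can be shown end to end in a few lines of Python. The block below is an added example written for this page; it is not code from the burp-piper-custom-scripts project or from any of the unpackers linked above. It implements the `//# sourceMappingURL=` detection for a fetched bundle, resolves the map URL (relative, absolute, or inline `data:`), and unpacks a version-3 source map into `path -> original content` using `sources` / `sourcesContent`, while rejecting path-traversal entries such as `../../etc/...` before anything is written to disk. The bundle and the source map embedded here are constructed sample inputs, and the `https://app.example/...` URLs are placeholders. Entries with no `sourcesContent` are reported as `None`, which is the case where a map cannot be fully recovered without fetching the original files separately.

```python
import base64
import json
import pathlib
import posixpath
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote, urljoin

# Trailing pragma that points a bundle at its source map. Accepts the modern
# '#' and the legacy '@' spelling, the // and /* */ comment styles, and any
# URL form (relative, absolute, or an inline data: URL).
SOURCEMAP_RE = re.compile(
    r"(?://|/\*)[#@]\s*sourceMappingURL=(?P<url>\S+?)\s*(?:\*/)?\s*$",
    re.MULTILINE,
)


def find_sourcemap_urls(body: str, script_url: str) -> List[str]:
    """Step 1 (detection): absolute source map URLs referenced by a bundle."""
    urls = []
    for m in SOURCEMAP_RE.finditer(body):
        url = m.group("url")
        # Relative references resolve against the script's own URL.
        urls.append(url if url.startswith("data:") else urljoin(script_url, url))
    return urls


def load_sourcemap(url: str, fetch: Optional[Callable[[str], bytes]] = None) -> dict:
    """Decode an inline data: map, or fetch a remote one via the supplied callable."""
    if url.startswith("data:"):
        header, _, payload = url.partition(",")
        raw = base64.b64decode(payload) if ";base64" in header else unquote(payload).encode()
        return json.loads(raw)
    if fetch is None:
        raise ValueError("remote source map requires a fetch callable (e.g. requests.get(...).content)")
    return json.loads(fetch(url))


def _safe_relpath(source: str) -> str:
    """Turn a 'sources' entry into a relative path that cannot escape the output dir.

    'webpack:///./src/App.js' -> 'src/App.js'; '../../etc/evil.js' -> 'etc/evil.js'.
    A hostile map can name arbitrary paths, so '..' and absolute roots are dropped.
    """
    path = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*:/*", "", source)  # strip scheme (webpack://, file://)
    path = path.split("?", 1)[0]                                  # drop ?hash query strings
    path = posixpath.normpath(path.lstrip("/"))
    parts = [p for p in path.split("/") if p not in ("", ".", "..")]
    return "/".join(parts) or "unnamed"


def unpack_sourcemap(smap: dict) -> Dict[str, Optional[str]]:
    """Step 2 (unpack): original path -> original content (None if not embedded)."""
    if smap.get("version") != 3:
        raise ValueError(f"unsupported source map version {smap.get('version')!r}")
    root = smap.get("sourceRoot") or ""
    contents = smap.get("sourcesContent") or []
    tree: Dict[str, Optional[str]] = {}
    for i, src in enumerate(smap.get("sources", [])):
        tree[_safe_relpath(root + src)] = contents[i] if i < len(contents) else None
    return tree


def write_sources(tree: Dict[str, Optional[str]], out_dir: str) -> List[pathlib.Path]:
    """Materialise recovered files so step 3 (semgrep or another scanner) can run on them."""
    base = pathlib.Path(out_dir).resolve()
    written = []
    for rel, content in tree.items():
        if content is None:
            continue  # mappings only; the original file must be fetched separately
        dest = (base / rel).resolve()
        if base not in dest.parents:  # second line of defence against traversal
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content, encoding="utf-8")
        written.append(dest)
    return written


# Constructed sample inputs (not captured from a real target).
SAMPLE_MAP = {
    "version": 3,
    "file": "main.dqfcf86f.chunk.js",
    "sources": ["webpack:///./src/App.js", "webpack:///./src/api/token.js", "../../../etc/evil.js"],
    "sourcesContent": ["export const App = () => null;\n", "export const TOKEN = 'example-only';\n"],
    "names": [],
    "mappings": "AAAA",
}
SAMPLE_BUNDLE = "!function(e){}();\n//# sourceMappingURL=main.dqfcf86f.chunk.js.map\n"
INLINE_MAP_BUNDLE = (
    "console.log(1);\n//# sourceMappingURL=data:application/json;base64,"
    + base64.b64encode(json.dumps(SAMPLE_MAP).encode()).decode() + "\n"
)

if __name__ == "__main__":
    import tempfile
    print(find_sourcemap_urls(SAMPLE_BUNDLE, "https://app.example/static/js/main.dqfcf86f.chunk.js"))
    tree = unpack_sourcemap(load_sourcemap(find_sourcemap_urls(INLINE_MAP_BUNDLE, "https://app.example/x.js")[0]))
    with tempfile.TemporaryDirectory() as d:
        for p in write_sources(tree, d):
            print("recovered", p.relative_to(d))
```

Run as-is it works on the embedded sample; in practice, `body` is the response body of the main JS bundle seen in Burp and `fetch` is whatever HTTP client is in use. Source maps are untrusted input from the target: besides the traversal check, do not assume `sourcesContent` is present or complete, which is one reason a map can look exposed yet not fully unpack in the browser.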

OK I reopen the issue 😃

righettod avatar Oct 28 '21 13:10 righettod