forked from PortSwigger/js-miner
BappDescription.html
<p>This tool tries to find interesting stuff inside static files; mainly JavaScript and JSON files.</p>
<p>Background</p>
<p>While assessing a web application, testers are expected to enumerate information residing inside static files such as JavaScript or JSON resources.</p>
<p>This tool tries to help with this "initial" recon phase, which should be followed by manual review/analysis of the reported issues.</p>
<p><strong>Note:</strong> Like many other tools of the same nature, this tool is expected to produce false positives. Also, it is meant to be used as a helper tool; it does not replace manual review/analysis (nothing really can).</p>
<p>Features</p>
<ul>
<li>Scans for secrets / credentials
<ul>
<li>It uses Shannon entropy to improve the confidence level.</li>
</ul>
</li>
<li>Scans for subdomains (passive)</li>
<li>Scans for cloud URLs (passive)
<ul>
<li>Support for (AWS, Azure, Google, CloudFront, Digital Ocean, Oracle, Alibaba, Firebase, Rackspace, Dream Host)</li>
</ul>
</li>
<li>Tries to identify "dependency confusion" issues (passive but connects to NPM JS registry to verify the issue)
<ul>
<li>Reports a critical issue when a dependency or an organization is missing from the NPM registry.</li>
<li>Reports informational issues for identified dependencies.</li>
</ul>
</li>
<li>JS Source Mapper (active and passive)
<ul>
<li>Tries to construct source code from JavaScript Source Map Files (if found).</li>
<li>Actively tries to guess the common location of the ".map" files.</li>
<li>It can also (passively) parse inline base64 JS map files.</li>
</ul>
</li>
<li>Static files dumper (passive but requires manual invocation)
<ul>
<li>A one-click option to dump static files from one or multiple websites.</li>
<li>Think 'ctrl+A' in your Burp's 'sitemap', then dump all static files.</li>
<li>You can use this feature to run your custom tools to find specific patterns for example.</li>
</ul>
</li>
<li>API Endpoints Finder (passive)
<ul>
<li>Tries to find GET/POST/PUT/DELETE/PATCH API endpoints.</li>
</ul>
</li>
</ul>
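<p>As an added example (not part of the original description or of the JS Miner code base), the following Python shows how a secrets scan can use Shannon entropy to rate its matches. The regular expression, the 3.0-bit threshold and the sample JavaScript are assumptions made for this example; note that a sequential string such as "ABCDEFGHIJKLMNOP" still scores high, which is the kind of false positive the note above warns about.</p>

```python
import math
import re
from collections import Counter

# Constructed sample of a static JavaScript file, standing in for one pulled
# from Burp's site map. The values are made up for this example.
SAMPLE_JS = """
const config = {
  apiKey: "c0nStructedH1ghEntR0pyV4lue9Qz2",
  placeholderKey: "xxxxxxxxxxxxxxxxxxxx",
};
const secret = 'ABCDEFGHIJKLMNOP';
"""

# A credential-looking assignment: a name containing key/token/secret/password,
# followed by a quoted string of at least 16 characters. Deliberately broad,
# like any secrets scanner; the entropy score is what narrows it down.
CREDENTIAL = re.compile(
    r'(?P<name>\w*(?:key|token|secret|password)\w*)\s*[:=]\s*'
    r'["\'](?P<value>[A-Za-z0-9_\-+/=]{16,})["\']',
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character.

    0.0 for a string made of one repeated character; log2(len(alphabet)) when
    every character occurs equally often. Random secrets score high, while
    placeholders such as "xxxx..." score near zero.
    """
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_secrets(text: str, min_entropy: float = 3.0):
    """Return every credential-looking assignment, scored by entropy.

    min_entropy is a tunable threshold (3.0 bits is an assumption chosen for
    this example); matches below it are kept but flagged low confidence rather
    than dropped, so a reviewer can still see them.
    """
    findings = []
    for m in CREDENTIAL.finditer(text):
        value = m.group("value")
        entropy = shannon_entropy(value)
        findings.append({
            "name": m.group("name"),
            "value": value,
            "entropy": round(entropy, 2),
            "confidence": "high" if entropy >= min_entropy else "low",
        })
    return findings


if __name__ == "__main__":
    for f in scan_secrets(SAMPLE_JS):
        print(f"{f['confidence']:>4}  entropy={f['entropy']:.2f}  {f['name']} = {f['value']}")
```

<p>Running the block on the constructed sample reports the random-looking value and the sequential one as high confidence and the "xxxx..." placeholder as low confidence; the low-confidence matches are still listed so that manual review can decide.</p>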
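<p>As an added example (not code from the original description or from the JS Miner project), the following Python sketches the dependency-confusion check described above: extract registry-style package names from a bundle, then report a critical finding when a scope (npm organization) or a package is missing from the registry, and an informational finding otherwise. The bundle excerpt, the scope "@acme-internal" and the two registry lookups are constructed for this example and injected as callbacks so that it runs offline; the tool itself, as the description says, contacts the npm registry to verify.</p>

```python
import re
from typing import Callable, List, Tuple

# Constructed bundle excerpt. The scope and package names are made up.
SAMPLE_BUNDLE = """
const _ = require("lodash");
import { Widget } from "@acme-internal/ui-kit";
import track from "@acme-internal/analytics/dist/index.js";
import helpers from "./helpers";
"""

# Module specifiers in require()/import statements. Relative and absolute
# paths are not registry packages and are skipped by npm_package_names().
MODULE_SPEC = re.compile(r'(?:require\(\s*|from\s+|import\s+)["\']([^"\'\s]+)["\']')


def npm_package_names(js_text: str) -> List[str]:
    """Registry-style package names referenced by the bundle, deduplicated."""
    names = set()
    for spec in MODULE_SPEC.findall(js_text):
        if spec.startswith((".", "/")):
            continue
        parts = spec.split("/")
        # "@scope/name/deep/path" -> "@scope/name"; "name/deep/path" -> "name"
        names.add("/".join(parts[:2]) if spec.startswith("@") else parts[0])
    return sorted(names)


def assess_dependency_confusion(
    js_text: str,
    package_exists: Callable[[str], bool],
    scope_exists: Callable[[str], bool],
) -> List[Tuple[str, str, str]]:
    """(name, severity, reason) per package, using the severities the page lists.

    The registry lookups are injected so the example runs offline; a real
    check would query the public npm registry for each scope and package.
    """
    findings = []
    for name in npm_package_names(js_text):
        if name.startswith("@"):
            scope = name.split("/")[0]
            if not scope_exists(scope):
                findings.append((name, "critical", f"scope {scope} is not registered on npm"))
                continue
        if package_exists(name):
            findings.append((name, "info", "package is registered on npm"))
        else:
            findings.append((name, "critical", "package is not registered on npm"))
    return findings


# Constructed stand-in for registry state: the scope exists and one of its
# packages is published, the other is not.
KNOWN_SCOPES = {"@acme-internal"}
KNOWN_PACKAGES = {"lodash", "@acme-internal/ui-kit"}


def demo() -> List[Tuple[str, str, str]]:
    return assess_dependency_confusion(
        SAMPLE_BUNDLE, KNOWN_PACKAGES.__contains__, KNOWN_SCOPES.__contains__
    )


if __name__ == "__main__":
    for name, severity, reason in demo():
        print(f"{severity:>8}  {name}: {reason}")
```

<p>With the constructed registry state, "@acme-internal/analytics" is reported as critical (the scope is claimed but the package is not published), while "@acme-internal/ui-kit" and "lodash" are informational. Passing an empty scope set instead shows the other critical case, an unregistered scope.</p>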
<p>How to use this tool</p>
<p><strong>In a nutshell:</strong> Passive scans are invoked automatically, while active scans require manual invocation (by right-clicking your targets) from the site map or other Burp windows.</p>
<p>More information</p>
<p>The tool contains two main scans:</p>
<ul>
<li><strong>Passive</strong> scans, which are enabled by default (they search for inline JS map files, secrets, subdomains and cloud URLs).</li>
<li><strong>Active</strong> scans, which try to guess JavaScript source map files (HTTP requests are sent during the process).</li>
</ul>
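<p>As an added example (not part of the original description or of the JS Miner code), the following Python shows the passive side of the source-map feature: reading the sourceMappingURL comment from a minified file, decoding an inline base64 map, and reconstructing original files from the map's sourcesContent entries. When the comment is absent or points elsewhere, the function only returns the URL at which a map could be requested (the conventional "<script>.map" location mentioned above) without sending anything. The three sample files, the sample map and the script URL are constructed for this example.</p>

```python
import base64
import json
import re
from urllib.parse import unquote, urljoin

# Constructed source map (version 3 layout). The second source has no
# sourcesContent entry, which is common for files the build excluded.
SAMPLE_MAP = {
    "version": 3,
    "sources": ["webpack:///src/app.js", "webpack:///src/vendor.js"],
    "sourcesContent": ["export const greet = () => 'hi';\n", None],
    "mappings": "AAAA",
}

# Three constructed minified files: one with an inline base64 map, one
# pointing at an external map, and one with no map comment at all.
_B64 = base64.b64encode(json.dumps(SAMPLE_MAP).encode()).decode()
INLINE_JS = (
    "console.log('hi');\n"
    "//# sourceMappingURL=data:application/json;charset=utf-8;base64," + _B64 + "\n"
)
EXTERNAL_JS = "console.log('hi');\n//# sourceMappingURL=app.min.js.map\n"
PLAIN_JS = "console.log('hi');\n"

# The trailing comment that bundlers emit; "//@" is the legacy spelling.
SOURCE_MAPPING_URL = re.compile(r'^//[#@]\s*sourceMappingURL=(\S+)\s*$', re.MULTILINE)


def extract_source_map(js_text: str, script_url: str) -> dict:
    """Passive step: find a source map without sending any request.

    Returns either the decoded inline map, or the URL(s) at which a map could
    be requested: the explicit sourceMappingURL resolved against the script,
    or the conventional "<script>.map" when no comment is present.
    """
    m = SOURCE_MAPPING_URL.search(js_text)
    if not m:
        return {"kind": "none", "candidates": [script_url + ".map"]}
    ref = m.group(1)
    if ref.startswith("data:"):
        header, _, payload = ref.partition(",")
        raw = base64.b64decode(payload) if ";base64" in header else unquote(payload).encode()
        return {"kind": "inline", "map": json.loads(raw.decode("utf-8"))}
    return {"kind": "external", "candidates": [urljoin(script_url, ref)]}


def reconstruct_sources(source_map: dict) -> dict:
    """Map each original file path to its content, when the map embeds it."""
    root = source_map.get("sourceRoot") or ""
    contents = source_map.get("sourcesContent") or []
    files = {}
    for i, path in enumerate(source_map.get("sources", [])):
        content = contents[i] if i < len(contents) else None
        if content is not None:
            files[root + path] = content
    return files


if __name__ == "__main__":
    url = "https://example.com/static/app.min.js"
    for label, js in (("inline", INLINE_JS), ("external", EXTERNAL_JS), ("plain", PLAIN_JS)):
        result = extract_source_map(js, url)
        print(label, result["kind"], result.get("candidates", ""))
        if result["kind"] == "inline":
            for path, content in reconstruct_sources(result["map"]).items():
                print("  recovered", path, repr(content))
```

<p>Only the inline case yields source code directly; the other two return candidate URLs, which is where the active scan (and its HTTP requests) would take over. Checking your own production bundles this way is a quick way to confirm that no source map, inline or external, is being shipped unintentionally.</p>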
<p>For the best results</p>
<ul>
<li>Navigate your target first so that all of its static files are loaded.</li>
<li>Passive scans will trigger automatically. Ensure Burp's Sitemap is displaying your target's static files.</li>
<li>Then right-click on the target domain (example.com) from Burp Suite's site map tree, then select one of "JS Miner" scan options.</li>
<li>Sometimes you may need to allow cookies to be sent by the extension. Check the wiki for how to do that.</li>
</ul>
<p><strong>Note:</strong> JS Source mapper scan is not included in Burp's "Active scan".</p>