Vendor Search

Web App Attack

Get this awesome resource:

wget https://github.com/nice-registry/all-the-package-names/raw/master/names.json

jq '.[0:10000]' names.json | grep "," | cut -d'"' -f 2 > npm-10000.txt

We use jq to keep only the first ten thousand entries of the array, grep for the lines that contain a package name (each one is followed by a comma), strip the surrounding quotes and the comma with cut, then redirect the output to npm-10000.txt.

Grab all the vendor names from the Target web application.

gobuster dir -w ./npm-10000.txt -u https://targetApp/js/vendor/ -k > packages.txt

We are searching for packages in the /js/vendor/ directory with gobuster:
-w passes in the wordlist
-u passes in the URL
-k ignores the self-signed certificate

Those discovered directories are saved in a text file.

kali@kali:~$ cat packages.txt
https://targetApp/js/vendor/fineuploader
https://targetApp/js/vendor/gauge
https://targetApp/js/vendor/gridstack
https://targetApp/js/vendor/lodash
https://targetApp/js/vendor/UUID.js-4.0.3
https://targetApp/js/vendor/bootstrap-daterangepicker

Then run

while read -r l; do echo "=$l="; gobuster dir -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -k -q -u "$l"; done < packages.txt

We are looping through each URL and searching for content using the quickhits.txt wordlist. The while loop reads packages.txt one line at a time; each iteration echoes the URL and passes it to the gobuster dir command, with -q to stop Gobuster from printing its header. Finally, a new file is created with the names that returned hits.

kali@kali:~$ cat packages.txt
https://targetApp/js/vendor/gridstack
https://targetApp/js/vendor/lodash
https://targetApp/js/vendor/bootstrap-daterangepicker

Then run

while read -r l; do echo "=$l="; curl -k "$l/README.md"; done < packages.txt

This loops through the directories looking for a README.md file. Then we can use wget to download each library at its respective tagged version. Example:

https://github.com/Liosk/UUID.js/releases/tag/v4.0.3
https://github.com/lodash/lodash/releases/tag/3.9.3
https://github.com/gridstack/gridstack/js/releases/tag/v0.2.3

Then unzip them and search the new directories for HTML files with *.html, supplying -iname to the find command so the match is case insensitive.

$ find ./ -iname "*.html"

Sometimes these vendor HTML files may have vulnerabilities that could be leveraged to attack the target web application hosting them.
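The same README / version / *.html search, turned around for the owner of the application as an added example (not code from the original post): run against a local copy of the webroot, it lists every package under js/vendor/ with the version it could recover and the number of HTML files the package ships, so the versions can be checked against published advisories and stray demo or test pages can be removed before deployment. The version is taken from a suffix on the directory name (as with UUID.js-4.0.3 above), then from the "version" field of package.json, then from the first x.y.z string in README.md; those lookups, the sample webroot and the file contents are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): inventory third-party JS
# packages under a webroot's js/vendor/ directory, recording each package's
# version and how many HTML files it ships. The sample webroot is constructed.
set -eu

# Build a small constructed webroot in a temp dir and print its path.
make_sample_webroot() {
    local root=""
    root="$(mktemp -d)"
    mkdir -p "$root/js/vendor/UUID.js-4.0.3" \
             "$root/js/vendor/lodash" \
             "$root/js/vendor/gridstack/demo"
    printf '{\n  "name": "lodash",\n  "version": "3.9.3"\n}\n' \
        > "$root/js/vendor/lodash/package.json"
    printf '# gridstack.js\n\nVersion 0.2.3 of gridstack.\n' \
        > "$root/js/vendor/gridstack/README.md"
    printf '<html><body>gridstack demo</body></html>\n' \
        > "$root/js/vendor/gridstack/demo/index.html"
    printf '%s\n' "$root"
}

# Recover a version for one vendor directory, trying in order: a version
# suffix on the directory name (UUID.js-4.0.3), the "version" field of
# package.json, then the first x.y.z string in README.md. Prints "unknown"
# when none of those is present (assumed conventions, not a standard).
vendor_version() {
    local dir="$1" ver=""
    ver="$(basename "$dir" | sed -n 's/.*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)$/\1/p')"
    if [ -z "$ver" ] && [ -f "$dir/package.json" ]; then
        ver="$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$dir/package.json" | head -n 1)"
    fi
    if [ -z "$ver" ] && [ -f "$dir/README.md" ]; then
        ver="$(grep -oE '[0-9]+\.[0-9]+\.[0-9]+' "$dir/README.md" | head -n 1 || true)"
    fi
    printf '%s\n' "${ver:-unknown}"
}

# Print one "name version html_count" line per directory under $1/js/vendor/.
# The html_count is the same case-insensitive find the post uses, per package.
inventory_vendors() {
    local root="$1" dir="" name="" ver="" html=""
    for dir in "$root"/js/vendor/*/; do
        dir="${dir%/}"
        [ -d "$dir" ] || continue
        name="$(basename "$dir")"
        ver="$(vendor_version "$dir")"
        html="$(find "$dir" -iname '*.html' | wc -l | tr -d ' ')"
        printf '%s %s %s\n' "$name" "$ver" "$html"
    done
}

# Usage: ./vendor-inventory.sh /path/to/webroot   (any tree with js/vendor/ in it)
# With no argument it runs against the constructed sample webroot and cleans up.
if [ -n "${1:-}" ]; then
    inventory_vendors "$1"
else
    sample="$(make_sample_webroot)"
    inventory_vendors "$sample"
    rm -rf "$sample"
fi
```

Packages that come out as "unknown" are the ones worth a closer look, since nothing on disk records which release was deployed; a non-zero html_count on a production copy is a prompt to confirm the file is actually needed by the application rather than being a shipped demo or test page.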
