Vendor Search

Web App Attack

Get this awesome resource:


jq '.[0:10000]' names.json | grep "," | cut -d'"' -f 2 > npm-10000.txt

We use jq to slice out the first ten thousand entries, grep to keep only the lines that contain a package name, cut to strip the surrounding quotes and trailing comma, then redirect the output to npm-10000.txt.

Grab all the vendor names from the Target web application.

gobuster dir -w ./npm-10000.txt -u https://targetApp/js/vendor/ -k > packages.txt 

We are searching for packages in the /js/vendor/ directory with gobuster.
-w to pass in the wordlist
-u to pass in the URL
-k to skip TLS certificate verification (the target uses a self-signed certificate)

Those discovered directories are saved in a text file.

kali@kali:~$ cat packages.txt 

Then run

while read l; do echo "=$l="; gobuster dir -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -k -q -u "$l"; done < packages.txt

We are looping through each URL and searching for content with the quickhits.txt wordlist. The while loop reads packages.txt one line at a time; each iteration echoes the URL, then passes it to gobuster dir as the -u parameter, with -q so Gobuster does not print its banner and headers. Finally the names are written to a new file.

kali@kali:~$ cat packages.txt 

Then run

while read l; do echo "=$l="; curl -k "$l/"; done < packages.txt

This loops through the directories and requests each one, looking for a file or directory listing. Then we can use wget to download each library at its respective tagged version. Example:

Then unzip them and search the new directories for HTML files with *.html, supplying -iname to find so the match is case insensitive.

$ find ./ -iname "*.html"

Sometimes these vendor HTML files have vulnerabilities of their own that could be leveraged to attack the target web application hosting them.
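From the defender's side, the enumeration described above leaves a recognisable trace in the web server's access log: a single client producing a burst of 404s for many distinct paths under /js/vendor/ in a short window. The following is an added example, not code from the original post, that flags such clients in combined-format (Apache/nginx) access logs; the log lines, IP addresses and the threshold are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample data: 203.0.113.5 walks /js/vendor/<pkg>/ with a wordlist
# (mostly misses), 198.51.100.7 loads a vendor script as a normal browser would.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /js/vendor/lodash/ HTTP/1.1" 404 153 "-" "gobuster/3.1"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /js/vendor/react/ HTTP/1.1" 404 153 "-" "gobuster/3.1"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /js/vendor/jquery/ HTTP/1.1" 301 0 "-" "gobuster/3.1"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /js/vendor/express/ HTTP/1.1" 404 153 "-" "gobuster/3.1"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /js/vendor/moment/ HTTP/1.1" 404 153 "-" "gobuster/3.1"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /js/vendor/jquery/jquery.min.js HTTP/1.1" 200 89476 "https://targetApp/" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield (ip, timestamp, path, status) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])


def find_vendor_enumeration(log_text, prefix="/js/vendor/", threshold=4,
                            window=timedelta(seconds=60)):
    """Return {ip: sorted distinct 404 paths} for clients that hit `threshold`
    distinct missing paths under `prefix` within any `window`-long span."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)]
    for ip, ts, path, status in parse(log_text):
        if status == 404 and path.startswith(prefix):
            misses[ip].append((ts, path))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {p for t, p in events[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[ip] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_vendor_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct vendor 404s, e.g. {paths[:3]}")
```

Tune `threshold` and `window` to the site's normal 404 rate; the 301/200 responses in the same burst are the names that actually exist, which is the inventory worth reviewing for stray HTML or demo files.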
