Get this awesome resource:
wget https://github.com/nice-registry/all-the-package-names/raw/master/names.json
jq '.[0:10000]' names.json | grep "," | cut -d'"' -f 2 > npm-10000.txt
jq slices the JSON array down to its first ten thousand entries and pretty-prints them one per line; grep keeps only the lines that carry a name (each is a quoted string followed by a comma), cut strips the surrounding quotes, and the result is redirected to npm-10000.txt. The final entry of the slice has no trailing comma and is dropped by the grep, which does not matter for a wordlist.
Grab all the vendor names from the Target web application.
gobuster dir -w ./npm-10000.txt -u https://targetApp/js/vendor/ -k > packages.txt
We are searching for packages in the /js/vendor/ directory with gobuster.
-w to pass in the wordlist
-u to pass in the url
-k to ignore the self-signed certificate
The discovered directories are saved in packages.txt. Note that by default gobuster prints a banner and lines of the form /name (Status: 301) rather than bare URLs; to get a clean list like the one below, add -e (expanded mode, full URLs), -n (no status codes) and -q (no banner), or tidy the file up afterwards before feeding it to the next loop.
kali@kali:~$ cat packages.txt
https://targetApp/js/vendor/fineuploader
https://targetApp/js/vendor/gauge
https://targetApp/js/vendor/gridstack
https://targetApp/js/vendor/lodash
https://targetApp/js/vendor/UUID.js-4.0.3
https://targetApp/js/vendor/bootstrap-daterangepicker
while read l; do echo "=$l="; gobuster dir -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -k -q -u $l; done < packages.txt
This reads packages.txt line by line in a while loop and runs gobuster dir against each URL with the quickhits.txt wordlist from SecLists. Each iteration echoes the URL first, so the hits are grouped per package, and -q keeps gobuster from printing its banner between groups. The results go to the terminal; redirect the loop's output to a file if you want to keep them.
kali@kali:~$ cat packages.txt
https://targetApp/js/vendor/gridstack
https://targetApp/js/vendor/lodash
https://targetApp/js/vendor/bootstrap-daterangepicker
while read l; do echo "=$l="; curl $l/README.md -k; done < packages.txt
This loops through the directories and prints each README.md, which normally names the library and the version that was vendored. Once the version is known, download each library at the matching tagged release from GitHub with wget. Example:
https://github.com/Liosk/UUID.js/releases/tag/v4.0.3
https://github.com/lodash/lodash/releases/tag/3.9.3
https://github.com/gridstack/gridstack/js/releases/tag/v0.2.3
Unzip them and search the extracted directories for HTML files with find, matching *.html and using -iname so the match is case-insensitive:
$ find ./ -iname "*.html"
Vendored libraries often ship demo and test HTML pages alongside the code. If those pages were deployed to the target with the rest of the library, they are part of its attack surface and may carry vulnerabilities of their own that can be leveraged against the web application hosting them, so check each one against the known issues for that library version.
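The two middle steps above, cleaning gobuster's output into a URL list and then working out which version of each library is vendored, are easy to glue together in one script. The following is an added example, not code from the original post: it parses the default gobuster line format into URLs and then fingerprints each directory by trying package.json, bower.json and README.md in turn, with a shortcut for directories that carry the version in their name (as UUID.js-4.0.3 does). The gobuster line format, the fetch() helper that reads from a local fixture directory, and the sample package contents are constructed assumptions so the script runs offline; swap fetch() for curl -ks to run it against a real target.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): turn raw gobuster output into
# a URL list, then fingerprint each vendored library's version from the
# metadata files it usually ships with. The gobuster line format, the
# fixture directory and the sample contents are constructed assumptions
# so this runs offline; replace fetch() with "curl -ks" for a live target.

# Convert default gobuster dir output ("/name  (Status: 301) [Size: N]")
# into full URLs under the given base. Banner lines and 404s are dropped.
gobuster_to_urls() {
    local base="${1%/}"
    sed -nE 's#^(/[^[:space:]]+)[[:space:]]+\(Status: (200|301|302|403)\).*#\1#p' |
        sed "s#^#${base}#"
}

# First "version" field of a package.json / bower.json read from stdin.
version_from_json() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n1
}

# First X.Y.Z (optionally v-prefixed) token in a README read from stdin.
# Heuristic: READMEs with changelogs may list several versions.
version_from_readme() {
    { grep -oE 'v?[0-9]+\.[0-9]+\.[0-9]+' || true; } | head -n1 | sed 's/^v//'
}

# Offline fetch (assumption): maps https://host/path to $FIXTURE_ROOT/path.
FIXTURE_ROOT="$(mktemp -d)"
trap 'rm -rf "$FIXTURE_ROOT"' EXIT
fetch() {
    local path="${1#*://}"
    path="${path#*/}"
    cat "$FIXTURE_ROOT/$path" 2>/dev/null || true
}

# Print "name version source" for one vendor directory URL.
fingerprint_dir() {
    local url="${1%/}" name f v
    name="${url##*/}"
    # Some vendor directories carry the version in their name (UUID.js-4.0.3).
    case "$name" in
        *-[0-9]*.[0-9]*) printf '%s %s dirname\n' "${name%-*}" "${name##*-}"; return 0 ;;
    esac
    for f in package.json bower.json README.md; do
        case "$f" in
            *.json) v="$(fetch "$url/$f" | version_from_json)" ;;
            *)      v="$(fetch "$url/$f" | version_from_readme)" ;;
        esac
        if [ -n "$v" ]; then
            printf '%s %s %s\n' "$name" "$v" "$f"
            return 0
        fi
    done
    printf '%s unknown -\n' "$name"
    return 1
}

# Fingerprint every URL read from stdin (one per line, as in packages.txt).
enumerate_versions() {
    local u
    while read -r u; do
        fingerprint_dir "$u" || true
    done
}

# Constructed sample data: gobuster output plus two vendored libraries.
SAMPLE_GOBUSTER='/fineuploader         (Status: 301) [Size: 178]
/lodash               (Status: 301) [Size: 172]
/nonexistent          (Status: 404) [Size: 0]
/gridstack            (Status: 200) [Size: 2048]'
mkdir -p "$FIXTURE_ROOT/js/vendor/lodash" "$FIXTURE_ROOT/js/vendor/gridstack"
printf '{"name":"lodash","version":"3.9.3"}\n' > "$FIXTURE_ROOT/js/vendor/lodash/package.json"
printf '# gridstack.js\n\nRelease v0.2.3\n' > "$FIXTURE_ROOT/js/vendor/gridstack/README.md"

# Usage: gobuster output in, "name version source" lines out.
printf '%s\n' "$SAMPLE_GOBUSTER" |
    gobuster_to_urls "https://targetApp/js/vendor/" |
    enumerate_versions
```

The output is one line per directory, with "unknown" for anything that exposes none of the three files, which is your cue to fall back to the quickhits loop or to read the library's own JavaScript for a version banner. Against a live host, drop the fixture setup and define fetch() as a thin wrapper around curl -ks.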