This weekend I made the first updates to CodeWatch since releasing it as a free service and am just now getting around to posting a notification. The updates included:
- Minor bugfixes throughout the system.
- Upgrades to the Brakeman scanner for Ruby on Rails vulnerability testing. We were using an outdated version but are now (at the time of this posting) using the latest and greatest .
- I added a plugin that leverages Sigcheck to identify viruses in executable code uploaded to the application. More information can be found here.
- I added a plugin that uses Retire.js to scan for known vulnerable JavaScript files included in submitted source.
As a general note, I recommend using Retire.js and DependencyCheck (which was already integrated into CodeWatch prior to this weekend) on web application penetration tests that include source containing JavaScript files or Java jar files. These tools help provide some coverage for OWASP 2013 A9: Using Known Vulnerable Components.
A link discussing Retire.js can be found here. To leverage it in a web application penetration test, you will need to:
- Install Node.js from here.
- Install the retire.js plugin with: `npm install -g retire`
- Use a tool like httrack to download the JavaScript and other files from the site. Make sure the configuration settings for the httrack download includes +*.js in the “Scan Rules” tab.
- Scan for known vulnerable JavaScript components:
`retire –jspath /path/to/httrack/website/download/folder`
To use DependencyCheck, use a similar process (minus Node.js) by including +*.jar files in the “Scan Rules” tab of httrack. Then run DependencyCheck against any downloaded jar files:
`dependency-check.bat –a “AppName” –f HTML –s /path/to/directory/containing/the/jar`
Another thing I like to do is use the Firefox Wappalyzer plugin to identify all the third party components used on a site. Then I load up Burp, spider the site, then right click on the top level site and select “Engagement tools->Search” in the “Targets->Site Map” tab. For each third party component identified by Wappalyzer, I search through the spidered results for version information and then attempt to correlate to any known vulnerabilities.
Hopefully the updates and the information are useful to someone out there!
Leave a Reply