Search...

Retire.Js - Scanner Detecting The Use Of JavaScript Libraries With Known Vulnerabilities

2018-03-26T20:38:04

ID KITPLOIT:1750643879892396211
Type kitploit
Reporter KitPloit
Modified 2018-03-26T20:38:04

Description

What you require you must also retire
There is a plethora of JavaScript libraries for use on the Web and in Node.JS apps out there. This greatly simplifies development,but we need to stay up-to-date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 list of security risks and insecure libraries can pose a huge risk to your Web app. The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
Retire.js can be used in many ways:

Command line scanner
Scan a web app or node app for use of vulnerable JavaScript libraries and/or Node.JS modules. In the source code folder of the application folder run:

$ npm install -g retire
$ retire

Grunt plugin
A Grunt task for running Retire.js as part of your application's build routine, or some other automated workflow.

Gulp task
An example of a Gulp task which can be used in your gulpfile to watch and scan your project files automatically. You can modify the watch patterns and (optional) Retire.js options as you like.

var gulp = require('gulp');
var spawn = require('child_process').spawn;
var gutil = require('gulp-util');

gulp.task('retire:watch', ['retire'], function (done) {
    // Watch all javascript files and package.json
    gulp.watch(['js/**/*.js', 'package.json'], ['retire']);
});

gulp.task('retire', function() {
    // Spawn Retire.js as a child process
    // You can optionally add option parameters to the second argument (array)
    var child = spawn('retire', [], {cwd: process.cwd()});

    child.stdout.setEncoding('utf8');
    child.stdout.on('data', function (data) {
        gutil.log(data);
    });

    child.stderr.setEncoding('utf8');
    child.stderr.on('data', function (data) {
        gutil.log(gutil.colors.red(data));
        gutil.beep();
    });
});

Chrome and firefox extensions
Scans visited sites for references to insecure libraries, and puts warnings in the developer console. An icon on the address bar displays will also indicate if vulnerable libraries were loaded.

Burp and OWASP ZAP plugin
@h3xstream has adapted Retire.js as a plugin for the penetration testing tools Burp and OWASP ZAP . An alternative OWASP ZAP plugin exists at https://github.com/nikmmy/retire/

Download Retire.Js

JSON Vulners Source

Initial Source

{"id": "KITPLOIT:1750643879892396211", "bulletinFamily": "tools", "title": "Retire.Js - Scanner Detecting The Use Of JavaScript Libraries With Known Vulnerabilities", "description": "[ ![](https://1.bp.blogspot.com/-fzUVZSd0rlg/WrSixoo7EwI/AAAAAAAAKqQ/a_mqeecP0mIDIFjSQGqODCIA56JV-gfYgCLcBGAs/s640/Retire.png) ](<https://1.bp.blogspot.com/-fzUVZSd0rlg/WrSixoo7EwI/AAAAAAAAKqQ/a_mqeecP0mIDIFjSQGqODCIA56JV-gfYgCLcBGAs/s1600/Retire.png>)\n\n \n** What you require you must also retire ** \nThere is a plethora of JavaScript libraries for use on the Web and in Node.JS apps out there. This greatly simplifies development,but we need to stay [ up-to-date ](<https://www.kitploit.com/search/label/Up-to-date>) on security fixes. \"Using Components with Known Vulnerabilities\" is now a part of the [ OWASP Top 10 ](<https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities>) list of security risks and insecure libraries can pose a huge risk to your Web app. The goal of [ Retire.js ](<https://www.kitploit.com/search/label/Retire.js>) is to help you detect the use of JS-library versions with known vulnerabilities. \nRetire.js can be used in many ways: \n\n\n 1. [ As command line scanner ](<https://github.com/RetireJS/retire.js/tree/master/node>)\n 2. [ As a grunt plugin ](<https://github.com/bekk/grunt-retire>)\n 3. [ As a gulp task ](<https://github.com/retirejs/retire.js/#user-content-gulp-task>)\n 4. [ As a Chrome extension ](<https://github.com/RetireJS/retire.js/tree/master/chrome>)\n 5. [ As a Firefox extension ](<https://github.com/RetireJS/retire.js/tree/master/firefox>)\n 6. [ As a Burp and OWASP Zap plugin ](<https://github.com/h3xstream/burp-retire-js>)\n \n** Command line scanner ** \nScan a web app or node app for use of vulnerable JavaScript libraries and/or Node.JS modules. In the source code folder of the application folder run: \n\n \n \n $ npm install -g retire\n $ retire\n\n \n** Grunt plugin ** \nA [ Grunt task for running Retire.js ](<https://github.com/bekk/grunt-retire>) as part of your application's build routine, or some other automated workflow. \n \n** Gulp task ** \nAn example of a Gulp task which can be used in your gulpfile to watch and scan your project files automatically. You can modify the watch patterns and (optional) Retire.js options as you like. \n\n \n \n var gulp = require('gulp');\n var spawn = require('child_process').spawn;\n var gutil = require('gulp-util');\n \n gulp.task('retire:watch', ['retire'], function (done) {\n // Watch all javascript files and package.json\n gulp.watch(['js/**/*.js', 'package.json'], ['retire']);\n });\n \n gulp.task('retire', function() {\n // Spawn Retire.js as a child process\n // You can optionally add option parameters to the second argument (array)\n var child = spawn('retire', [], {cwd: process.cwd()});\n \n child.stdout.setEncoding('utf8');\n child.stdout.on('data', function (data) {\n gutil.log(data);\n });\n \n child.stderr.setEncoding('utf8');\n child.stderr.on('data', function (data) {\n gutil.log(gutil.colors.red(data));\n gutil.beep();\n });\n });\n\n \n** Chrome and firefox extensions ** \nScans visited sites for references to insecure libraries, and puts warnings in the developer console. An icon on the address bar displays will also indicate if vulnerable libraries were loaded. \n \n** Burp and [ OWASP ZAP ](<https://www.kitploit.com/search/label/OWASP%20ZAP>) plugin ** \n[ @h3xstream ](<https://github.com/h3xstream>) has adapted Retire.js as a [ plugin ](<https://github.com/h3xstream/burp-retire-js>) for the [ penetration testing ](<https://www.kitploit.com/search/label/Penetration%20Testing>) tools [ Burp ](<http://portswigger.net/burp/>) and [ OWASP ZAP ](<https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project>) . An alternative OWASP ZAP plugin exists at [ https://github.com/nikmmy/retire/ ](<https://github.com/nikmmy/retire/>) \n \n \n\n\n** [ Download Retire.Js ](<https://github.com/retirejs/retire.js/>) **\n", "published": "2018-03-26T20:38:04", "modified": "2018-03-26T20:38:04", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.kitploit.com/2018/03/retirejs-scanner-detecting-use-of.html", "reporter": "KitPloit", "references": ["https://github.com/nikmmy/retire/", "https://github.com/bekk/grunt-retire", "https://github.com/retirejs/retire.js/#user-content-gulp-task", "https://github.com/h3xstream/burp-retire-js", "https://github.com/RetireJS/retire.js/tree/master/firefox", "https://github.com/RetireJS/retire.js/tree/master/chrome", "https://github.com/retirejs/retire.js/", "https://github.com/h3xstream", "https://github.com/RetireJS/retire.js/tree/master/node"], "cvelist": [], "type": "kitploit", "lastseen": "2020-12-08T23:26:10", "edition": 27, "viewCount": 40, "enchantments": {"dependencies": {"references": [], "modified": "2020-12-08T23:26:10", "rev": 2}, "score": {"value": -0.2, "vector": "NONE", "modified": "2020-12-08T23:26:10", "rev": 2}, "vulnersScore": -0.2}, "toolHref": "https://github.com/retirejs/retire.js/", "scheme": null}