One of the lesser checked but more serious OWASP Top 10 vulnerabilities is the use of libraries or modules with known vulnerabilities. This can often mean versions of web frameworks that are out of date, but it also includes JavaScript libraries that perform specific functions. In this circumstance, we are checking jQuery; I have checked other libraries with this script but for the purposes of an example, but I will stick to jQuery.
We will create a script that identifies whether a site uses jQuery, retrieve it's version number, and then compare that against the latest version number to determine whether it is up to date.
The following is our script:
import requests
import re
from bs4 import BeautifulSoup
import sys
scripts = []
if len(sys.argv) != 2:
print "usage: %s url" % (sys.argv[0])
sys.exit(0)
tarurl = sys.argv[1]
url = requests.get(tarurl)
soup = BeautifulSoup(url.text)
for line in soup.find_all('script'):
newline = line.get('src')
scripts.append(newline)
for script in scripts:
if "jquery.min" in str(script).lower():
url = requests.get(script)
versions = re.findall(r'd[0-9a-zA-Z._:-]+',url.text)
if versions[0] == "2.1.1" or versions[0] == "1.12.1":
print "Up to date"
else:
print "Out of date"
print "Version detected: "+versions[0]The following is an example of the output produced when using this script:
http://candycrate.com Out of Date Version detected: 1.4.2
As ever, we import our libraries and create an empty library to house our future identified scripts:
scripts = []
For this script, we have created a simple usage guide that detects whether a URL has been provided. It reads the number of sys.argv, and if it is not equal to 2, including the script itself, then it prints out a guide:
if len(sys.argv) != 2: print "usage: %s url" % (sys.argv[0]) sys.exit(0)
We take our target URL from the sys.argv list and open it:
tarurl = sys.argv[1] url = requests.get(tarurl)
As with before, we use beautiful soup to take the page apart; however, this time we are identifying scripts and pulling their src values in order to obtain the URLs of the js libraries being that are used. This collects together all the potential libraries that could be jQuery. Bear in mind that if you extend the usage to include different types of library, this list of URLs can be very useful:
for line in soup.find_all('script'):
newline = line.get('src')
scripts.append(newline)For each identified script, we then check to see if there is any mention of jquery.min, which would indicate the core jQuery file:
for script in scripts: if "jquery.min" in str(script).lower():
We then use regex to identify the version number. In jQuery files, this will be the first thing mentioned that fits the given regex. The regex looks for 0-9 or a-z followed by a period that is repeated infinite amount of times. This is the format that the majority of version numbers take and jQuery is no different:
versions = re.findall(r'd[0-9a-zA-Z._:-]+',url.text)
The re.findall method finds all strings that match this regex; however, as mentioned, we only want the first one. We identify it with comments[0]. We check to see whether this is equal to the hardcoded values of the current jQuery version, at time of writing. These will need to be updated manually. If the value is equal to either of the current versions, the script will state that it is up to date, alternatively if it is not equal it will print the detected version along with an out of date message:
if versions[0] == "2.1.1" or versions[0] == "1.12.1":
print "Up to date"
else:
print "Out of date"
print "Version detected: "+versions[0]This recipe is obviously extendable and can be applied to any JavaScript library by simply adding to the detection strings and versions.
If the string was to be extended to include other libraries, such as insecure Django or flask libraries, the script would have to be altered to handle the alternate way that they are stated, as they are obviously not declared as JavaScript libraries.