/webunpack

Find vulnerable modules inside packed files (bundles)

Primary LanguageJavaScript

webunpack

A recon tool for security purposes
Find the vulnerable modules inside webpacked files (bundles)


Prerequisites

Install globally webpack and webpack-cli:

npm install --global webpack
npm install --global webpack-cli

CLI example

Download the latest release of webunpack or git clone this repository.
Install dependencies:

npm install

To display the help:

node webunpack.js

To fetch the list of vulnerable npm modules:

node webunpack.js getvulns > vulnerablemodules.txt

To create a signatures database from vulnerable npm modules:
(warning: creation of database could take several days it is recommended to use precomputed database in dbs folder)

node webunpack.js createdb vulnerablemodules.txt ./dbs/signaturesdb.json

To update a signatures database from vulnerable npm modules:

node webunpack.js updatedb vulnerablemodules.txt ./dbs/signaturesdb.json

To filter signatures/remove duplicate signatures shared between modules:

cp ./dbs/signaturesdb.json ./dbs/signaturesdbfiltered.json
node webunpack.js filterdb ./dbs/signaturesdbfiltered.json

To retrieve vulnerable npm modules from a packed file:

node webunpack.js unpack ./dbs/signaturesdbfiltered.json ./tests/testhandlebarsvuln/dist/main.js

API example

Update your package.json to use webunpack:

{
  "name": "test",
  "version": "0.0.1",
  "license": "MIT",
  "dependencies": {
    "webunpack.js": "^0.0.2"
  }
}

Unpack a file with unpackFile method:

var webunpack = require("webunpack.js"); 

var results = webunpack.unpackFile("./tests/testhandlebarsvuln/dist/main.js", "./dbs/signaturesdbfiltered.json");

console.dir(results);

The output should be the list of vulnerable modules identified in the packed file:

[ { name: 'handlebars',
    version: '4.3.2',
    vulnerable: 'https://npmjs.com/advisories/1325' },
  { name: 'handlebars',
    version: '4.4.1',
    vulnerable: 'https://npmjs.com/advisories/1325' },
  { name: 'handlebars',
    version: '4.2.2',
    vulnerable: 'https://npmjs.com/advisories/1164' } ]

API documentation


  • webunpack.unpackFile(packedfile, signaturesdb, mostrelevantmodule = false);
  • webunpack.unpackString(packedstring, signaturesdb, mostrelevantmodule = false);
    the last parameter if set to true imply that only the most relevant vulnerable module will be displayed.
  • webunpack.fetchVulnerabilities();
  • webunpack.createSignatures(vulnerablemodulesfile, signaturesdb);
  • webunpack.updateSignatures(vulnerablemodulesfile, signaturesdb);
  • webunpack.signaturesdbFilter(signaturesdb);

How it works?

For the moment the only source of npm vulnerable modules is https://npmjs.com/advisories/
For each vulnerable version of a module, createSignatures() method will compute a hash of each function.
Then unpackFile() method will compute the hash of each of the function inside a packed file and compare it to the ones in a signatures database.

Faq

Here