Page 60 - Hands-On Bug Hunting for Penetration Testers
Preparing for an Engagement Chapter 3
Source Code
Source-code analysis is typically thought of as something that only takes place in a white
box, an internal testing scenario, either as part of an automated build chain or as a manual
review. But analyzing client-side code available to the browser is also an effective way of
looking for vulnerabilities as an outside researcher.
We're specifically going to look at retire (Retire.js), a node module that has both Node
and CLI components, and analyzes client-side JavaScript and Node modules for
previously-reported vulnerabilities. You can install it easily using npm, passing the
global flag (-g) so that it lands on your PATH: npm install -g retire. Reporting
a bug that was originally discovered in a vendor's software, but still requires
addressing/patching in a company's web application, will often merit a reward. The easy-
to-use CLI of retire makes it simple to write short, purpose-driven scripts in the Unix
style. We'll be using it to elaborate on a general philosophy of pentesting automation.
retire --help shows you the general contour of functionality:
Let's test it against an old project of mine written in Angular and node:
retire --path ~/Code/Essences/demo
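To make the mechanism behind that scan concrete, here is an added example (my own, not code from Retire.js or from the book) of what a retire-style scanner does at its core: fingerprint a library's version from its banner comment, then compare that version against an advisory table of vulnerable version ranges. The jQuery banner regex reflects the real "/*! jQuery vX.Y.Z" header, but the advisory table, the "examplelib" library and the sample files are constructed placeholders for this example; the real advisory data lives in the Retire.js repository, not here.

```javascript
// Added example, not Retire.js code: a minimal library-fingerprint scanner.
// Fingerprints are regexes over file contents that capture a version string.
const FINGERPRINTS = [
  // Real jQuery builds open with a banner like "/*! jQuery v1.8.0 ..."
  { component: 'jquery', re: /\/\*!\s*jQuery v(\d+\.\d+\.\d+)/ },
  // Hypothetical library banner, used only for this example
  { component: 'examplelib', re: /examplelib\s+v(\d+\.\d+\.\d+)/i },
];

// CONSTRUCTED advisory table: the ranges and summaries are placeholders,
// not real vulnerability data. Shape mirrors "affected from X, fixed in Y".
const ADVISORIES = [
  { component: 'jquery', atOrAbove: '1.0.0', below: '1.9.0', summary: 'placeholder advisory A' },
  { component: 'examplelib', atOrAbove: '2.0.0', below: '2.3.1', summary: 'placeholder advisory B' },
];

// Compare dotted numeric versions segment by segment: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every {component, version} whose banner appears in the source text.
function detectComponents(source) {
  const found = [];
  for (const fp of FINGERPRINTS) {
    const m = fp.re.exec(source);
    if (m) found.push({ component: fp.component, version: m[1] });
  }
  return found;
}

// Keep only detections whose version falls inside an advisory's range.
function matchAdvisories(found) {
  const hits = [];
  for (const f of found) {
    for (const adv of ADVISORIES) {
      if (adv.component !== f.component) continue;
      const inRange =
        compareVersions(f.version, adv.atOrAbove) >= 0 &&
        compareVersions(f.version, adv.below) < 0;
      if (inRange) hits.push({ ...f, summary: adv.summary });
    }
  }
  return hits;
}

// files: { path: contents }. Returns one report entry per vulnerable detection.
function scanFiles(files) {
  const report = [];
  for (const [path, contents] of Object.entries(files)) {
    for (const hit of matchAdvisories(detectComponents(contents))) {
      report.push({ file: path, ...hit });
    }
  }
  return report;
}

// Constructed sample inputs standing in for JavaScript pulled from a project's assets.
const SAMPLE_FILES = {
  'js/jquery.min.js': '/*! jQuery v1.8.0 jquery.com | jquery.org/license */\n(function(){})();',
  'js/vendor.js': '/* examplelib v2.4.0 */\nvar x = 1;', // above the fixed version, so no hit
  'js/app.js': 'console.log("no third-party banner here");',
};

for (const r of scanFiles(SAMPLE_FILES)) {
  console.log(`${r.file}: ${r.component} ${r.version} - ${r.summary}`);
}
```

The scan only reports js/jquery.min.js, because examplelib 2.4.0 sits above the placeholder fix version; a real tool also has to handle minified builds that strip banners (Retire.js keeps extra fingerprints for that case), which is why a banner-only check like this one should be read as the starting point, not the whole method.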