Page 62 - Hands-On Bug Hunting for Penetration Testers
Preparing for an Engagement Chapter 3
Building a Process
If we think about how to build processes the Unix way, with small scripts responsible for
single concerns, chained together into more complex workflows (all built on the common
foundation of plain text), it makes sense to boil down our automated reconnaissance tools
into the smallest reusable parts.
One part is that wrapper script we just wrote, scanjs.sh. This script scans the client-side
code of a website (currently from a repo) and compiles a report in JSON, which it both saves
and displays.
Formatting the JS Report
But to make better sense of that JSON, we need to format it in a way that pulls out the
critical info (for example, severity, description, and location) while leaving out noise (for
example, dependency graphs). Let's use Python, which is great for string manipulation and
general data munging, to write a script that formats that JSON into a plain text report. We'll
call the script formatjs.py to associate it with our other tool. The first thing we need to do
is pull in JSON from STDIN and parse it into a Python data structure:
#!/usr/bin/env python2.7
import sys, json
data = json.load(sys.stdin)
Our goal is to create a table to display the data from the report, covering the severity,
summary, info, and file attributes for each vulnerability.
We'll be using a simple Python table library, tabulate (which you can install via pip
install tabulate). As per the tabulate docs, you can create a table using a nested list,
where the inner list contains the values of an individual table row. We're going to iterate
over the different files analyzed, iterate over each vulnerability, and process their attributes
into row lists that we'll collect in our rows nested list:
rows = []
for item in data:
    for vulnerability in item['results'][0]['vulnerabilities']:
        vulnerability['file'] = item.get('file', 'N/A')
        row = format_bug(vulnerability)
        rows.append(row)
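The row-building step as a self-contained script (an added example, not the book's code). The body of format_bug is not shown on this page, so the version here is a hypothetical stand-in; the top-level summary key, the severity labels and the sample report are assumptions constructed for illustration. It goes beyond the loop above by walking every entry in results rather than only results[0], tolerating missing keys, and sorting the most severe findings first.

```python
import json
import sys

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # assumed labels

def format_bug(vulnerability):
    """Hypothetical stand-in for format_bug: one finding -> one table row."""
    info = vulnerability.get("info") or ["N/A"]
    if not isinstance(info, list):
        info = [info]
    return [vulnerability.get("severity", "N/A"),
            vulnerability.get("summary", "N/A"),  # assumed top-level key
            vulnerability.get("file", "N/A"),
            "\n".join(str(i) for i in info)]

def build_rows(data):
    rows = []
    for item in data:
        # Walk every result, not only results[0], so no finding is dropped.
        for result in item.get("results") or []:
            for vulnerability in result.get("vulnerabilities") or []:
                bug = dict(vulnerability, file=item.get("file", "N/A"))
                rows.append(format_bug(bug))
    # Most severe first; unrecognised severities sort last (sort is stable).
    rows.sort(key=lambda r: SEVERITY_ORDER.get(str(r[0]).lower(), 99))
    return rows

def render(rows):
    headers = ["Severity", "Summary", "File", "Info"]
    try:
        from tabulate import tabulate
        return tabulate(rows, headers=headers)
    except ImportError:
        # Fallback when tabulate is not installed: tab-separated lines.
        body = ["\t".join(str(c).replace("\n", " ") for c in r) for r in rows]
        return "\n".join(["\t".join(headers)] + body)

# Constructed sample report (not real scanner output).
SAMPLE = json.loads("""[
  {"file": "js/app.js", "results": [
    {"vulnerabilities": [{"severity": "low", "summary": "Constructed finding A",
                          "info": ["https://example.com/a"]}]},
    {"vulnerabilities": [{"severity": "high", "summary": "Constructed finding B",
                          "info": ["https://example.com/b", "https://example.com/b2"]}]}]},
  {"file": "js/clean.js", "results": []},
  {"results": [{"vulnerabilities": [{"severity": "medium"}]}]}]""")

if __name__ == "__main__":
    print(render(build_rows(json.load(sys.stdin))))
```

Run as a script, it reads the JSON report from STDIN, the same way formatjs.py does.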