Sourcemap file disclosure vulnerability

During recent penetration tests, I often ran into xray flagging sourcemap files, and I had to look them up on Baidu every time, so I made a note.

Vulnerability principle

During day-to-day testing, you often encounter files with the suffix .js.map.
jQuery introduced Source Map support as a new feature.
Many sites packaged by Webpack will also have .js.map files.
Through the sourcemap, the front-end code can be restored and searched for API endpoints, which can indirectly lead to the discovery of unauthorized access vulnerabilities.

What is a Source map
Simply put, a Source map is an information file that stores location information. Each position of the code after conversion corresponds to the position before conversion.
With it, when an error occurs, the debugging tool will directly display the original code instead of the converted code, which undoubtedly brings great convenience to developers.

Vulnerability reproduction

A scan with xray reports a dirscan/sourcemap/default vulnerability.
Accessing the link directly downloads the sourcemap file; restoring the source code from this file requires the reverse-sourcemap tool.
First install Node.js. Download address: https://nodejs.org/zh-cn/download/
Choose the version suitable for your operating system, double-click the downloaded file, and click Next all the way through to complete the installation.
After installing Node.js, enter the following in the console:

npm -v

You can view the installed version.
Then install reverse-sourcemap:

npm install --global reverse-sourcemap

The installation is complete (PS: reverse-sourcemap was already installed on my computer, so the output you see on a first installation may differ from mine).

After the installation is complete, add it to the environment variables, then check whether the installation succeeded:

reverse-sourcemap -h

The installation is successful. Next, restore the map file:

reverse-sourcemap -v ****.js.map -o output

The restored source code is written to the output directory.

You can also view the front-end source code directly in the browser: open the developer tools and go to the Sources panel.

Vulnerability fix

The temporary solution is to delete the .map files in the code directory.
The permanent solution is to disable the generation of map files during the build.
Add the following configuration to the build.js file under scripts/build:
process.env.GENERATE_SOURCEMAP = 'false';
After a rebuild, sourcemap files will no longer be generated.

Reference link: https://cloud.tencent.com/developer/article/1981398


Origin blog.csdn.net/u011975363/article/details/125694154