During recent penetration tests, I often saw xray flag sourcemap files, and I had to search Baidu every time it did, so I made these notes.
Vulnerability principle
During daily testing, you often encounter files with the suffix js.map.
This is a new feature in jQuery that supports Source Map.
Many sites packaged by Webpack will have js.map files.
The front-end source code can be restored from the sourcemap to find the API endpoints, which can indirectly lead to unauthorized access vulnerabilities.
What is a Source map
Simply put, a Source map is an information file that stores location information. Each position of the code after conversion corresponds to the position before conversion.
With it, when an error occurs, the debugging tool will directly display the original code instead of the converted code, which undoubtedly brings great convenience to developers.
Vulnerability reproduction
Use xray to scan for dirscan/sourcemap/default vulnerabilities.
Accessing the reported link directly downloads the sourcemap file; the reverse-sourcemap tool is then needed to restore the source code from this file.
First install nodejs.
Download address: https://nodejs.org/zh-cn/download/
Choose the version suitable for your operating system, double-click the downloaded file, and click Next all the way through to complete the installation.
After installing nodejs, enter in the console:
npm -v
You can view the installed version.
Then install reverse-sourcemap
npm install --global reverse-sourcemap
The installation is complete (PS: reverse-sourcemap was already installed on my computer, so the output you see on a first installation may differ from mine).
After the installation is complete, add it to the environment variables, then check whether the installation was successful:
reverse-sourcemap -h
The installation is successful. Next, restore the map file:
reverse-sourcemap -v ****.js.map -o output
The source code from the map file is restored into the output directory.
You can also view the front-end source code in the browser, under the Sources panel of the developer tools.
Vulnerability fix
The temporary solution is to delete the .map files in the code directory.
The permanent solution is to disable map file generation during the build by adding the following configuration to the build.js file under scripts/build:
process.env.GENERATE_SOURCEMAP = 'false';
After this change, a rebuild no longer generates sourcemap files.
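A post-build check for the fix above, as an added example that is not part of the original post: it flags leftover .map files and sourceMappingURL references in the build output. The function names, the 'build' path and the sample build contents are constructed for illustration.

```javascript
// Added example: fail a build whose output would still publish source maps.
// Matches //# , //@ (legacy) and /*# (CSS) sourceMappingURL comments.
const MAP_COMMENT = /\/[\/*][#@]\s*sourceMappingURL=(\S+)/;

// files: { relativePath: content }. Returns one finding per problem.
function checkBuildFiles(files) {
  const findings = [];
  for (const [file, content] of Object.entries(files)) {
    if (file.endsWith('.map')) {
      let sources = 0, embedsSource = false;
      try {
        const map = JSON.parse(content);
        sources = (map.sources || []).length;
        embedsSource = (map.sourcesContent || []).some(Boolean); // original files verbatim
      } catch (e) { /* unparsable, but still a leftover .map file */ }
      findings.push({ file, issue: 'map-file', sources, embedsSource });
    } else if (/\.(js|css)$/.test(file)) {
      const m = MAP_COMMENT.exec(content);
      if (!m) continue;
      const inline = m[1].startsWith('data:');
      findings.push({ file, issue: inline ? 'inline-map' : 'map-reference' });
    }
  }
  return findings;
}

// Reads a real build directory into the shape checkBuildFiles() expects. CI usage
// ('build' is an assumed path): if (checkBuildFiles(loadDir('build')).length) process.exit(1);
function loadDir(dir) {
  const fs = require('fs'), path = require('path');
  const files = {};
  (function walk(d) {
    for (const e of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, e.name);
      if (e.isDirectory()) walk(p);
      else files[path.relative(dir, p)] = fs.readFileSync(p, 'utf8');
    }
  })(dir);
  return files;
}

// Constructed sample build output (not from a real site).
const sampleBuild = {
  'index.html': '<script src="static/js/main.js"></script>',
  'static/js/main.js': '!function(){}();\n//# sourceMappingURL=main.js.map',
  'static/js/main.js.map': JSON.stringify({ version: 3, mappings: '',
    sources: ['src/api.js', 'src/App.js'],
    sourcesContent: ['export const BASE = "/api";', 'import "./api";'] }),
};
console.log(checkBuildFiles(sampleBuild));
```

A 'map-reference' finding with no matching 'map-file' means the .map was deleted but the bundle still points at it, which is what the temporary fix leaves behind.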
Reference link: https://cloud.tencent.com/developer/article/1981398