Burp Suite User Forum


Vulnerable Javascript Dependency

Faraz | Last updated: Aug 23, 2022 11:35AM UTC

I need to inform that Burp Suite was not able to find the Moment.js vulnerability related to CVE-2022-31129 and CVE-2022-24785 in scans. Let me know if the said signatures are added in Burp Suite (in which versions). Need a confirmation that for vulnerable libraries, does Burp Suite add signatures for all JS vulnerabilities?

Regards,

Faraz | Last updated: Aug 23, 2022 11:36AM UTC

Burp Suite Professional is deployed for the scanning purposes.

Hannah, PortSwigger Agent | Last updated: Aug 23, 2022 02:01PM UTC

Hi,

Burp's vulnerable JavaScript dependency checks are based on the RetireJS repository here: https://retirejs.github.io/retire.js/. This is updated regularly. CVE-2022-24785 should be covered by this. However, it does not look like there is a check present for CVE-2022-31129.

You can add your own custom scan checks using extensions. You might find "Burp Bounty, Scan Check Builder" to be helpful. You can find this extension in the BApp Store within Burp (Extender > BApp Store).

Adam | Last updated: Mar 13, 2024 08:40PM UTC

Hi - I see there is a Pro extension called "Retire.js" that was last updated in December of 2021. Does this add any functionality for detecting vulnerable JavaScript dependencies beyond what Burp already has? My company uses both Burp Pro and Enterprise, and both regularly report vulnerable JS dependencies; however, we've recently noted that MathJax doesn't seem to be among the libraries checked. I'm wondering if there's an easy way to get it added to the checks beyond writing a custom extension.

Hannah, PortSwigger Agent | Last updated: Mar 14, 2024 11:18AM UTC

Hi,

Both the extension and Burp's native scan checks are based on the retire.js repository. It doesn't look like MathJax is recorded as a vulnerable JavaScript dependency in the retire.js repository. If you think that this library should be included, you may be able to raise it as an issue or a pull request on the retire.js repository: https://github.com/RetireJS/retire.js
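Both replies above come down to the same mechanism: a repository entry per library, with regexes that extract a version from a script's URI, filename or content, and a list of vulnerable version ranges to compare that version against. The block below is an added example written for this thread, not PortSwigger's code and not code from the retire.js project. It models that matching logic with a constructed repository entry for moment.js whose shape approximates retire.js' `jsrepository.json` as remembered here (the `§§version§§` placeholder and the `uri`/`filename`/`filecontent` extractor kinds are assumptions about that format); the version bounds given for the two CVEs named in the thread are likewise assumptions that should be checked against the advisories before being relied on. A library that is missing from the repository, as MathJax was reported to be, simply has no entry of this shape, which is why nothing is reported for it.

```javascript
// Added example: a minimal retire.js-style dependency check.
// REPOSITORY is a constructed stand-in for one jsrepository.json entry;
// its field names and the CVE version bounds are assumptions, not data
// taken from the retire.js project.
const REPOSITORY = {
  "moment.js": {
    extractors: {
      // §§version§§ is swapped for a version-capturing group before matching
      uri: ["/(§§version§§)/moment(\\.min)?\\.js"],
      filename: ["moment-(§§version§§)(\\.min)?\\.js"],
      filecontent: ["//! moment\\.js\\n//! version : (§§version§§)"],
    },
    vulnerabilities: [
      { below: "2.29.2", identifiers: { CVE: ["CVE-2022-24785"] }, severity: "high" },
      { below: "2.29.4", identifiers: { CVE: ["CVE-2022-31129"] }, severity: "high" },
    ],
  },
};

// Loose version token: a digit followed by digits, dots or tag characters.
const VERSION_PATTERN = "[0-9][0-9.a-z_\\-]+";

function compileExtractor(pattern) {
  return new RegExp(pattern.replace("§§version§§", VERSION_PATTERN));
}

// Numeric dotted comparison; missing or non-numeric parts count as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10) || 0);
  const pb = b.split(".").map((x) => parseInt(x, 10) || 0);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A range is [atOrAbove, below); either bound may be absent.
function isAffected(version, vuln) {
  if (vuln.atOrAbove && compareVersions(version, vuln.atOrAbove) < 0) return false;
  if (vuln.below && compareVersions(version, vuln.below) >= 0) return false;
  return true;
}

// Try every extractor kind against the evidence collected for one script
// and return the first component/version pair that matches.
function identify(script) {
  for (const [component, entry] of Object.entries(REPOSITORY)) {
    for (const [kind, patterns] of Object.entries(entry.extractors)) {
      const subject = script[kind];
      if (!subject) continue;
      for (const p of patterns) {
        const m = compileExtractor(p).exec(subject);
        if (m) return { component, version: m[1] };
      }
    }
  }
  return null;
}

// Identify the library, then list the CVEs whose range contains its version.
function scan(script) {
  const id = identify(script);
  if (!id) return { component: null, version: null, cves: [] };
  const cves = REPOSITORY[id.component].vulnerabilities
    .filter((v) => isAffected(id.version, v))
    .flatMap((v) => v.identifiers.CVE);
  return { ...id, cves };
}

// Constructed sample evidence, as a scanner would gather from <script> tags.
const SAMPLES = [
  { uri: "https://cdn.example/ajax/libs/moment.js/2.29.1/moment.min.js", filename: "moment.min.js" },
  { uri: "https://cdn.example/ajax/libs/moment.js/2.29.3/moment.min.js", filename: "moment.min.js" },
  { uri: "https://app.example/static/js/vendor.js", filename: "vendor.js",
    filecontent: "//! moment.js\n//! version : 2.29.4\n//! license : MIT" },
  { uri: "https://app.example/static/js/jquery.min.js", filename: "jquery.min.js" },
];

function scanAll(scripts) {
  return scripts.map((s) => ({ uri: s.uri, ...scan(s) }));
}

console.log(JSON.stringify(scanAll(SAMPLES), null, 2));
```

The third sample shows why content extractors matter: a bundled build hides the version from the URI and filename, and only the banner comment inside the file identifies it. The fourth shows the MathJax situation from the thread in miniature: with no repository entry, `identify` returns nothing and the script is silently skipped rather than reported as clean.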
