File name matcher does not work if script type attribute is after script src attribute #81
MasanoriOnuki added a commit to MasanoriOnuki/burp-retire-js that referenced this issue Jun 14, 2024
The method `ScannerFacade#findScriptUrl` does not correctly extract only the `src` attribute value.

It seems this method is intended to extract the value between the first quote in the `src` attribute and the last quote in the `src` attribute. However, the method actually extracts the value between the first quote in the `src` attribute and the last quote in the `script` tag.

For example, if the script tag is as below, `ScannerFacade#findScriptURL` returns `/jquery-1.4.3,.min.js" type="text/javascript`.

The file matcher works on the substring after the last slash of the extracted value, so in this case, it processes `javascript`. Therefore, the library with vulnerabilities `jquery-1.4.3.min.js` is not detected.
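
The behaviour reported above, reproduced as an added example that is not code from burp-retire-js. `greedySrc` is a hypothetical model of the extraction the issue describes, `attributeSrc` and `fileName` are hypothetical helpers, and the script tags are constructed sample input.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ScriptSrcDemo {
    // Hypothetical model of the reported behaviour: take everything from the
    // first quote after "src" up to the LAST quote anywhere in the tag.
    static String greedySrc(String tag) {
        int src = tag.indexOf("src");
        if (src < 0) return null;
        int first = firstQuote(tag, src);
        int last = Math.max(tag.lastIndexOf('"'), tag.lastIndexOf('\''));
        if (first < 0 || last <= first) return null;
        return tag.substring(first + 1, last);
    }

    static int firstQuote(String s, int from) {
        int d = s.indexOf('"', from), q = s.indexOf('\'', from);
        if (d < 0) return q;
        if (q < 0) return d;
        return Math.min(d, q);
    }

    // Attribute-scoped extraction: the value ends at the quote that closes
    // the src attribute itself, wherever src sits in the tag.
    private static final Pattern SRC = Pattern.compile(
        "(?:^|\\s)src\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)')", Pattern.CASE_INSENSITIVE);

    static String attributeSrc(String tag) {
        Matcher m = SRC.matcher(tag);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    // What a file-name matcher sees: the substring after the last slash.
    static String fileName(String url) {
        return url == null ? null : url.substring(url.lastIndexOf('/') + 1);
    }

    public static void main(String[] args) {
        String[] tags = {  // constructed sample tags
            "<script type=\"text/javascript\" src=\"/js/jquery-1.4.3.min.js\">",
            "<script src=\"/js/jquery-1.4.3.min.js\" type=\"text/javascript\">"
        };
        for (String tag : tags) {
            System.out.println(tag);
            System.out.println("  greedy    -> " + fileName(greedySrc(tag)));
            System.out.println("  attribute -> " + fileName(attributeSrc(tag)));
        }
    }
}
```

Running both attribute orders through a scanner's extraction step is a quick regression check that a vulnerable library name still reaches the file-name matcher.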