tree-chtsec/burp-sourcemap-finder-plugin

Source Map F1nder

This Burp Suite extension finds sourceMap files during passive/active scanning.

Tested on Burp Pro v2020.9.2

Google Dork

inurl:js filetype:map

Core Logic

phase I

Analyze each .js file line by line. If a //# sourceMappingURL=<Uri> comment exists, extract the <Uri>.

Supported <Uri>:

  1. Absolute URL (http://...)

  2. Relative URL (xxx.js.map)

  3. Data Uri (data://...)

phase II

For a URL, I GET it first. If the status code is 200, I try to parse the response body as raw JSON.

For a Data Uri, which is often base64-encoded JSON data, I decode it as raw JSON.

phase III

According to spec.html, a sourceMap has the form

{
    "version": 3,
    "sources": ["file1", "file2", "..."],
    "sourcesContent": ["file1-content", "file2-content", "..."],
    "mappings": "CAAA,SAAA, ..."
}

Currently I display the sources part in a Burp tab. Any advice is welcome!!!
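
The three phases above, written out as a stand-alone Python script for auditing your own build output for published source maps. This is an added example, not the extension's code; the function names and sample bundles are constructed for illustration, and the GET request from phase II is left out, so a URL is only resolved and returned.

```python
import base64
import json
import re
from urllib.parse import unquote_to_bytes, urljoin

# Matches the current "//#" comment and the deprecated "//@" form.
SOURCE_MAP_RE = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(\S+)\s*$")

def find_source_map_uri(js_text):
    """Phase I: scan line by line; the last matching comment wins."""
    found = None
    for line in js_text.splitlines():
        m = SOURCE_MAP_RE.match(line)
        if m:
            found = m.group(1)
    return found

def load_source_map(js_url, uri):
    """Phase II: return ("inline", parsed_map) for a data URI, or
    ("remote", absolute_url) for a map that still has to be fetched."""
    if uri.lower().startswith("data:"):
        header, _, payload = uri.partition(",")
        if header.lower().endswith(";base64"):
            raw = base64.b64decode(payload)
        else:
            raw = unquote_to_bytes(payload)  # percent-encoded JSON
        return "inline", json.loads(raw.decode("utf-8"))
    # urljoin leaves absolute URLs untouched and resolves relative ones.
    return "remote", urljoin(js_url, uri)

def summarize(source_map):
    """Phase III: list original file names and flag embedded source text."""
    sources = source_map.get("sources", [])
    contents = source_map.get("sourcesContent") or []
    embedded = [s for s, c in zip(sources, contents) if c]
    return {"version": source_map.get("version"), "sources": sources, "embedded": embedded}

# Constructed sample input: one bundle with an inline map, one with a linked map.
SAMPLE_MAP = {"version": 3, "sources": ["src/app.js", "src/config.js"],
              "sourcesContent": ["console.log(1)", None], "mappings": "AAAA"}
SAMPLE_INLINE_JS = ("console.log(1);\n//# sourceMappingURL=data:application/json;base64,"
                    + base64.b64encode(json.dumps(SAMPLE_MAP).encode()).decode() + "\n")
SAMPLE_LINKED_JS = "console.log(2);\n//# sourceMappingURL=app.min.js.map\n"

if __name__ == "__main__":
    base = "https://example.test/static/app.min.js"  # placeholder bundle URL
    for js in (SAMPLE_INLINE_JS, SAMPLE_LINKED_JS):
        kind, value = load_source_map(base, find_source_map_uri(js))
        print(kind, summarize(value) if kind == "inline" else value)
```

An entry in "embedded" means the original source text ships inside the map itself, which is the case worth checking before a build is published.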

Build

$ chmod +x compile.sh
$ ./compile.sh
$ #output path: build/sourceMap.jar 

Manual Installation Guide

  1. Download the release sourceMap.jar

  2. Switch to the Extender tab, then click "Add"

  3. Press "select file..." and choose sourceMap.jar

  4. Select "Next"; everything is okay

External Library

  1. https://github.com/mitchhentges/json-parse
  2. https://github.com/ooxi/jdatauri
