
How to use leaked NPM_TOKEN to access project private warehouse

2025-01-25 Update From: SLTechnology News&Howtos > Network Security


Shulou(Shulou.com)05/31 Report--

This article shows how a leaked NPM_TOKEN was used to access a project's private registry. The content is concise and easy to follow, and I hope you gain something from the detailed walkthrough.

The following describes how the author found an NPM_TOKEN and a private registry link in the JS scripts of the target site, and then used that NPM_TOKEN, in the .npmrc request format, to reach the private npm registry belonging to the target site's project.

Discovery process

Recently I picked a bug bounty program with fairly fast triage and payouts, hoping to find some high-severity issues in it. I first tried template injection on the target site, then IDOR, and found nothing. So I downloaded the site's JS files to see whether they leaked any information.

First, I used Burp Suite Pro to extract the URLs of the target site's JS files and save them to a single list. Since one combined file is neither intuitive nor friendly to work with, I then used the following script to download each file separately:

# Assuming the URLs are clean, i.e. they carry no query string at the end
cat urls.txt | xargs -I{} wget "{}"
# If a URL looks like https://storage.googleapis.com/workbox-cdn/releases/5.1.2/workbox-cacheable-response.prod.js?v=123122
# then cut off everything after the '?' first:
cat urls.txt | cut -d"?" -f1 | xargs -I{} wget "{}"

Tomnomnom's grep pattern wrapper gf comes in handy here. Running gf against the file path, I found a leaked internal IP address in the JS above: http://172.x.x.x. In the surrounding context I also found an NPM_TOKEN value, but how could it be used? I was a little confused: I rarely use npm and knew it only as the Node package manager.

After some research, I understood the following about the NPM_TOKEN value:

1. In some Continuous Integration systems, such as Jenkins pipelines or Travis CI, the NPM_TOKEN value is used to authenticate automated build and deployment steps of web applications. With an NPM_TOKEN you can access the project's private npm registry.

2. Different types of NPM_TOKEN carry different permissions, such as read and publish, read-only, and tokens restricted to a CIDR whitelist.

An NPM_TOKEN is used in .npmrc in the following format:

registry=https://registry_link_here/
//registry_link_here/:_authToken=auth_token_here

So I tried it against the public registry with the following .npmrc:

registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=auth_token_here

Test day 1: with this configuration, if the NPM_TOKEN is active, running the npm whoami command should return the account name. Unfortunately, there was no response. Some articles also say that the NPM_TOKEN in .npmrc is an encrypted string.
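The two things the write-up relies on, a token literal baked into a shipped JS bundle and a `.npmrc` with the token written inline, are exactly what a build-time secret scan should catch before assets are published. The following is an added example, not code from the original write-up or from the npm project: a small Python scanner that flags `NPM_TOKEN` assignments, `_authToken=` lines and non-public `registry=` URLs in a bundle, reports them with the token value masked, and checks whether a `.npmrc` is safe to commit (its token comes from `${NPM_TOKEN}` environment expansion rather than a literal). The sample bundle and `.npmrc` contents are constructed, the token strings are placeholders, and the assumption that modern npm tokens start with `npm_` while legacy ones are UUIDs is mine.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a webpack bundle that baked a token and a private registry into its code.
# The token values are placeholders, not real credentials.
SAMPLE_BUNDLE_JS = """
e.exports = {NPM_TOKEN: "npm_8f3kQ2PLACEHOLDER1234567890abcdef", API: "/v1"};
var r = "registry=https://npm.example-corp.internal/";
var t = "//npm.example-corp.internal/:_authToken=00000000-1111-2222-3333-444444444444";
"""

# Constructed .npmrc that is safe to commit: npm expands ${NPM_TOKEN} from the environment
# at run time, so the file itself never contains the secret.
SAFE_NPMRC = """registry=https://npm.example-corp.internal/
//npm.example-corp.internal/:_authToken=${NPM_TOKEN}
"""

# Constructed .npmrc with the token written inline (the form that leaks when committed or bundled).
UNSAFE_NPMRC = """registry=https://npm.example-corp.internal/
//npm.example-corp.internal/:_authToken=00000000-1111-2222-3333-444444444444
"""


@dataclass
class Finding:
    kind: str       # "npm_token", "authToken" or "private_registry"
    line_no: int    # 1-based line in the scanned text
    value: str      # token findings carry a masked value; registry findings carry the URL


# Assumption: modern npm tokens look like npm_<alphanumerics>, legacy tokens are UUIDs.
TOKEN_VALUE = (r"(?:npm_[A-Za-z0-9]{20,}"
               r"|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")

PATTERNS = [
    ("npm_token", re.compile(r"NPM_TOKEN\s*[:=]\s*['\"]?(" + TOKEN_VALUE + ")")),
    ("authToken", re.compile(r":_authToken=(" + TOKEN_VALUE + ")")),
    # Any registry other than the public one is worth a look: it is where private packages live.
    ("private_registry", re.compile(r"registry=(https?://(?!registry\.npmjs\.org)[^\s'\"]+)")),
]


def redact(value: str) -> str:
    """Keep the first 4 and last 2 characters so the report is useful but the value is unusable."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(text: str) -> List[Finding]:
    """Return every token or private-registry hit in the text, token values masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(1)
                if kind != "private_registry":
                    value = redact(value)
                findings.append(Finding(kind, line_no, value))
    return findings


def npmrc_is_safe_to_commit(text: str) -> bool:
    """True when every _authToken line uses ${VAR} expansion instead of a literal token."""
    for line in text.splitlines():
        if ":_authToken=" in line:
            value = line.split(":_authToken=", 1)[1].strip()
            if not re.fullmatch(r"\$\{[A-Z0-9_]+\}", value):
                return False
    return True


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_BUNDLE_JS):
        print(f"bundle line {finding.line_no}: {finding.kind} -> {finding.value}")
    print("safe .npmrc committable:", npmrc_is_safe_to_commit(SAFE_NPMRC))
    print("unsafe .npmrc committable:", npmrc_is_safe_to_commit(UNSAFE_NPMRC))
```

Run over the real build output directory (for example every `*.js` under `dist/`) as a CI step, and fail the pipeline on any `npm_token` or `authToken` finding; the `private_registry` hits are informational, since the registry URL itself is not a secret but tells you which registry's token policy to review.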

Test day 2: it was nearly 8 p.m. when I got home from work, and I kept testing this NPM_TOKEN. I remembered reading some articles earlier this year about Cross-Site WebSocket Hijacking (CSWH), so I combined that with some analysis. CSWH takes advantage of the fact that a WebSocket handshake is authenticated only by cookies, which makes it a bit like a Cross-Site Request Forgery (CSRF) attack. CSWH is also covered in the Burp exercises:

Next, I wanted to see whether I could find any WebSocket information in the JS I had obtained earlier, but there was nothing. Later I found that when the client makes a request, the server generates a nonce and assigns it to the client, and on testing I found it could be used to carry out CSRF attacks. So, while looking for CSWH, I discovered a CSRF vulnerability. I reported it, and will explain it in another blog post.

Day 3: after two hours of analysis, I found one of the JS files interesting and could pretty-print its code in three steps. Pretty-printing the code in Firefox:

Pretty-printing the code in Chrome:

The file has nearly 17k lines, mostly webpack code, and after careful analysis I found another NPM_TOKEN value:

There is also a private registry link nearby:

I wondered whether this registry link pointed at the project's private registry, so I added the NPM_TOKEN value I had found and made a request with the following .npmrc:

registry=https://private_registry_link_here/
//private_registry_link_here/:_authToken=auth_token_here

Running the npm whoami command unexpectedly returned a successful response: srv-npm-registry-ci.

Next I wanted to list all of its npm packages, but that was not possible. So I looked for clues to private packages in the packaging information inside its JS file, such as the following:

I then requested its private package with the following commands:

npm view private_repo

npm get private_repo

The response was as follows:

Using this method, I was able to download some of the target project's private packages and found configuration JS scripts and a lot of source code. The developers had clearly not configured any access permissions for the project. I reported the bug without testing further. It was triaged the same day, and seven days later I received an $8000 reward.

1. Hidden information can be found in JS script files;

2. Learn to use the browser developer tools; their capabilities go beyond what you might imagine;

3. Keep your testing tools updated;

4. Persistence is key.

The above is how a leaked NPM_TOKEN was used to access a project's private registry. Have you picked up any knowledge or skills? If you want to learn more or expand your knowledge, please follow the industry information channel.
