> A recon tool for security purposes
> Find the modules packed (bundles) with webpack.js

```shell
npm install webunpack.js
```

---

```shell
npm install --global webpack
npm install --global webpack-cli
```

## CLI example
Download the latest release of webunpack.
To display the help:

```shell
node webunpack.js
```

To fetch the list of vulnerable npm modules:
```shell
node webunpack.js getvulns > vulnerablemodules.txt
```

To create a signatures database from vulnerable npm modules:
(Warning: creating the database could take several days; it is recommended to use the precomputed database in the dbs folder.)

```shell
node webunpack.js createdb vulnerablemodules.txt ./dbs/signaturesdb.json
```

To update a signatures database from vulnerable npm modules:
```shell
node webunpack.js updatedb vulnerablemodules.txt ./dbs/signaturesdb.json
```

To filter signatures and remove duplicate signatures shared between modules:
```shell
cp ./dbs/signaturesdb.json ./dbs/signaturesdbfiltered.json
node webunpack.js filterdb vulnerablemodules.txt ./dbs/signaturesdbfiltered.json
```

To retrieve vulnerable npm modules from a packed file:
```shell
node webunpack.js unpack ./dbs/signaturesdbfiltered.json ./tests/testhandlebarsvuln/dist/main.js
```

## API example
Update your package.json to use webunpack:
```javascript
{
  "name": "test",
  "version": "0.0.1",
  "license": "MIT",
  "dependencies": {
    "webunpack.js": "^0.0.2"
  }
}
```
Unpack a file with the `unpackFile` method:

```javascript
var webunpack = require("webunpack.js");
var results = webunpack.unpackFile("./tests/testhandlebarsvuln/dist/main.js", "./dbs/signaturesdbfiltered.json");
console.dir(results);
```
The output should be the list of vulnerable modules identified in the packed file:

```javascript
[ { name: 'handlebars',
    version: '4.3.2',
    vulnerable: 'https://npmjs.com/advisories/1325' },
  { name: 'handlebars',
    version: '4.4.1',
    vulnerable: 'https://npmjs.com/advisories/1325' },
  { name: 'handlebars',
    version: '4.2.2',
    vulnerable: 'https://npmjs.com/advisories/1164' } ]
```
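The sample output lists three entries for the same module, so a report built on it is easier to act on when matches are grouped per module. The following is an added example, not part of webunpack.js: it assumes only the `{ name, version, vulnerable }` record shape shown above, and `summarizeFindings`, `compareVersions` and the report field names are hypothetical.

```javascript
// Added example: triage the array returned by webunpack.unpackFile().
// Record shape { name, version, vulnerable } is taken from the output above;
// function and report field names are hypothetical.

// Compare dotted numeric versions such as "4.3.2" (no pre-release handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Group matches by module so one bundled library yields one finding that
// carries every candidate version and advisory URL reported for it.
function summarizeFindings(results) {
  const byName = new Map();
  for (const r of results || []) {
    if (!r || typeof r.name !== "string") continue; // skip malformed records
    if (!byName.has(r.name)) {
      byName.set(r.name, { versions: new Set(), advisories: new Set() });
    }
    const entry = byName.get(r.name);
    if (r.version) entry.versions.add(String(r.version));
    if (r.vulnerable) entry.advisories.add(String(r.vulnerable));
  }
  return [...byName.entries()]
    .map(([name, e]) => ({
      name,
      candidateVersions: [...e.versions].sort(compareVersions),
      advisories: [...e.advisories].sort(),
    }))
    .sort((x, y) => x.name.localeCompare(y.name));
}

// Sample input copied from the output shown above.
const sampleResults = [
  { name: "handlebars", version: "4.3.2", vulnerable: "https://npmjs.com/advisories/1325" },
  { name: "handlebars", version: "4.4.1", vulnerable: "https://npmjs.com/advisories/1325" },
  { name: "handlebars", version: "4.2.2", vulnerable: "https://npmjs.com/advisories/1164" },
];

const report = summarizeFindings(sampleResults);
console.log(JSON.stringify(report, null, 2));
// In a build step, any finding can fail the job:
// process.exitCode = report.length > 0 ? 1 : 0;
```

Compare the candidate versions against the project's lockfile to confirm which release is actually bundled before acting on an advisory.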