
Avoiding Lodash version disclosure #5829

Open
lokeshv12 opened this issue Mar 8, 2024 · 1 comment

@lokeshv12

As documented at https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/version-disclosure-lodash/, Lodash makes its version accessible to the user through a browser's developer tools.

This is reproducible by adding a dependency on Lodash 4.17.21 in a skeleton Angular project.

I realize the difficulty in redacting this information since Lodash is a client-side Javascript utility library, but is there any way to configure Lodash to redact this information, or is it possible that it is not required and can be removed from Lodash?

How to test it?
Use `console.log(_.templateSettings.imports._.templateSettings.imports._.VERSION);` in the browser console.

@ThiefMaster

ThiefMaster commented Mar 26, 2024

If you are in a situation where you can read the version via devtools, you already have code execution privileges.
If you are doing recon on another website, e.g. to find vulns, you can just guess the version based on the source code (yes, even if minified). Or just try to exploit the issues straight away.

So it makes absolutely no sense to try to hide the version of a client-side library.
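
As an added example (not code from this issue or from the Lodash project), the following Node script turns the point made above into a build-time check: the version string is a plain literal in the shipped bundle, so rather than trying to hide it, audit your own build output for it and fail when it is below the minimum you require. The bundle excerpts are constructed for the demo, and the minimum version `4.17.21` is just the value this issue mentions.

```javascript
// Added example: scan bundled JavaScript for the lodash version literal,
// which survives minification, and report whether it is older than a
// minimum you set. Both the full source (`var VERSION = '4.17.21'`) and
// minified builds (`Z.VERSION="4.17.21"`) contain a VERSION="x.y.z" pattern.
const LODASH_VERSION_RE = /\bVERSION\s*=\s*["'](\d+\.\d+\.\d+)["']/g;

// Constructed stand-ins for real dist bundles (not actual lodash output).
const SAMPLE_BUNDLE_CURRENT =
  '!function(){var VERSION = "4.17.21";' +
  'Z.templateSettings={imports:{_:Z}};Z.VERSION=VERSION}();';
const SAMPLE_BUNDLE_OLD =
  '!function(){Z.VERSION="4.17.15",Z.templateSettings={imports:{_:Z}}}();';

// Return every semver literal assigned to a VERSION variable or property.
function extractLodashVersions(bundleText) {
  return [...bundleText.matchAll(LODASH_VERSION_RE)].map((m) => m[1]);
}

// Numeric semver comparison: negative if a < b, 0 if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Audit a bundle: list the versions found, which of them are below the
// minimum, and whether the bundle passes (no outdated version present).
function auditBundle(bundleText, minVersion) {
  const found = extractLodashVersions(bundleText);
  const outdated = found.filter((v) => compareSemver(v, minVersion) < 0);
  return { found, outdated, passes: outdated.length === 0 };
}

// Stand-alone run: print one line per constructed bundle.
if (typeof require !== 'undefined' && require.main === module) {
  const bundles = { current: SAMPLE_BUNDLE_CURRENT, old: SAMPLE_BUNDLE_OLD };
  for (const [name, text] of Object.entries(bundles)) {
    const r = auditBundle(text, '4.17.21');
    console.log(name, r.passes ? 'OK' : 'OUTDATED', r.found.join(', '));
  }
}
```

Point `auditBundle` at the text of your real `dist/*.js` files in CI; an empty `found` list simply means no lodash version literal was present in that bundle.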
