Bug Bounty Diaries #3

1 month ago 13

Hi guys! I’m back and before starting with the new blog I really wanna say THANK YOU to every follower, I’m glad to know that my blogs can be useful to some people. Again THANKS! ❤

Goal: Spend the next 3 hours learning JavaScript enumeration

JAVASCRIPT will be the topic of today!

JavaScript for hackers! Guys with this video I learn a lot of things and I hope you can learn something too!

JavaScript Enumeration!

JavaScript is a programming language that works in any browser, and over the years has taken an impressive importance as developers give functionality to web applications with this language!

Talk to the servers for example!

That’s why we have to enumerate each JS file and try to look for interesting things, and we might find passwords or even vulnerabilities in the code itself!

Tools for JavaScript enumeration:

Developer toolsBrowser (For this I like Chrome)BurpSuite (Use the PRO version if you can)Grep tool

If you know more tools that are useful for this task please let me know in the comments!

Why should I do this?

Thanks to the logic implemented on the client side we can further understand our targetWe could find secret things!We could find really serious bugs in the application!

That’s crazy, just imagine an admin password in the code!

Methodology

Try to get ALL JavaScript filesTry to make the code look clean and pretty (You can do this with the developer tools).Try searching for keywords (admin, password, api, /api, api_key)For dynamic analysis, you can use the developer tools and use breakpoints to better understand the code.

WOW! all this is amazing, it is super interesting to know the amount of things that can be done with JavaScript and that is why it is very important to make a good enumeration!

Resources:

If you wanna learn more!

https://www.hacker101.com/sessions/javascript_for_hackershttps://www.youtube.com/watch?v=-UPRQBQV5Lo&t=48shttps://medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9https://ctf.hacker101.com/ctf (Practice)https://github.com/google/firing-range (More real practice, this is great!)

Guys, that’s it for today’s blog! I hope you find it useful, please don’t forget to follow me and thanks for your time!

Read Entire Article