Hello fellas,
I tested this methodology to look for the "X-Client-key" header in every JavaScript file within the target scope. For the sake of example, I will be using "X-Client-key", https://example.com, and "session=989656", a cookie value that authenticates you as a user of example.com.
First, we want to collect the JS files with the different tools available on GitHub. In this scenario we will be using Katana and gau:
gau example.com | grep '\.js' > js.txt
katana -u "https://example.com" -H "Cookie: session=989656" | grep '\.js' | anew js.txt
Please note that you can also provide a list of subdomains (subdomains.txt) using:
cat subdomains.txt | gau | grep '\.js' > js.txt
katana -list subdomains.txt -H "Cookie: session=989656" | grep '\.js' | anew js.txt
Now that we have the JavaScript endpoints stored in js.txt, we want to remove duplicates (note that "sort | uniq -u" would do the opposite of what we want: it keeps only lines that appear exactly once and silently drops any URL that was found twice). This can be done with:
sort -u js.txt > js1.txt
Then we need to check that the endpoints still exist and return a 200 OK status code, using httpx:
cat js1.txt | httpx -mc 200 > 200js.txt
We may want to delete the previous files or keep them for other testing, but the main thing is that we now have valid JavaScript endpoints stored in 200js.txt, one per line, in a format that can be passed as standard input to other tools.
To look for "X-Client-key" within every JavaScript endpoint, I used curl and bash to automate the flow:
for URL in $(< 200js.txt); do curl -s "$URL" | grep -n "X-Client-key" && echo "^ found in $URL"; done
This makes curl issue a GET request to each JavaScript endpoint and print any line containing X-Client-key (if found).
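The same collect, dedupe, check and grep flow as one function, added here as an example and not code from the original post: it reports which URL and line each hit came from and keeps minified one-line bundles readable. The FETCH hook and the COOKIE value are assumptions (the cookie is the constructed one from the post); the 200-status check is approximated with curl -f, which fails on 4xx/5xx responses.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# FETCH is an assumed hook for the command that retrieves a URL; by default it is
# curl with the post's constructed session cookie (a cookie value with spaces would
# need quoting beyond what this simple hook supports).
COOKIE="${COOKIE:-session=989656}"
FETCH="${FETCH:-curl -s -f -m 20 -H Cookie:$COOKIE}"

# Usage: scan_js_for_header <url-list-file> <header-name>
#   e.g. scan_js_for_header 200js.txt X-Client-key
# Prints one "<url>:<line>:<snippet>" per hit. Returns 0 if anything matched, 1 if not.
scan_js_for_header() {
  local list="$1" needle="$2" urls body url hits found=1
  urls="$(mktemp)"
  body="$(mktemp)"
  # sort -u keeps exactly one copy of every URL; "sort | uniq -u" would instead
  # discard any URL that appeared twice in the list.
  sort -u "$list" > "$urls"
  while IFS= read -r url; do
    [ -n "$url" ] || continue
    # curl -f makes 4xx/5xx responses fail, so dead endpoints are skipped rather
    # than grepped (the post's httpx -mc 200 step).
    $FETCH "$url" > "$body" 2>/dev/null || continue
    # -n: line number; -i: case variants of the header name; -o with up to 40
    # characters of context on each side avoids dumping an entire minified line.
    # The needle is interpreted as an extended regular expression.
    hits="$(grep -n -i -o -E ".{0,40}${needle}.{0,40}" "$body")" || continue
    found=0
    # awk prefixes each hit with its URL without caring about special characters
    printf '%s\n' "$hits" | awk -v u="$url" '{ print u ":" $0 }'
  done < "$urls"
  rm -f "$urls" "$body"
  return "$found"
}
```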
Happy Hunting ;)