Hi readers, hope you are doing well. This is my first Medium article, and it explains how to actually perform static analysis on JavaScript file(s) from a bug hunter's perspective.
Static analysis of JavaScript files is usually done for debugging purposes, but it also provides great value to a bug hunter or security researcher. Here's the best part: you don't need to master JavaScript to do static analysis; if you understand the basics you are good to go. So let's get right into it.
What to look for:
- Information that increases the attack surface (URLs, domains, etc.)
- Sensitive information (passwords, API keys, storage, etc.)
- Dangerous code (eval, dangerouslySetInnerHTML, etc.)
- Components with known vulnerabilities (outdated frameworks)

Although it may sound obvious, collecting the JavaScript files is a crucial part of the analysis. I will go over two methods to do this.
1. Manually spider the website using Burp Suite:
First set up a Burp proxy and start capturing requests.
Note: you can disable the "Intercept requests based on the following rules" option in Proxy > Options; with this you won't have to forward every request by hand.
Now visit every directory (use a directory fuzzer) and every page, and exercise the application. Then go to the Proxy tab in Burp Suite, Proxy > HTTP history, and enable the "Filter by file extension" option to show only the script files.
Now copy all the URLs, or if you have Burp Suite Pro you can use the export option: go to Target > Site map, right-click the URL > Engagement tools > Find scripts.
2. Using the waybackurls tool:
Installation (go get takes the import path, not an https URL; on Go 1.17 and newer use "go install github.com/tomnomnom/waybackurls@latest" instead):
root@kali$ go get github.com/tomnomnom/waybackurls
You can use the following command to extract JavaScript file URLs (sort -u both sorts and de-duplicates; uniq on its own only collapses adjacent duplicates, so it must never run before sort; note that the pattern also matches .json and similar, so tighten it if needed):
root@kali$ waybackurls example.com | grep "\.js" | sort -u
Note: it may return false positives (URLs that no longer resolve), so you can use the following command to check each URL's status code and response size in parallel:
root@kali$ cat url_list.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk
After completing step 1 you will have quite a few JavaScript files. These are usually obfuscated, which transforms the code to make it hard to read, steal or copy; to work with them we first need to de-obfuscate the code, which you can do with the following tools:
- JS Beautifier
- JStillery
- JSDetox
- IlluminateJs
- JSNice

Now that we have readable JavaScript files we can analyze them. What I usually look for are endpoints, hard-coded passwords, API keys, outdated frameworks, and potentially dangerous code. Doing this process manually is tiresome, so here are a few tools to make it easier.
- Endpoints, i.e. full URLs and relative paths: you can use relative-url-extractor by Jobert Abma and LinkFinder by Gerben Javado.
- Passwords and API keys: DumpsterDiver, Repo-supervisor and truffleHog are some awesome tools for regex search and entropy search; you can also use grep, awk and sed.
- Dangerous code: usage of innerHTML may indicate possible XSS; the equivalent in the React framework is dangerouslySetInnerHTML.
- Improper usage of bypassSecurityTrustX methods in Angular may lead to XSS. Note: X in bypassSecurityTrustX can be Html, Script, Style, Url or ResourceUrl.
- Improper use of the eval function.
- The postMessage API may bypass SOP (Same-Origin Policy). On the sender side look for window.postMessage and on the receiver side look for window.addEventListener. Note: a lot of frameworks use wrappers around postMessage.
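To make the postMessage item concrete, here is an added example (not code from the article) showing what a `window.addEventListener("message", ...)` finding means at runtime: a receiver that trusts any origin and feeds the payload to an HTML sink, next to a hardened receiver that pins the sender origin, validates the payload shape and only exposes the value for a text sink, plus a sender helper that refuses the wildcard target origin. The event objects, origins and payloads are constructed for the demo and shaped like a browser MessageEvent so the code runs in Node.

```javascript
// Added example, not from the article: what a "window.addEventListener('message', ...)"
// finding means at runtime, shown as a vulnerable receiver next to a hardened one.
// The events below are constructed objects shaped like MessageEvent ({ origin, data }),
// so the code runs in Node without a browser.

// Vulnerable receiver: accepts any origin and returns the payload as HTML.
// In a page this is the pattern `document.body.innerHTML = event.data`.
function insecureReceiver(event) {
  return { accepted: true, html: String(event.data) };
}

// Hardened receiver: pins the expected sender origin, validates the payload shape,
// and exposes the value only for a text sink (textContent), never an HTML sink.
function hardenedReceiver(event, allowedOrigin) {
  if (event.origin !== allowedOrigin) {
    return { accepted: false, reason: "origin not allowed: " + event.origin };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.text !== "string") {
    return { accepted: false, reason: "unexpected payload shape" };
  }
  if (data.text.length > 256) {
    return { accepted: false, reason: "payload too long" };
  }
  return { accepted: true, text: data.text };
}

// Sender side: name the target origin explicitly. With "*" the message is delivered
// to whatever document happens to be loaded in the target window, which is how
// data ends up at the wrong origin.
function buildPostMessageArgs(payload, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing wildcard targetOrigin; pass the exact origin");
  }
  return [payload, targetOrigin]; // spread into targetWindow.postMessage(...)
}

// Constructed sample events (not real traffic).
const fromUnknownOrigin = { origin: "https://unknown.example", data: "<b>injected markup</b>" };
const fromPartner = { origin: "https://partner.example", data: { text: "hello" } };

function demo() {
  return {
    insecure: insecureReceiver(fromUnknownOrigin), // accepted: HTML from any origin reaches the page
    hardenedRejects: hardenedReceiver(fromUnknownOrigin, "https://partner.example"),
    hardenedAccepts: hardenedReceiver(fromPartner, "https://partner.example"),
    sendArgs: buildPostMessageArgs({ text: "hello" }, "https://partner.example"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

When reviewing a real listener, the three things to check are exactly the three branches of `hardenedReceiver`: is `event.origin` compared against an exact value (not a substring or regex that a look-alike origin satisfies), is the payload type-checked before use, and does the value end at a text sink rather than innerHTML or eval.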
4. Using security linters & static security scanners:
- JSPrime is a static analysis tool for finding security issues in JavaScript code, but the project hasn't been updated in a while.
- ESLint is one of the most popular JavaScript linters.
- Retire.js is a tool that can identify outdated JavaScript frameworks in use. It can be used as a standalone tool, browser extension, grunt plugin or Burp/ZAP extension.
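As an added example (not code from the article or from any of the tools it names), here is a minimal Node script that does, in one place, the three searches from the analysis list in step 3 that the scanners above automate: endpoint extraction with a regex, secret detection by keyword and by Shannon entropy, and a line-by-line check for the dangerous sinks named in the article (eval, innerHTML, dangerouslySetInnerHTML, bypassSecurityTrustX, postMessage and message listeners). The bundle it scans (`SAMPLE_JS`), the hostnames, the key-like strings and the entropy threshold of 3.5 bits per character are all constructed for the demo; replace `SAMPLE_JS` with the contents of a beautified file to use it.

```javascript
// Added example, not from the article or any of the tools it names: a minimal
// regex-plus-entropy scanner of the kind LinkFinder, truffleHog or JSPrime
// automate. It runs over a constructed, beautified bundle (SAMPLE_JS below).

const SAMPLE_JS = `
const API_BASE = "https://api.example.com/v2";
fetch(API_BASE + "/users/me");
fetch("/internal/admin/export?format=csv");
const cfg = { apiKey: "AKIA0000EXAMPLEKEY00" };
const sig = "9f8d7e6c5b4a39281706f5e4d3c2b1a0";
document.getElementById("out").innerHTML = location.hash.slice(1);
eval(params.get("cb"));
window.addEventListener("message", function (e) { document.body.innerHTML = e.data; });
`;

// 1. Endpoints: quoted absolute URLs or quoted paths starting with "/".
const ENDPOINT_RE = /["'`](https?:\/\/[^"'`\s]+|\/[A-Za-z0-9_\-.\/?=&%]+)["'`]/g;
function findEndpoints(src) {
  return [...new Set([...src.matchAll(ENDPOINT_RE)].map((m) => m[1]))];
}

// 2a. Secrets by keyword: a credential-looking name followed by a string literal.
const KEYWORD_RE = /\b(api[_-]?key|secret|token|passw(?:or)?d|auth)\b\s*[:=]\s*["'`]([^"'`]{8,})["'`]/gi;
// 2b. Secrets by entropy: long key-like literals (hex/base64 alphabet) with high entropy.
const KEYLIKE_RE = /["'`]([A-Za-z0-9+\/=_-]{20,})["'`]/g;

// Shannon entropy in bits per character; 32 hex chars with every digit used twice give 4.0.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function findSecrets(src, minEntropy = 3.5) {
  const findings = [];
  for (const m of src.matchAll(KEYWORD_RE)) {
    findings.push({ method: "keyword", name: m[1], value: m[2] });
  }
  for (const m of src.matchAll(KEYLIKE_RE)) {
    const h = shannonEntropy(m[1]);
    // Low-entropy literals such as the demo "AKIA..." value only surface via the keyword rule.
    if (h >= minEntropy) findings.push({ method: "entropy", entropy: +h.toFixed(2), value: m[1] });
  }
  return findings;
}

// 3. Dangerous sinks from the article's list. These regexes are deliberately NOT global:
// a global regex keeps lastIndex between .test() calls and would silently skip matches.
const SINKS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "innerHTML assignment", re: /\.innerHTML\s*=/ },
  { name: "dangerouslySetInnerHTML", re: /dangerouslySetInnerHTML/ },
  { name: "bypassSecurityTrust*", re: /bypassSecurityTrust(Html|Script|Style|Url|ResourceUrl)\s*\(/ },
  { name: "postMessage sender", re: /\.postMessage\s*\(/ },
  { name: "message listener", re: /addEventListener\s*\(\s*["'`]message["'`]/ },
];

function findDangerousSinks(src) {
  const findings = [];
  src.split("\n").forEach((line, i) => {
    for (const sink of SINKS) {
      if (sink.re.test(line)) findings.push({ sink: sink.name, line: i + 1, code: line.trim() });
    }
  });
  return findings;
}

function scan(src) {
  return { endpoints: findEndpoints(src), secrets: findSecrets(src), sinks: findDangerousSinks(src) };
}

console.log(JSON.stringify(scan(SAMPLE_JS), null, 2));
```

Every hit is a lead, not a finding: the entropy rule misses structured keys with repeated characters (which is why the keyword rule exists alongside it), and a sink hit such as `innerHTML =` is only a problem when the right-hand side is attacker-controlled, which is what the manual review after the scan has to establish.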