.png)
8 months ago
69 BOOK THIS SPACE FOR AD
ARTICLE AD
Hello Everyone,
Hope you’re all doing well, today we’re going to talk about JavaScript in penetration testing (bug-hunting) and how to find vulnerabilities in JS files manually and automatically. To start, let’s understand JavaScript.
Some Key Aspects Of JavaScript’s Significance In Web Development:
1. Interactivity: JavaScript is like the magic wand that makes web pages fun to use. It lets developers create things like cool image slideshows, pop-up boxes, and tooltips. You can click on stuff, and it responds without reloading the whole page.
2. Dynamic Content: Think of JavaScript as the secret sauce for real-time updates. It helps web pages show you the latest information without making you wait for the whole page to load again. This is handy for things like live social media feeds or chat, making the page feel quick and responsive.
3. Form Validation: Ever filled out a web form and gotten frustrated when you hit “submit” and it yells at you for missing something? JavaScript helps check your inputs as you type, so you get a heads-up if you make a mistake. That way, you’re less likely to submit incorrect info or forget something important.
It is now clear that JavaScript is widely used in a number of places throughout the company. Security professionals are always seeking to find loopholes in systems or particular technologies, break down the flow of applications, discover public exploits, and all those kinds of things we used to do on ourselves. So, let me just take a closer look at how JavaScript can be used in our penetration testing process in order to identify some significant opportunities for exploitation. Let’s talk about our JavaScript needs, including both manual and automated methods for gathering it, and utilizing tools to identify any potential vulnerabilities.
What We Are Looking in JavaScript:
New Endpoints and parametersSensitive Information (API key, authorization or tokens, leaked credentials, AWS and oauth secrets etc.)Sometime hidden feature which application not using at that timeHidden or internal portal/subdomainsManual Checking JavaScript:
In your web browser, right-click on the web page and select “View Page Source” or “Inspect.” This will open the developer tools, and you can navigate through the HTML source code. Look for JavaScript references within the HTML file, which are often included using <script> tags. You can click on these references to view the JavaScript code.
On occasion, developers inadvertently include sensitive data such as passwords or API keys directly within client-side JavaScript code. Detecting this information within the JavaScript code does not necessarily demand an extensive background in JavaScript programming, nor does it necessitate many years of experience.
Extracting JavaScript File With Burp Suite:
Make sure you set up your burp proxy and keep it running in background. Take a deep dive into your target, thoroughly examining all its features and endpoints. Once you’re done, head over to the proxy tab and configure the filters as shown below to capture all the JavaScript files. Don’t forget to copy all the results and save them in a file called “link.txt”.
Run below code in your kali machine or terminal to download the all “.js” file in your system.
Command: wget -P jsfiles -i link.txt
wget command, which can retrieve files from the web using HTTP and FTP protocols.-P option specify a different directory to save the files.-i option, which specifies a file that contains a list of URLs to download.After you can visit one by one file and check this all keywords manually “api key, api_key, password, secret, token, access, pwd, url, config, aws, s3” etc. Feel free to check out the GitHub repository below for additional examples of regular expressions:
https://github.com/l4yton/RegHex?source=post_page-----c95a8aa7037a--------------------------------
If you find any sensitive token or key then you can use this below repository to take your exploitation part further.
https://github.com/streaak/keyhacks
Extracting JavaScript File With Tools:
Required Tools — install these tools in your kali or system, you will get all repo and installation links below:
Gau: https://github.com/lc/gauWaybackurls: https://github.com/tomnomnom/waybackurlsHttpx: https://github.com/projectdiscovery/httpxSubjs: https://github.com/lc/subjsNuclei: https://github.com/projectdiscovery/nucleiSave this code in bash file at your system, here “target.txt” contain your target domains.
Here is explanation of each command:
cat target.txt | gau | grep ".js" | tee js.txtcat target.txt | waybackurls | grep ".js" | tee -a js.txt
This command reads the contents of the target.txt file, pipes it to the gau and waybackurls tool to extract URLs, pipes the output to grep to filter out only the URLs that contain .js, and finally pipes the output to tee to write the results to the js.txt file.
cat target.txt | subjs | httpx -mc 200 | tee -a js.txtThis command reads the contents of the target.txt file, pipes it to the subjs tool to extract JavaScript files, pipes the output to httpx to check the status code of each file, filters out only the files with a status code of 200, and finally pipes the output to tee to append the results to the js.txt file.
nuclei -l js.txt -t /root/nuclei-templates/http/exposures/ -o js_bugs.txtThis command uses the nuclei tool to scan the JavaScript files stored in the js.txt file for vulnerabilities using the templates located in the /root/nuclei-templates/http/exposures/ directory. The results of the scan are stored in a file named js_bugs.txt.
As above method we got “js.txt” which contain all JavaScript file, there is one tool in GitHub, the tool name is “Mantra”. A tool used to hunt down API key leaks in JS files and pages, you will find GitHub repository and installation steps in below link.
Mantra: https://github.com/MrEmpy/mantra
cat js.txt | MantraYou can use Secret finder to find sensitive endpoints and keys. Secret Finder is a python script based on Link Finder, written to discover sensitive data like apikeys, accesstoken, authorizations, jwt, etc. in JavaScript files. It does so by using jsbeautifier for python in combination with a fairly large regular expression. The regular expressions consist of four small regular expressions. These are responsible for finding and search anything on js files. you will find GitHub repository and installation steps in below link
Secret Finder : https://github.com/m4ll0k/SecretFinder
You can show the result in below screenshot.
JSFScan.sh
JSFScan.sh is tool which used for Automation for JavaScript recon in bug bounty. you will get this tool by this link https://github.com/KathanP19/JSFScan.sh It will extract JS files, extract some sensitive keyword, Endpoints, Secrets, Wordlist, Variable and more from the collected JS files. For more information of this tool, Refer this blog: https://kathanp19.medium.com/beginners-guide-on-how-you-can-use-javascript-in-bugbounty-492f6eb1f9ea
On the above screenshot, you can see our target domain jsfiles with endpoints, secrets, and more.
In this blog post we have covered some basic things that are essential while hunting on a target. However, when it comes to JavaScript files, there are many things that have not been covered in the post. Another tool that can be used to scan JavaScript files for secrets, URLs, and other revealing information is JS Miner, which is a Burp Suite extension. In addition, GetJS is a tool that can be used to extract .js files from a list of domains. Once the .js files are extracted, they can be searched for specific keywords to identify potential vulnerabilities.
This article aims to assist you in saving time during penetration testing and enhancing your comprehension of the significance of JavaScript in this field. We hope that this article will provide you with valuable insights on how to optimize your time during penetration testing and emphasize the crucial role of JavaScript in this context.
Thank you to everyone for reading!
Twitter: https://twitter.com/VivekGhinaiya
LinkedIn: https://www.linkedin.com/in/vivek-ghinaiya-b3b560202/
Bengali (Bangladesh) · 
English (United States) ·