Hello Friends,
This is a small post to explain how I was able to passively find secrets in a JavaScript file.
I used a Burp Suite extension called jsluice++, which is available on GitHub.
After installing the extension, just select the settings as shown below, as this will notify you as soon as a secret is found in the JavaScript file.
(Bear in mind that like most extensions, this one does report false positives as well.)
After selecting the options, set the scope in Burp Suite & start browsing the application. The extension will notify you as soon as an API key, password, token etc. is found in any JavaScript file belonging to the in-scope URL.
In my case I was able to find some sensitive information.
I checked to see if the AWS KEY & SECRET were exploitable, but it turned out that they had already expired.
So, I opened the JavaScript file & checked it manually. There was plenty of sensitive information disclosed, like AWS KEY, AWS SECRET, App Versions, Internal Paths, Tokens etc.
Since I had no idea how to exploit the rest of the information found in the file, I reported this to the program.
Although the file exposed a lot of values, only one value “VERCEL_TOKEN” caught their attention. They said that it is a cause for concern & that it should not be disclosed publicly.
I had submitted this finding as Critical but since only the VERCEL_TOKEN was exploitable, it was marked as High.
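From the defender's side, the same class of leak can be caught before a bundle is deployed. The following is an added example, not part of the original post and not jsluice++'s own code: a Node.js check that looks for AWS access key IDs and secret-named assignments such as VERCEL_TOKEN, with an entropy filter to cut false positives. The patterns, the threshold and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: pre-deploy secret check for client-side JavaScript bundles.
// Patterns and the entropy threshold are illustrative assumptions.

// AWS access key IDs: 20 chars, prefix AKIA (long-term) or ASIA (temporary).
const AWS_KEY_ID = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g;

// Assignments whose name suggests a secret, e.g. VERCEL_TOKEN:"..." or api_key = '...'
const NAMED_SECRET =
  /\b([A-Za-z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_?KEY)[A-Za-z0-9_]*)["']?\s*[:=]\s*["']([^"'\s]{8,})["']/gi;

// Shannon entropy in bits per character; placeholders and paths score low.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// 1-based line number of a match offset.
function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// Returns findings with values redacted so the report itself leaks nothing.
function scanBundle(text, minEntropy = 3.5) {
  const findings = [];
  for (const m of text.matchAll(AWS_KEY_ID)) {
    findings.push({ type: "aws-access-key-id", line: lineOf(text, m.index),
                    preview: m[0].slice(0, 4) + "..." });
  }
  for (const m of text.matchAll(NAMED_SECRET)) {
    const [, name, value] = m;
    if (entropy(value) < minEntropy) continue; // likely a placeholder, not a secret
    findings.push({ type: "named-secret", name, line: lineOf(text, m.index),
                    preview: value.slice(0, 4) + "..." });
  }
  return findings;
}

// Constructed sample bundle; every value below is fake.
const SAMPLE_BUNDLE = [
  'var cfg={appVersion:"2.4.1",',
  'AWS_KEY:"AKIAEXAMPLEEXAMPLE00",',
  'VERCEL_TOKEN:"q7Zp2LmX9vTr4KdW8sNb3HcY",',
  'password:"changeme",',
  'tokenEndpoint:"/api/token"};',
].join("\n");

console.log(scanBundle(SAMPLE_BUNDLE));
```

Run a check like this over the built output in CI and fail the build on any finding; values that must stay secret belong in server-side configuration, not in code shipped to the browser.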
So, always submit a report even if you are unsure how to exploit the information available in front of you. If it’s an honest program, you will definitely be rewarded.
Hope you guys come across Critical findings using this method.
Have a good day!! Keep hacking…. 😃
Disclaimer: This blog is for educational purposes only. Please do not engage in unauthorized testing.