The goldmine that are Javascript files for bug bounties

3 years ago 197

Hardcoded secrets are something that I find most frequently. In a recent case, I found credentials for an internal admin dashboard that had access to a huge amount of user PII and account controls. A lot of times there are test tokens and API keys that are hardcoded and still work.

In my experience, the best place to find these are in React and Angular applications. Many people seem to ignore them because of how intimidating they may look, for example:

This looks like a ton of gibberish because it is minified and obfuscated, but in reality it is a gold mine for bug hunters.

But first, a few tips for finding them:

React, Angular and Vue are Javascript frameworks mostly used for building Single Page Applications. A few ways to spot them:

- If you view-source and see a very small page, with a few Javascript files at the end named something like polyfills-<random-characters>.js or main-<random-characters>.js, then the website was probably built with one of these frameworks.
- Another way to find them is by using Nuclei's tech detect templates and looking for Angular, React, or Vue.
- You will also find such Javascript files at /app.js and by using tools like waybackurls. Just Google it, there are plenty of tools for finding js files.

Once I have found these, the next step is to find secrets from them. For this, I use a tool I wrote called JS-Secret-Finder. It fetches the Javascript files, and then uses GF with some custom profiles to automatically scan the file for secrets.

The way I use it is this:

echo <javascript_url> | ./js_secret_finder.sh

Output from JS-Secret-Finder

The best part about this is that since it uses GF under the hood, you can quickly write custom GF profiles to look for anything that is missing.

Another great part about Javascript files (especially the ones from these frameworks) is that they have a huge number of endpoints and links. Many of these endpoints are company-specific and not something you would find in a random wordlist. It is a good idea to create custom, company-specific wordlists, and these files are a great way to build them. The way I do it is by using LinkFinder to store all endpoints from multiple Javascript files in a wordlist.

python3 ~/tools/LinkFinder/linkfinder.py -d -i "https://target.com/app.js" -o cli | anew wordlist.txt

Then I use this custom wordlist across all assets of the company. It really is a super simple and highly effective way of finding hidden endpoints and admin panels in applications. And since developers are lazy and tend to reuse stuff, you will find the same issue in multiple assets!
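As an added example (not the author's JS-Secret-Finder or LinkFinder, and not code from the post), here is a small Python scanner that does both jobs described above: pattern-matching a bundle for hardcoded secrets in the style of a GF profile, and pulling the quoted endpoint paths out into a wordlist. The patterns, the minified sample bundle and every value in it are constructed for the demo. Run against your own build output before it ships, it is equally useful on the defensive side.

```python
"""Scan a JavaScript bundle for hardcoded secrets and endpoint paths (added example)."""
import re

# A small pattern set in the spirit of a GF profile (assumed for this demo, not the
# author's profiles). Kept deliberately short so every hit is explainable.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]"""),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9_\-.=]{20,}"),
}

# Quoted strings that look like absolute URLs or URL paths (LinkFinder-style).
ENDPOINT_RE = re.compile(r"""['"]((?:https?://[^'"\s]+)|(?:/[A-Za-z0-9_\-./?=&]+))['"]""")


def find_secrets(js_text: str) -> list:
    """Return (pattern_name, matched_text) pairs, deduplicated, in pattern order."""
    hits = []
    for name, rx in SECRET_PATTERNS.items():
        for m in rx.finditer(js_text):
            hit = (name, m.group(0))
            if hit not in hits:
                hits.append(hit)
    return hits


def extract_endpoints(js_text: str) -> list:
    """Return the unique endpoint paths/URLs, sorted, ready to use as a wordlist."""
    return sorted({m.group(1) for m in ENDPOINT_RE.finditer(js_text)})


# Constructed minified-looking bundle; every key, token and host here is made up.
SAMPLE_JS = (
    'var e={apiKey:"sk_live_examplekey_0123456789",region:"us-east-1"};'
    'const c="AKIAEXAMPLEKEY000001";'
    'fetch("/api/v1/admin/users",{headers:{Authorization:'
    '"Bearer eyJhbGciOiJIUzI1NiJ9.e30.demo_signature_value"}});'
    'axios.get("https://internal.example.com/v2/export");'
    'window.location="/login?next=/dashboard";'
)

if __name__ == "__main__":
    for name, value in find_secrets(SAMPLE_JS):
        print(f"[secret] {name}: {value}")
    for path in extract_endpoints(SAMPLE_JS):
        print(f"[endpoint] {path}")
```

Each regex is a starting point; extend SECRET_PATTERNS the same way you would add a GF profile when a target uses a token format the defaults miss.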

Once that is done, I try to manually look through the Javascript file to see if there is anything interesting. But of course, the file we saw earlier is not very readable. For prettifying it, I use Prettier.io to get more readable code. There are also command-line tools like jsbeautifier; use whatever works best for you!

And that is mostly what my process is for hunting secrets in Javascript files! There is more to be done though; for example, my processes for identifying business logic issues and harmful DOM sinks from Javascript files are not very fleshed out, and I would really appreciate some suggestions for learning those!
