Hello Hacker, in this writeup I am going to explain the importance of looking at JS files on a website, some tools that I prefer, and one of my findings. So let's get started.
Why look at JS files?
JavaScript is something like the engine in a car: it holds more details than you can find anywhere else. In JS you can understand how the logic of the website works, and sometimes you find hardcoded gems like API keys, database credentials, admin panel passwords and many more things. I know that when we look at or open JS files they look so weird, and we generally start running ffuf, dirsearch or wfuzz and increase the traffic on the website. I generally prefer Google dorking or analyzing the JS files if they are available in the source code, and if I don't find anything then I go with directory fuzzing tools.
Which tools do I prefer for looking at JS files?
1. Trufflehog: This extension is available for both Google Chrome and Firefox and is used to find sensitive API keys, .git files, config files, secret keys and all that stuff. Truthfully, after using this tool and reporting many bugs like API keys and .git files, all of them were closed as NA, Informative or Duplicate, so I don't know whether it is best to use this tool every time or not. I am still using it, but now I am not reporting bugs like an API key or something similar found by this tool unless I can prove the real impact.
2. Linkfinder: I personally like this tool because it gives you all the paths or directories stored in JS files in a very organized way in your browser, and it also helped me find a vulnerability, which I will discuss later. Downloading and using this tool is very easy; here is the link 👇
3. JSA: Actually I have never used this tool, but I heard or read somewhere that it is also used for analyzing JS files, so I am adding it here and I will use it in my upcoming testing too. Link here 👇
Bug Discovery?
While testing one of the big companies I found a subdomain like discuss.xyz.com, and when I visited the page I could see only a welcome page: nothing special, no features, just a welcome message in the middle. So I thought to run ffuf and dirsearch, but sadly I didn't find anything interesting; all the paths were 404 or 403, and at the end I got nothing 🥺. I didn't leave it at that. I researched more and found the tool Linkfinder, which extracts hidden paths or directories from JS files. So I used this tool, and guess what? Where ffuf and dirsearch failed, this tool gave me some directories like /movies, /sip and /notifications. After analyzing all these endpoints, /movies and /notifications gave nothing, only a blank page, but the /sip page disclosed user information: users' real names, their profile pictures, their discussions about SIPs (changing the plan, closing the SIP, or learning more about their current SIP), and three mentors replying to all the questions, and so on. Lots of live data. Then I researched the app: is this meant to be publicly accessible or not? I learned that only a person who is verified, has done KYC and has started their daily SIP is authorized to join this community, so I felt I had found a valid bug 🤗. There are more features at this endpoint, like liking someone's comment, commenting on any question, and editing or deleting our own comment, but sadly all of these need a proper authorization token and I was unable to get that 😶. Still, this is a valid P4 bug because it only affects confidentiality, I guess.
Impact:
An attacker can get unauthorized access to read the messages of legitimate users along with their real names and profile photos, and from a user's questions an attacker can even guess what type of SIPs the user holds.
Mitigation:
The owner should implement proper authorization checks so that the confidentiality of users is properly secured.
Report Status:
Sadly, I submitted this report in Nov 2024 and am still waiting for their response; till now there has been no response from the company and the bug is still not fixed. Hope they will respond to me 🤞
Lesson Learned?
Don't rely on directory fuzzing tools only; also use JS file enumeration to find more paths or hidden paths and access them directly.
Anyway, hope for the best and just move on. I also want to tell you to use Linkfinder or JSA, because no wordlist contains the /sip or /movies endpoints, and even if a wordlist did contain these words there is the fear of 429 (Too Many Requests) and it would take more time compared with JS file enumeration. So be creative, move on and learn something new. Thank you for reading, I will see you in the next one 👋
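As an added illustration (not the author's code, and not any of the tools above), here is a small Python script in the spirit of LinkFinder and Trufflehog: it pulls URL and path literals out of a JS bundle, reduces them to top-level paths such as /sip that a generic wordlist would miss, and flags credential-looking literals for review. The sample bundle and the regexes are my own assumptions, useful for auditing your own front-end bundles before they ship.

```python
import re

# Constructed sample of a minified front-end bundle (not the real site's code).
SAMPLE_JS = r"""
const API="/api/v1";fetch(API+"/notifications").then(r=>r.json());
function loadSip(){return axios.get('/sip/discussions?page=1')}
const movies='/movies';
window.cfg={api_key:"EXAMPLE-PLACEHOLDER-KEY-0000",cdn:"https://cdn.example.com/assets/app.js"};
"""

# Quoted strings that look like a full URL or an absolute path, in the spirit of LinkFinder.
ENDPOINT_RE = re.compile(r"""["'`](https?://[^\s"'`]+|/[A-Za-z0-9_./?=&%-]+)["'`]""")

# Object keys or assignments whose name suggests a credential, in the spirit of Trufflehog.
SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*["']([^"']{8,})["']"""
)

def extract_endpoints(js: str) -> list[str]:
    """Return unique URL/path literals in order of first appearance."""
    seen: list[str] = []
    for m in ENDPOINT_RE.finditer(js):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def top_level_paths(endpoints: list[str]) -> list[str]:
    """First path segment of each relative endpoint, e.g. '/sip/x?y=1' -> '/sip'."""
    roots = {"/" + e.lstrip("/").split("/")[0].split("?")[0]
             for e in endpoints if e.startswith("/")}
    return sorted(roots)

def find_hardcoded_secrets(js: str) -> list[tuple[str, str]]:
    """(name, value) pairs for credential-looking literals; each still needs an impact check."""
    return [(m.group(1), m.group(2)) for m in SECRET_RE.finditer(js)]

if __name__ == "__main__":
    eps = extract_endpoints(SAMPLE_JS)
    print("endpoints:", eps)
    print("top-level paths (compare against your fuzzing wordlist):", top_level_paths(eps))
    print("credential-looking literals:", find_hardcoded_secrets(SAMPLE_JS))
```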