This is another bug bounty automation blog explaining my thought process for crawling and enumerating JavaScript file. Modern web applications are heavily built on JavaScript. Starting from API calls to most business logics, many critical functionalities are built on client-side nowadays. It is just that if we are able to completely understand the client side logic of a target, then we will able to disclose some unique vulnerabilities.
There are lot of great open source tools specifically built for crawling and enumerating JavaScript files. Every bug hunting individual will have unique thought process in terms of approaching the target and that is what make everyone find different vulnerabilities. Since I have been exploring more on web application, I was wondering how to tweak existing methodologies. My thought process is what if I am able to automate my methodology according my requirement?
My requirement is to enumerate each end URL of website and get below details,(Example: https://example.com)
- Get all the links and JavaScript files existing under the given end URL.(Tool: hakrawler)
- Identify sensitive information in the given end URL and JavaScript files.(Tool: gf from Tomnomnom)
- Extract any subdomains hidden inside the JavaScript files.(Tool: JSFinder.py)
- Extract the relative and absolute path from JavaScript files.(Tool: jsa.py)
- Extract secrets and links from JavaScript files using JScanner. (Tool: JScanner.py)
- Finally, find hidden secrets using nuclei. (Tool: nuclei)
Note: All the tools outlined above are open source tools. We can use them at our own risk and not to hack others.
Github link:
Let me explain my approach with screenshots. I have given comments wherever required to make them easily understandable. Below screenshot shows how to extract only the FQDN value (domain name) from a given URL.
Get all the links and JavaScript files existing under the given end URL:
After extracting the domain value from the given URL, the value is passed to hakcrawler to crawl and extract all possible links and JavaScript files under the given path. The results are stored into “files_tmp.txt” temporarily and later refined such a way that the file contains only domain related values (grep -i “$domain”) in there.
Now, file name “files.txt” will contain the results.
Identify sensitive information in the given end URL and JavaScript files:
The screenshot given above shows the file called “gf_patterns”. There are multiple gf patterns created by Tomnomnom to identify the patterns inside a file. This tool is very useful when hunter would like to identify patterns such as looking for AWS_keys, firebase URL or details and so on. The great flexibility about gf tool is any bug bounty hunter will be able to create his/her pattern according their need.
As part of my script I have utilized only a part of the patterns such as
- awskeys- check for aws keys in JavaScript files
- firebase-check for firebase URLs in JavaScript files
- json_file-check for Json file in JavaScript files
- s3-buckets-check for aws s3 buckets in JavaScript files
- sec-check for secrets in JavaScript files
- ip-check for ip addresses in JavaScript files
- upload-fields-check for file upload fields in JavaScript files
gf_PATTERN() function will load each JS files using command line browser called curl and identify the patterns outlined above using tool called gf. By doing this, the hunter will be able to find some hidden information inside JavaScript files.
Extract any subdomains hidden inside the JavaScript files:
As a bug bounty hunter everyone knows how important it is to find a subdomain. Since modern applications will have communications with multiple internal domains, it is a good strategy to find out subdomains referred inside the JavaScript. Because, most of the time hidden sub domains will be always running and might lead to internal access to the target as well.
JSFinder.py is an open source tool which can extract the subdomains related to our main domain from all JavaScript files.
Extract the relative and absolute path from JavaScript files:
Content discovery is one of the most important tasks in bug bounty hunting as it might disclose some sensitive information, installation files, back up files and so on. Most of the time hunters will perform content discovery using pre-defined list. However, I would strongly suggest all to create a customized directory list according to the target. Because, the probability of success is higher as compared to general wordlist.
JavaScript files reside in the target will immensely help us a lot identify directory paths. Because, those path will be used regularly and the paths will be unique as per the target as well.
“jsa.py” tool helped me a lot find out hidden directory paths inside JavaScript files.
Extract secrets and links from JavaScript files using JScanner:
JavaScript files are considered as treasure in modern day web applications. Sometimes, developers might mistakenly leave some sensitive information such as API keys, data base connection details on client side script. Thus, it is imperative to look for secrets and sensitive information inside JavaScript files.
JScanner tool help us identify secrets and sensitive information from JavaScript files.
Find hidden secrets using nuclei:
As outline above, nuclei also does great job in identifying sensitive information from JavaScript files. This tool has lot of templates created by security researchers. I would recommend everyone to explore this tool.
I hope you have enjoyed the content.!!!
Since most of the hunters know what each tools do, I did not want to waste your time explaining the functionality of the tools. I have just explained my approach in bug hunting. Hope everyone finds their own way!!!
I would like to give credits to all security researchers who have created these tools.
Disclaimer: You shall not misuse this information to gain unauthorized access. However you may try out these hacks on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is illegal.
References:
If you like the content, please follow me on medium and LinkedIn
LinkedIn: https://www.linkedin.com/in/pravin-r-p-oscp-28497712b/