How to look for JS file vulnerabilities for fun and profit?

Yeasir Arafat
3 min read · Aug 27, 2019


Hey Folks, it’s been a while since I was away from bug hunting. These days I have got some chances to focus on hunting again, so I decided to hunt on HackerOne, as I have got some private invitations there.

In the meantime, I chose an old private program, xyz.com. Worth mentioning that only the program’s main domain is in scope, not any subdomains or mobile apps. Seems tough? It had already been picked over by many researchers during a 3-year-long period, and after a few hours of surfing around, nothing came out of it. I decided to look into the JS files.

Trying to get Deep Inside

You may already know about LinkFinder. It’s a tool to discover endpoints in JS files, written by GerbenJavado. You can find it here: LinkFinder. For me, it turned up nothing useful this time.

Running LinkFinder against the target
Output result of LinkFinder

Automated tools didn’t turn out useful this time. One thing left: manual testing. I started digging through the source code, which has .js files. On most sites you can find the common main.js and app.js files. I took both of these, and after beautifying those messy JS files I found nothing useful. Here is an online tool that I mostly use to beautify JS files: https://www.prettifyjs.net. Then you can take the output into a text editor for better analysis.

Beautify the JS files

In the next step, I started looking at every JS file loaded after each request made, like signup/profile information, updating any information, and placing a bid. Keeping an eye on that, I created a new company account and noticed that there is a path declared in a JS file like this,

//# sourceMappingURL=app.js.map

I had previously found the URL while digging through the main.js file. It contains the site’s dist directory where the file is hosted. Something like this,

https://xyz.com/dist/main.js

In the place-bid request and the newly created company profile request, I found JS files whose source map paths were declared as,

//# sourceMappingURL=seller-join.js.map
//# sourceMappingURL=done.js.map

Finally, I replaced the mapping URL with the main domain link,

https://xyz.com/dist/seller-join.js.map
https://xyz.com/dist/company-account/done.js.map

I was able to download both files, and those .js.map files contained the newly created company profile information and the user who had placed a bid recently.

Downloaded information

After confirming the vulnerability, I filed a report to the program. Within 3 hours the issue was fixed and awarded by the team.

Proof

A few things to mention,

Keep your eyes open and try to understand what actually happens behind each request. Search .js files for keywords like username, userID, email, token, auth_key, password, and credentials. If you’re lucky enough, you can find juicy information under a .js file using those keywords. You can also use the well-known JSON Beautifier Burp extension, which is available in the BApp store: https://portswigger.net/bappstore/309ef28d45ff4f19bedfed3896cb3ca9
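The two steps above (resolving a sourceMappingURL directive against the directory the bundle was served from, then grepping the map’s embedded sources for the listed keywords) are worth scripting so you can check your own builds before release. The following is an added example, not the author’s tooling; xyz.com is the post’s placeholder domain, the bundle and source map are constructed inline, and fetch is a caller-supplied callable so the check runs offline.

```python
import json
import re
from urllib.parse import urljoin

# Matches a sourceMappingURL directive ("//#" or the older "//@" form). The lazy
# group stops at whitespace, end of line, or the start of another directive, so
# two directives run together on one line are still split correctly.
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(.+?)(?=\s|//[#@]|$)", re.M)

# Keywords from the post; matching is case-insensitive.
SENSITIVE_KEYWORDS = ("username", "userid", "email", "token", "auth_key",
                      "password", "credentials")


def find_source_map_urls(js_text, script_url):
    """Return every source map URL declared in js_text, resolved against the URL
    the script was served from, so a bare 'done.js.map' referenced from
    https://xyz.com/dist/company-account/done.js resolves into that directory."""
    return [urljoin(script_url, m.group(1)) for m in SOURCEMAP_RE.finditer(js_text)]


def scan_source_map(map_text, keywords=SENSITIVE_KEYWORDS):
    """Parse a source map and report which embedded original sources contain
    sensitive-looking keywords. Returns {source_name: [keyword, ...]}."""
    smap = json.loads(map_text)
    findings = {}
    for name, content in zip(smap.get("sources", []), smap.get("sourcesContent") or []):
        hits = [k for k in keywords if content and k in content.lower()]
        if hits:
            findings[name] = hits
    return findings


def audit_script(js_text, script_url, fetch):
    """fetch(url) returns the map body, or None if it is not reachable. Every
    reachable map is reported, since even a map with no keyword hits exposes
    the original source publicly."""
    report = {}
    for url in find_source_map_urls(js_text, script_url):
        body = fetch(url)
        if body is not None:
            report[url] = scan_source_map(body)
    return report


# Constructed sample: a minified bundle with a map directive, and a map whose
# embedded source carries an e-mail address and an auth_key (placeholder values).
SAMPLE_JS = "!function(){}();\n//# sourceMappingURL=done.js.map\n"
SAMPLE_MAP = json.dumps({
    "version": 3,
    "sources": ["src/company-account/done.js", "src/util.js"],
    "sourcesContent": ["const p = {email: 'owner@example.test', auth_key: 'PLACEHOLDER-KEY'};",
                       "export const add = (a, b) => a + b;"],
    "mappings": "AAAA",
})

if __name__ == "__main__":
    offline_fetch = lambda url: SAMPLE_MAP if url.endswith("done.js.map") else None
    print(audit_script(SAMPLE_JS, "https://xyz.com/dist/company-account/done.js", offline_fetch))
```

Against a live deployment, pass a fetch that does an HTTP GET and returns None on a non-200 response; a non-empty report means source maps are reachable from the public dist directory.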

Thanks for reading! Yeasir Arafat


Yeasir Arafat

Entrepreneur || 9+ years of experience in Offensive and Defensive Operations. Synack Red Team Member.