How to look for JS file vulnerabilities for fun and profit?

Yeasir Arafat
Aug 27, 2019 · 3 min read

Hey folks, it's been a while since I stepped away from bug hunting. These days I have had some chances to focus on hunting again, so I decided to hunt on HackerOne, as I have received some private invitations there.

In the meantime, I chose an old private program, xyz.com. Worth mentioning: only the program's main domain is in scope, not any subdomains or mobile apps. Seems tough? It had already been picked over by many researchers over a 3-year period, and after a few hours of surfing around I came up with nothing. So I decided to look into the JS files.

[Image: Trying to get deep inside]

You may already know about LinkFinder, a tool for discovering endpoints in JS files, written by GerbenJavado. You can find it here: LinkFinder. For me, it turned up nothing useful this time.

[Image: Running LinkFinder against the target]

[Image: Output of LinkFinder]

Automated tools were no help this time, so the one thing left was manual testing. I started digging through the source code that loads .js files. On most sites you can find the common main.js and app.js files. I took both of these, and after cleaning up those messy JS files I found nothing useful. Here is an online tool that I mostly use to beautify JS files: https://www.prettifyjs.net. Then you can take the output into a text editor for closer analysis.

[Image: Beautifying the JS files]

In the next step, I started looking at every JS file loaded after each request, such as signup/profile information, updating any information, and placing a bid. Keeping an eye on that, I created a new company account and noticed a path declared inside a JS file like this:

//# sourceMappingURL=app.js.map

I had found a URL like that earlier while digging through main.js. It reveals the site's dist directory where the file is hosted, something like this:

https://xyz.com/dist/main.js

In the place-bid and newly created company profile requests, I found JS files whose map paths were declared as:

//# sourceMappingURL=seller-join.js.map
//# sourceMappingURL=done.js.map

Finally, I resolved each sourceMappingURL against the main domain's dist path:

https://xyz.com/dist/seller-join.js.map
https://xyz.com/dist/company-account/done.js.map

I was able to download both files, and they contained the newly created company profile information and the user who had placed a bid most recently.

[Image: Downloaded information]

After confirming the vulnerability, I filed a report with the program. Within 3 hours the issue was fixed and awarded by the team.

[Image: Proof]

A few things to mention:

Keep your eyes open and try to understand what actually happens behind each request. Search the .js files for keywords like username, userID, email, token, auth_key, password, and credentials. If you're lucky enough, you can find juicy information under those keywords in a .js file. You can also use the well-known JSON Beautifier Burp extension, which is available in the BApp Store: https://portswigger.net/bappstore/309ef28d45ff4f19bedfed3896cb3ca9
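The two techniques above, resolving sourceMappingURL comments against the JS file's own URL and then grepping the result for sensitive keywords, fit naturally into one small audit script that a team can run against its own production bundles. The following is an added example written for this post, not the author's code or a tool the post mentions. The xyz.com path reuses the post's example domain; the JS tail, the source map contents, the placeholder auth_key value and the fake_fetch helper are all constructed here so the script runs offline. The regex deliberately handles two map comments run together without a newline, the form shown above.

```python
import json
import re
from urllib.parse import urljoin

# Constructed sample: the tail of a bundled JS file, with two map comments run
# together the way the post shows them (no newline between the comments).
SAMPLE_JS = (
    "console.log('seller join');\n"
    "//# sourceMappingURL=seller-join.js.map"
    "//# sourceMappingURL=company-account/done.js.map\n"
)

# Constructed sample source map with an embedded original source.
# The auth_key line holds an obvious placeholder, not a real secret.
SAMPLE_MAP = json.dumps({
    "version": 3,
    "sources": ["src/seller-join.js"],
    "sourcesContent": [
        "const form = {};\n"
        "const auth_key = 'CONSTRUCTED-PLACEHOLDER';\n"
    ],
    "mappings": "AAAA",
})

# Keywords taken from the post's closing advice.
SENSITIVE_KEYWORDS = ("username", "userid", "email", "token",
                      "auth_key", "password", "credentials")

# Matches "//# sourceMappingURL=<target>" (and the older "//@" form); the target
# ends at whitespace, end of text, or the start of the next map comment.
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(.+?)(?=//[#@]|\s|$)")


def find_sourcemap_urls(js_text, js_url):
    """Return the absolute URL of every hosted source map referenced in js_text.

    Relative targets are resolved against js_url, as browser devtools do;
    inline data: maps are skipped because nothing is hosted for them."""
    urls = []
    for match in SOURCEMAP_RE.finditer(js_text):
        target = match.group(1)
        if target.startswith("data:"):
            continue
        urls.append(urljoin(js_url, target))
    return urls


def scan_map_for_keywords(map_text, keywords=SENSITIVE_KEYWORDS):
    """Return (source file, keyword, line number) for every keyword hit in the
    original sources a source map embeds under sourcesContent."""
    try:
        smap = json.loads(map_text)
    except json.JSONDecodeError:
        return []  # not a source map (e.g. an HTML error page): nothing to scan
    hits = []
    contents = smap.get("sourcesContent") or []
    for name, content in zip(smap.get("sources", []), contents):
        if not content:
            continue  # a map may list sources without embedding their text
        for lineno, line in enumerate(content.splitlines(), 1):
            lowered = line.lower()
            hits.extend((name, kw, lineno) for kw in keywords if kw in lowered)
    return hits


def audit_js(js_url, js_text, fetch=None):
    """Map each referenced .map URL to its keyword hits, or to None when the
    map is not reachable (the state a production deployment should be in).

    fetch(url) returns the response body text or raises; the default uses
    urllib, and the offline demo injects fake_fetch instead."""
    if fetch is None:
        from urllib.request import urlopen

        def fetch(url):
            with urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
    report = {}
    for map_url in find_sourcemap_urls(js_text, js_url):
        try:
            body = fetch(map_url)
        except Exception:
            report[map_url] = None
            continue
        report[map_url] = scan_map_for_keywords(body)
    return report


def fake_fetch(url):
    """Constructed offline stand-in for HTTP: only the seller-join map 'exists'."""
    if url.endswith("seller-join.js.map"):
        return SAMPLE_MAP
    raise OSError("404 Not Found")


if __name__ == "__main__":
    report = audit_js("https://xyz.com/dist/seller-join.js", SAMPLE_JS, fake_fetch)
    for url, result in report.items():
        state = "not reachable" if result is None else f"EXPOSED, hits: {result}"
        print(f"{url}: {state}")
```

Run it with the real fetcher (omit the fetch argument) against your own bundles and any map URL that comes back with a report other than None is a finding: the usual remedy is not to publish .map files to production at all, or to restrict who can retrieve them, since a map with sourcesContent ships the unminified original source to anyone who asks.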

Thanks for reading! Yeasir Arafat
