How I Discovered an Exposed API Access Token🔑 in a JavaScript File, Uncovering Sensitive Company Internal Data

B0d4
2 min readOct 16, 2023

Introduction

Hello hackers,

Today I’m going to walk you through how I managed to access sensitive company data, stored with a third party, through an API access token found by analysing the client-side JavaScript code. I’ll also show you how I automated this process for future discoveries. So, let’s dive in!

Steps for Identification and Exploitation

Step 1 (Reconnaissance)

1. Subdomain enumeration using subfinder

subfinder -d Host.com | tee Domains.txt

2. Filter the live hosts from the subfinder output using httpx

httpx -l Domains.txt | tee Live_Hosts.txt

3. Get all JavaScript files from the live hosts using Katana (the dot is escaped so that only real .js URLs, with or without a query string, are kept)

katana -u Live_Hosts.txt | grep -E '\.js(\?|$)' | tee Js_urls.txt

Step 2 (Searching for secrets in the JavaScript URLs)

In this step I used a tool called Mantra.

It reads the JavaScript URLs from a text file, fetches each file and searches its contents for keywords such as API, API key, access token, password, secret and more.

cat Js_urls.txt | Mantra

And I got this output

So I visited the JavaScript file associated with this token to see whether it should be public to anyone or not.

And I found that it is used to authenticate users to another third party, which holds company information about users, roles, emails, IDs and more, via this curl command:

curl -H "Authorization: apikey token=X" http://Host.com/users

After more searching, it turned out that I could perform these API calls with this token: add a new user, delete a user, reset any user's password.

So I reported it and it was validated as CRITICAL.
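To automate Step 2 without depending on Mantra, here is an added example (my own code, not the author's script or Mantra's source) of the same idea: a scanner that walks JavaScript source for quoted literals assigned to suspicious names such as apiKey, password or Authorization, then uses length and Shannon entropy to separate real-looking keys from placeholders and from header prefixes like "apikey token=" that only get their value at runtime. The keyword list, thresholds and the SAMPLE_JS content are my assumptions, constructed for the example; the sample is not the file from the write-up.

```python
"""Minimal JavaScript secret scanner (added example, not Mantra's code)."""
from __future__ import annotations

import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Normalised substrings (lower-case, '_' and '-' removed) that make an
# identifier or object key suspicious. Assumption: our own list, not Mantra's.
SECRET_WORDS = (
    "apikey", "accesstoken", "authtoken", "authorization",
    "secret", "password", "passwd", "credential", "token",
)

# identifier or object key, optional closing quote, ':' or '=', then a
# single-line quoted literal of at least 8 characters
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_-]*)\s*["']?\s*[:=]\s*["'](?P<value>[^"'\n]{8,})["']"""
)

MIN_LEN = 16        # shorter literals are usually placeholders or prefixes
MIN_ENTROPY = 3.0   # bits per character; random keys sit well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _normalise(name: str) -> str:
    return name.lower().replace("_", "").replace("-", "")


@dataclass
class Finding:
    line: int
    name: str
    value: str
    entropy: float

    @property
    def likely_secret(self) -> bool:
        # Long and high-entropy: worth verifying by hand. Short or low-entropy
        # hits (e.g. "changeme", or a scheme prefix concatenated at runtime)
        # are still reported, but as weak.
        return len(self.value) >= MIN_LEN and self.entropy >= MIN_ENTROPY


def scan_js(source: str) -> list[Finding]:
    """Return every quoted literal assigned to a secret-looking name."""
    findings: list[Finding] = []
    for m in ASSIGNMENT.finditer(source):
        name, value = m.group("name"), m.group("value")
        if not any(w in _normalise(name) for w in SECRET_WORDS):
            continue
        line = source.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, name, value, shannon_entropy(value)))
    return findings


def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_js(fh.read())


# Constructed sample JavaScript; not the file from the write-up.
SAMPLE_JS = """\
// Constructed sample, not the file from the write-up.
const API_BASE = "https://api.example.com";
const config = {
  "apiUrl": API_BASE,
  apiKey: "a9f3c1e7b2d84f06a5c3e9d1b7f2a4c8",
  retries: "3",
};
const password = "changeme";
fetch(API_BASE + "/users", {
  headers: { "Authorization": "apikey token=" + config.apiKey },
});
"""

if __name__ == "__main__":
    # Usage: python scan_js_secrets.py file1.js file2.js ...
    # With no arguments the constructed sample is scanned instead.
    paths = sys.argv[1:]
    results = ([(p, f) for p in paths for f in scan_file(p)] if paths
               else [("sample.js", f) for f in scan_js(SAMPLE_JS)])
    for path, f in results:
        flag = "LIKELY" if f.likely_secret else "weak"
        print(f"{path}:{f.line} {flag:6} {f.name} = {f.value!r} "
              f"(entropy {f.entropy:.2f})")
```

On the sample this reports the 32-character apiKey as LIKELY and the other two hits as weak: "changeme" is short and low-entropy, and the Authorization header holds only the "apikey token=" prefix because the real value is concatenated at runtime. To feed it the Js_urls.txt list from Step 1, download each URL to a file first (for example with curl or wget) and pass the files as arguments. Every LIKELY hit still has to be confirmed by hand, as the write-up does, with a read-only request such as the curl command above; do not exercise the destructive endpoints (add, delete, reset) while testing.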

Thank you for appreciating the content! If you enjoy reading, you might follow me on LinkedIn
