Analyzing JavaScript Files for Bug Bounty Hunters

Published in Geek Culture · 3 min read · Apr 13, 2021

What is JS?

JavaScript is a client-side, object-oriented scripting language. In essence, this has several meanings:

  • Client-side: it runs on the computer of the client (victim)
  • Object-oriented (programming term)
  • Scripting language: this means cross-site scripting is also possible

Developers have used it over the years to make static websites more interactive and attractive, with things like JavaScript image carousels, but also with XHR and AJAX requests to the backend server that fill in a page automatically. JavaScript can do many things, and for this reason it's of interest to us.

We can analyze a JavaScript file either statically (without running it) or dynamically (debugging or running it). We will mostly focus on static analysis here.

What does a JS file contain?

Besides the regular cross-site scripting sinks (locations where our XSS attack vector is reflected in the JS), we can also find several other juicy secrets in there that we can use.

These secrets can include, but are not limited to:

  • New endpoints; one time I found a whole list of endpoints in the comments
  • Hidden parameters
  • API keys; sometimes they are supposed to be public, though, so be careful with these. Verify the impact before you report!
  • Business logic that we might be able to abuse, like client-side calculations of prizes
  • Secrets/passwords
  • Potentially dangerous areas in the JavaScript code, such as eval() or setting innerHTML. These are DOM sinks and can lead to DOM XSS
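A static pass over a script's text for the categories listed above, as an added example that is not part of the original article, written for auditing your own bundles before release. The rule set, the `scanSource` and `mask` names, and the sample source are assumptions constructed for illustration.

```javascript
// Added example: static pass over JavaScript source text (nothing is executed).
// The rules are illustrative assumptions, not an exhaustive rule set.
const RULES = [
  // DOM sinks: eval(), innerHTML/outerHTML assignment, document.write()
  { kind: 'dom-sink', re: /\beval\s*\(|\.(?:innerHTML|outerHTML)\s*=(?!=)|document\.write\s*\(/g },
  // Relative paths with two or more segments, in strings or comments
  { kind: 'endpoint', re: /(?<![\w\/])\/[\w-]+(?:\/[\w.{}-]+)+/g },
  // Query-string parameter names
  { kind: 'parameter', re: /[?&]([A-Za-z_]\w*)=/g },
  // Credential-looking assignments with a quoted value of 8+ characters
  { kind: 'secret', re: /\b(?:api[_-]?key|secret|passw(?:or)?d|token)\b["']?\s*[:=]\s*["'`]([^"'`]{8,})["'`]/gi },
];

// Keep only a prefix so the report itself does not leak the value.
const mask = (value) => value.slice(0, 4) + '***';

function scanSource(source, file = '<inline>') {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { kind, re } of RULES) {
      for (const m of text.matchAll(re)) {
        const hit = m[1] === undefined ? m[0] : m[1];
        findings.push({ file, line: i + 1, kind, match: kind === 'secret' ? mask(hit) : hit });
      }
    }
  });
  return findings;
}

// Constructed sample input; the key is a placeholder, not a real credential.
const SAMPLE = [
  '// old routes: /internal/reports/export and /api/v1/users',
  'const cfg = { apiKey: "EXAMPLE-KEY-0000000000" };',
  'fetch("/api/v2/orders?debug=1&role=" + role);',
  'el.innerHTML = location.hash.slice(1);',
  'if (a.innerHTML === "") eval(payload);', // comparison is ignored, eval() is flagged
].join('\n');

for (const f of scanSource(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line} [${f.kind}] ${f.match}`);
}
```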

Attack strategy

For our attack strategy, we first need to gather all the JavaScript files from a website. We have several options to do this automatically, or we can look in the HTML source code manually. The manual approach will not catch all the JS files, though: some files might be nested (a JS file called from inside another JS file), and these would not show up in our initial manual scan.


For our automatic scan, we will want to use Burp filters later on to explore all of our JavaScript files. To do this:
