What is JS?
- Client-side, it runs on the computer of the client (victim)
- Object-oriented (Programming term)
- Scripting language, which is why cross-site scripting is also possible
What does a JS file contain?
Besides the regular cross-site scripting sinks (locations where our XSS attack vector is reflected in the JS) we can also find several other juicy secrets in there that we can use.
These secrets can contain but are not limited to:
- New endpoints (one time I found a whole list of endpoints in the comments)
- Hidden parameters
- API keys, sometimes they are supposed to be public though, so be careful with these. Verify the impact before you report! https://github.com/streaak/keyhacks
- Business logic, which we might be able to abuse, for example client-side calculation of prices
Using BURP SUITE
- Open burp
- Set your scope right
- Explore the site manually by clicking around
- Open the burp site map tab
- Click on the “Filter” Box
- Click on the “Script” checkbox and make sure it’s the only one active under “Mime type”
- Under “Filter by file extension”, click “Show only” and fill in JS in the box
If you have Burp Suite Pro, you can also right click on your target in the site map and under the engagement tools you will see the option “Find scripts”. This effectively does the same after exploring your target manually, but the results are displayed more neatly.
Install waybackurls, using this tool we can also grep for any JS files that might not be linked anymore but still online.
go get github.com/tomnomnom/waybackurls
waybackurls google.com | grep "\\.js" | sort | uniq
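The pipeline above and the list of things worth looking for in a JS file (endpoints, hidden parameters, key-shaped strings) can be turned into a small set of shell filters. This is an added example, not part of the original notes or of the waybackurls tool; the URL list and the JS snippet are constructed samples, and `extract_js_urls` also fixes the ordering problem of `uniq | sort` by sorting before deduplicating and stripping cache-busting query strings.

```shell
#!/bin/sh
# Constructed sample of waybackurls-style output (not real data); in practice
# you would pipe the tool itself: waybackurls example.com | extract_js_urls
SAMPLE_URLS='https://example.com/static/app.js?v=1
https://example.com/static/app.js?v=2
https://example.com/index.html
https://example.com/static/vendor.min.js
https://example.com/static/app.js?v=1
https://example.com/assets/legacy-2019.js
https://example.com/json/config.json'

# Constructed sample of a bundled JS file (not from any real site).
SAMPLE_JS='var cfg = { apiBase: "/api/v2/", legacy: "/api/v1/internal/export" };
// TODO remove before release: also hits /admin/debug/toggle
const STRIPE_PUBLISHABLE = "pk_test_EXAMPLEPUBLICKEY0000000";
var secretToken = "sk_live_EXAMPLESECRETKEY00000000";
fetch(cfg.apiBase + "users?role=admin&debug=1");'

# Keep only .js URLs, drop the query string so cache-busting variants
# collapse into one entry, and sort BEFORE deduplicating: uniq alone
# only removes adjacent duplicates.
extract_js_urls() {
  grep -iE '\.js(\?|$)' | sed 's/?.*$//' | sort -u
}

# Candidate endpoints: absolute paths with at least two segments, whether
# they sit in a string literal or in a comment.
find_endpoints() {
  grep -oE '(^|[" ])/[A-Za-z][A-Za-z0-9_.-]*(/[A-Za-z0-9_.-]*)+' \
    | sed 's/^[" ]//' | sort -u
}

# Candidate hidden parameters: names used as ?name= or &name= in URLs.
find_params() {
  grep -oE '[?&][A-Za-z_][A-Za-z0-9_]*=' | tr -d '?&=' | sort -u
}

# Key-shaped literals. pk_ keys are designed to be public; an sk_ key in
# client-side code is the one that actually has impact and must not ship.
find_key_literals() {
  grep -oE '"(sk|pk)_(live|test)_[A-Za-z0-9]+"' | tr -d '"' | sort -u
}

printf '%s\n' "$SAMPLE_URLS" | extract_js_urls
printf '%s\n' "$SAMPLE_JS" | find_endpoints
printf '%s\n' "$SAMPLE_JS" | find_params
printf '%s\n' "$SAMPLE_JS" | find_key_literals
```

The same filters work as a pre-release check on your own bundle: anything `find_key_literals` flags with an `sk_` prefix should never reach a client.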
Developers use a range of defense mechanisms to hold us off, but that’s okay. We can get around those by being diligent and making sure that we take our time.
- Obfuscation: this is where developers make the code intentionally hard for humans to read, while machines have no problem reading it. It is harder to decipher, but with some diligence it can be done.
- Code splitting: this is where the developers chop the JS up into little pieces that all reference each other. Very annoying to get around, and it’s just hard work puzzling the code back together.
If we are trying to defeat these mechanisms, it might help to set up a replica of your target’s environment and analyze the code statically there.