Analyzing JavaScript Files for Bug Bounty Hunters

Thexssrat
Apr 13 · 3 min read

What is JS?

JavaScript is a client-side, object-oriented scripting language. In essence, this has several meanings:

  • Client-side: it runs on the computer of the client (victim)
  • Object-oriented (a programming term)
  • Scripting language: this also means cross-site scripting is possible

Developers have used it over the years to make static websites a bit more interactive and beautiful, with things like JavaScript image carousels but also XHR and AJAX requests to the backend server to fill in a page automatically. JavaScript can do many things, and for this reason it’s of interest to us.

We can analyze a JavaScript file either statically (not running it) or dynamically (debugging or running it). We will mostly focus on static analysis here.

What does a JS file contain?

Besides the regular cross-site scripting sinks (locations where our XSS attack vector is reflected in the JS), we can also find several other juicy secrets in there that we can use.

These secrets can contain but are not limited to:

  • New endpoints, one time I found a whole list of endpoints in the comments
  • Hidden parameters
  • API keys, sometimes they are supposed to be public though, so be careful with these. Verify the impact before you report! https://github.com/streaak/keyhacks
  • Business logic, which we might be able to abuse, like client-side calculations of prices
  • Secrets/passwords
  • Potentially dangerous areas in the JavaScript code such as eval() or assignments to innerHTML. These are DOM sinks and can lead to DOM XSS
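The same findings can be located with a simple static scan. This is an added example, not the author's tooling: a Node script with deliberately simple regexes for endpoint literals, query-parameter names, long token-like literals and the DOM sinks named above, run over a constructed sample file; the line numbers it reports are what a developer needs to go and fix the sink.

```javascript
// Added example (not the article's own code): a minimal static scanner for
// the findings the article lists: endpoints, query parameters, key-looking
// literals and DOM sinks. Patterns are deliberately simple and illustrative.
const SINK_PATTERNS = [
  { name: 'eval', re: /\beval\s*\(/g },
  { name: 'innerHTML', re: /\.innerHTML\s*=(?!=)/g },          // assignment only
  { name: 'document.write', re: /document\.write(?:ln)?\s*\(/g },
  { name: 'setTimeout-string', re: /setTimeout\s*\(\s*['"`]/g },
];
const ENDPOINT_RE = /['"`](\/(?:api|v\d+)[^'"`\s]*)['"`]/g;   // "/api/..." literals
const URL_RE = /['"`](https?:\/\/[^'"`\s]+)['"`]/g;           // absolute URLs
const KEY_RE = /['"`]([A-Za-z0-9_\-]{32,})['"`]/g;            // long token-like literals

// 1-based line number of a character offset in src.
function lineOf(src, idx) { return src.slice(0, idx).split('\n').length; }

// Query-parameter names from a path such as "/x?debug=true&view=full".
function paramNames(path) {
  const q = path.indexOf('?');
  if (q < 0) return [];
  return path.slice(q + 1).split('&').map(kv => kv.split('=')[0]).filter(Boolean);
}

function scanJs(src) {
  const uniq = (arr) => [...new Set(arr)];
  const endpoints = uniq([...src.matchAll(ENDPOINT_RE)].map(m => m[1]));
  const urls = uniq([...src.matchAll(URL_RE)].map(m => m[1]));
  const params = uniq(endpoints.flatMap(paramNames));
  const keys = uniq([...src.matchAll(KEY_RE)].map(m => m[1]));
  const sinks = [];
  for (const { name, re } of SINK_PATTERNS) {
    for (const m of src.matchAll(re)) sinks.push({ name, line: lineOf(src, m.index) });
  }
  sinks.sort((a, b) => a.line - b.line);
  return { endpoints, urls, params, keys, sinks };
}

// Constructed sample of the kind of code the article describes (not real data).
const SAMPLE = [
  '// TODO: remove before release, legacy admin route',
  'const ADMIN = "/api/v2/admin/users";',
  'fetch("/api/v1/profile?debug=true&view=full");',
  'const base = "https://internal-api.example.test/v3";',
  'const cfg = { apiKey: "EXAMPLE_KEY_NOT_REAL_0123456789abcdefghij" };',
  'document.getElementById("out").innerHTML = location.hash.slice(1);',
  'eval(params.get("cb"));',
  'if (x.innerHTML == "") {}',   // comparison, not a sink
].join('\n');

console.log(JSON.stringify(scanJs(SAMPLE), null, 2));
```

Treat every hit as a lead to verify by hand, not a finding in itself; the key regex in particular will also match long identifiers.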

Attack strategy

For our attack strategy we first need to gather all the JavaScript files from a website. We have several options to do this automatically, or we can look in the HTML source code manually. The manual approach will not catch all the JS files, as some files might be loaded nested (a JS file called from inside another JS file); these would not show up in our initial manual scan.

Using BURP SUITE

For our automatic scan we will want to use Burp filters later on to explore all of our JavaScript files. To do this:

  • Open Burp
  • Set your scope right
  • Explore the site manually by clicking around
  • Open the Burp site map tab
  • Click on the “Filter” box
  • Click on the “Script” checkbox and make sure it’s the only one active under “Mime type”
  • Under “Filter by file extension”, click “Show only” and fill in JS in the box

If you have Burp Suite Pro, you can also right-click on your target in the site map and under the engagement tools you will see the option “Find scripts”. This effectively does the same thing after exploring your target manually, but the results are displayed more readably.

Using waybackurls

Install waybackurls. Using this tool we can also grep for any JS files that might not be linked anymore but are still online. Note that the two commands below are separate: the first installs the tool, the second queries it (sort -u removes duplicates regardless of their position in the output, which uniq alone would not).

    go get github.com/tomnomnom/waybackurls
    waybackurls google.com | grep "\.js" | sort -u

Defense mechanisms

Developers use a range of defense mechanisms to hold us off, but that’s okay. We can get around those by being diligent and making sure that we take our time.

JS Obfuscation

JS Chunking

  • This is where the developer chops up the JS into little pieces that all reference each other. Very annoying to get around, and it’s just hard work puzzling the code back together

If we are trying to defeat these mechanisms, it might help to set up a replica of your target’s environment and to run the code there.

Written by

Thexssrat

No b*llshit Hacking tutorials with extreme value in short bursts

Geek Culture

A new tech publication by Start it up (https://medium.com/swlh).

Thexssrat

Written by

Thexssrat

No b*llshit Hacking tutorials with extreme value in short bursts

Geek Culture

A new tech publication by Start it up (https://medium.com/swlh).

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store